This past week I attended my first IAPP Global Privacy Summit. It was a wonderful experience to be in person with so many privacy professionals and to hear firsthand about their challenges. Many people focused on the key note speakers which included:
Tim Cook, CEO of Apple, spoke about the privacy issues that drive and divide the major tech companies
Lina Khan, Chair, Federal Trade Commission, who in her first public address spoke about how the FTC will leverage its rulemaking process to address data security.
Brad Smith, President and Vice-Chair of Microsoft, stated that the failure of the US to pass a federal privacy law makes the US less globally competitive
When I asked privacy professionals what they took away from the event, most of them spoke about the practical things they heard about how to operationalize privacy. Here is a summary of my takeaways from the event:
1. The business benefits from building trust
Many privacy professionals talked about how they have small teams and small budgets and expressed how challenging it is to get funding and support from other people in their business. Support from other people in the business is critical as new regulations are rolled out and companies need to really examine their data practices.
By emphasizing the benefits of trust to the business and business growth and measuring how their contributions helped the bottom line, privacy professionals felt that they had a better chance of getting buy-in and budget and cooperation from their teams.
2. Consent is more than cookies
During a speaking session featuring WireWheel’s CEO, Justin Antonipillai, Ruth Boardman from Bird and Bird and Dona Fraser from BBB, they talked about, while consent today is cookie consent, with the new regulations, it is moving towards getting and managing consent across the multiple channels (including phone, tv, and other devices) in real-time. This will make managing consent more difficult but also brings opportunities. If they do it right, companies can use consent as a way to build trust and collect more first-party data.
3. Marketing + Privacy: teamwork and trust are key
On a panel that I spoke on that included CMO Juliette Kopecky from LinkSquares, GC and CPO Andy Dale from Alyce, and Attorney Scott Lashway, privacy professionals were highly engaged and asked questions about how and when they should get involved with marketing as marketing evaluates new technologies. The panel suggested that privacy should get involved with marketing early and often while keeping in mind marketing’s motivation – driving revenue. The privacy team can offer a lot of value to the marketing team as marketing, especially in the cookieless world, relies on buyer trust.
Marketing can also help privacy teams to market their message to sales, clients, and other stakeholders in the company.
Since the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) came into effect (May 2018 and January 2020 respectively), the concept of “ethical marketing” has increasingly become top of mind.
Of course, the immediate concern for businesses is achieving and maintaining regulatory compliance. But, particularly concerning to marketers are the constraints concerning the “sale” and use of consumer data and the ability of consumers subject to these regulations to “opt out” of that use.¹ This is not only a regulatory concern but directly challenges the heart of the digital marketing ecosystem.
As former Obama administration Acting Under Secretary, U.S. Department of Commerce and WireWheel CEO Justin Antonipillai notes, the “issue of ethical marketing has become a huge one for most companies in the last couple of years…How do we think about targeted marketing and use of consumer data, but to do it the right way?”
Martech and Ad Tech Impact
With the passage of the Consumer Privacy Rights Act (often referred to as CCPA 2.0) set to go into effect 1 January 2023, working with consumer data, to not only satisfy regulatory compliance, but doing so ethically and effectively has taken on an absolute sense of urgency for marketers. The impact to Martech and Ad Tech is profound. It is with this as backdrop that WireWheel’s Justin Antonipillai sat down with LiveRamp VP, Head of Innovation & New Business Rishabh Jain to record their discussion Ethical Marketing: Where Trust and Personalization Intersect.
While the CPRA does not go into effect until January 2023, because there is a look back from January 2022, leading edge companies are being proactive regarding its implications. They recognize that how they handle privacy is an opportunity to improve customer relationships – including those consumers not subject to the GDPR or CPRA. As LiveRamp’s Rishabh puts it: “I think that there’s a lot of opportunity right now for using privacy as a strategy to increase trust with consumers as opposed to viewing it as simply compliance.”
In short, ethical marketing begins with making data privacy a core company value and continues by viewing privacy regulations as opportunities to gain trust with consumers. Apple’s iOS 14 ad tracking announcement, Facebook’s retargeting management tool (LDU), and Google’s announcement regarding third-party cookies are key examples of leading companies…well, leading…with the idea that data privacy is not simply a regulation, but a core brand value (More on this in Part II of this post).
The Consumer POV
“There tends to be two things consumers have taught me” says Rishabh. Firstly, “It feels like a lot of things are happening in the background that they don’t really understand or have control over.” The use of third-party cookies exacerbates that sense of lack of control. Secondly, “when they learn about it, they want to understand, can I turn it off? And in some cases, they want to understand actually can I make it better?”
“So I have actually heard it both ways, which I think is a signal that what users really want is to be able to understand it and control it, not necessarily just turn it off.”
This attitude is not unique to Californians or citizens residing in the European Union. It really is common across all geos and demographics. Consequently, forward looking organizations like Apple are not necessarily bucketing their customers and prospective customers as Californians/Not Californians, Subject to GDPR/Not Subject. Rather they understand that consumer sentiment is in alignment with these regulations and view increased transparency and control as more ethical and valuable. “I think it’s pretty clear what consumers want” says Jain:
“You know, it’s voters who voted for the CCPA and CPRA. It’s not legislators in a room somewhere who came up with this, it’s a proposition and so it is people in California who said, ‘we want this.’ And then they said we want it again.”
“And when people are telling you what they want, it tends to mean they want it. And if you show that you’re listening, and you show that you’re listening sooner rather than later, they will trust you more.”
Forward-looking organizations are listening, and they are moving beyond compliance and thinking in terms of ethical marketing as strategy.
The Brand POV
Needless to say, companies still want to continue to market and advertise and be able to target potential customers effectively. And there will certainly be challenges.
Google Chrome’s planned obsolescence of third-party cookies; the perceived “creepiness” of cookies, Facebook Pixels and server-side API; the CPRA’s addition of Sensitive Personal Information (SPI) to the category of Personally Identifiable Information (PII) and attention to “cross-context behavioral advertising;” all portend challenges to the traditional Ad Tech approaches to, and Martech use of, identifying, segmenting, targeting, and retargeting customers and prospects. The Facebook LDU implementation earlier this year demonstrated with resounding clarity the impact of “do not sell” on marketing efficacy.
This is a trend that promises to continue, notes Justin. And operationalizing consumer relationship in light of these changes will be critical to success. And it is not a DIY affair which has led to “a lot of pain with not a lot of reward” for many. But those that get ahead of it – and understand data privacy as a new route to developing trust-based relationships – just may discover a significant competitive advantage over peers who merely aspire to compliance.
After all, “When someone grants permission they are acting consciously, becoming an active participant rather than a passive source of data to be pillaged. Permission equals engagement. And engagement is the ultimate goal here, isn’t it?” (Carroll, 2018).
Part II will look at what lies ahead, how to operationalize for today’s requirements and position for future challenges and opportunities.
[1] The definition of selling has been further defined by the CPRA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Are you advertising on Facebook and are confused by its “Limited Data Use” feature? Check out our latest infographic to get a clear picture of what this means for your retargeting efforts and for tips on achieving or maintaining CCPA compliance.
Facebook’s “Limited Data Use” feature protects Facebook advertisers from violating consumer privacy laws outlined in the California Consumer Privacy Act (CCPA)
Why Did Facebook Release LDU?
Facebook’s new “Limited Data Use” (LDU) feature helps businesses limit the use of California residents’ personal data in order to comply with the California Consumer Privacy Act (CCPA)
LDU allows businesses to exercise more control over how their data is used in Facebook’s systems
How Does This Work With Pixels?
By using Facebook LDU, advertisers are able to specify which data should be subject to the protections of the CCPA
LDU automatically detects if a Facebook user is located in California and then limits the way their user data can be processed and stored
Detecting if a user resides in California is done through a modification to the Facebook PageView pixel
How Does This Affect Retargeting?
The new “Limited Data Use” (LDU) will most significantly affect companies that purchase Facebook ads and LDU will also affect the associated marketing performance of those advertisements
The major effect of LDU is on Facebook retargeting, which is the process that a company uses to find people who have visited the company’s website and then used the visitor’s information to find their Facebook profiles.
When LDU is enabled, detecting if a Facebook user resides in California is done through a modification to the Facebook PageView pixel
This means that if a California user “opts-out” of being tracked, under the CCPA, businesses cannot include California Facebook users in a behavioral (website pixelbased) retargeting campaign
How Are Cookies Involved?
When a user visits a website, most companies collect personal information via the use of technologies, such as cookies, to improve the website experience and retarget visitors
Companies that advertise on Facebook can use the Facebook Business Manager to implement a Facebook PageView pixel to begin collecting data for future retargeting
CCPA compliance is focused on empowering users to “opt-out” of tracking so it’s imperative for businesses to implement a cookie consent banner that gives the user the option to “opt-out” of having their information “sold”
What Is the Sale of Data Under CCPA?
The sale of personal information under CCPA is defined as transferring data to another business or third party for value, whether monetary or not
Under CCPA, users have the right to opt-out of the sale of personal information at any time
Implementing a Facebook PageView pixel on a company’s website in order to begin collecting data for future retargeting establishes a process for the company and Facebook to sell a user’s personal information since data is transferred between the two companies for retargeting purposes
Achieve CCPA Compliance Quickly
Implement a consent management platform that gives users a choice to “opt-out” of tracking
Provide a compliant “Do Not Sell” experience that builds consumer trust
Enable the LDU feature for users who “opted-out,” which stops the Facebook pixel from firing
As discussed in Part I of this blog, leading edge companies are looking at the trends in data privacy and recognizing two things: 1) This trend is likely to continue and 2) while it presents challenges to the marketing ecosystem as it exists today, it also presents significant opportunity to design a new and better experience for current and prospective customers.
LiveRamp VP, Head of Innovation & New Business Rishabh Jain joined former Obama administration Acting Under Secretary, U.S. Department of Commerce and WireWheel Founder Justin Antonipillai to discuss these issues for a webinar entitled Ethical Marketing: Where Trust and Personalization Intersect.
“Designing that experience is the thing we’re starting to hear brands and publishers ask for advice about” notes Rishabh.“They are seeking input regarding the best ways they can create and maintain a trusted relationship with the consumer. Many recognize too, that this is an opportunity to design an experience that puts trust and transparency at the center of all consumer interactions, not just those that are covered by the EU’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Rights Act (CPRA).”
Transparency and Trust and Disruption
Consider Apple’s the release of iOS 14. IOS 14 contains new privacy features. It mandates that app developers disclose what data the app collects and label specific information that could be used to track users across the web. “Opt out” will now be on an app by app basis.
Other iOS 14 privacy features include measures that prevent an app accessing the microphone or camera without the user’s knowledge. There is also a new location data option that allows the user to share “approximate location” rather than the current option of not sharing location at all or sharing the more precise location (Brandon, 2020). This last addition seems to be a response to the new category of “Sensitive Personal Data” (SPI) defined in the CPRA. “Precise geolocation data” is considered SPI.
This is a great example of Rishabh Jain’s missive: “if you show that you’re listening and you show that you’re listening sooner rather than later, [the consumer] will trust you more.” Is there a more trusted brand than the world’s first two-trillion-dollar company?
“My big takeaway, continues Jain, “from the CCPA, CPRA, Apple and other announcements is that it is pretty clear what consumer expectations are going to be moving forward. If you set up the interactions correctly today, you are more likely to maintain and gain the trust of your consumers in the future.”
As significant as this and other announcements have been, Google’s 2022 scheduled execution of the third-party cookie (Chrome will no longer accommodate them) is certainly the most disruptive to marketers, Ad Tech, and the highly effective strategy of retargeting.
The End of Third-Party Cookies: “Beginning of a Beautiful Friendship”
So what does this mean for marketers?
“Essentially, when I go from one website to another there is no consistency in ID” explains Jain. If, for example, “I’m on the Gap website, Gap knows who I am. When I’m on The New York Times website, [they] know who I am. “But to talk to each other, all of a sudden it becomes very difficult. So now you have question: how do I effectively market and what types of data sharing will happen once you get out of a third-party cookie world?”
“What we will start to see” continues Rishabh, “is more websites seeking a direct login or authentication from the consumer. The New York Times is a great example. When you go to their website today, they will very quickly ask you to login with your email. It’s an example of a publisher who is thinking ahead and trying to get a direct relationship with their consumer.”
Third-party cookies and the cross-context behavioral targeting it enables has never been a favorite of consumers. While comfortable with first-party cookies and appreciative of the enhanced experience it can offers when engaging a brand, third-party cookies are outside that relationship. This plays a role in why “the majority of consumers today know they are not in control of their data.” (Consumer Report, 2020).
This was not lost on the drafters of the CPRA. “The Act introduces a definition of “cross-context behavioral advertising” for the first time:
‘Cross-context behavioral advertising’ means the targeting of advertising to a consumer based on the consumer’s personal Information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally Interacts. (Dr. Ryan, 2020).¹
As disruptive as this is, there is opportunity to improve customer relationships and reap the rewards. The same Consumer Report states that “evidence suggests that technology companies focused on privacy and security will see significant upside. The upside comes from higher regard for brand and higher willingness to pay (emphasis added).”
“Once you start sharing data based [on] direct consumer interaction…this is where the infrastructure you [lay] out early will help” says Rishabh. “You want to make sure that the consumer understands that on a first party basis (the website and the consumer) you are setting up a relationship [where] you can actually use their data with your downstream partners.” In short, it is a trusted relationship.
Future Proofing
Right now is the time to lay the foundation for these new direct relationships notes Rishabh. “The future doesn’t become less complex, unfortunately it becomes more complex.” Brands and publishers need to think about how they want to build this new infrastructure – in the right way – now.
Getting ahead of consumer data issues with the right infrastructure that accurately maintains permissions, respects privacy, and keeps consumer data secure, the more likely you can maintain and grow a customer base that trusts you.
There are proven, concrete steps to take to position well for the immediate future we know, and position for what we don’t. Justin offers the following advice:
The earlier you start to establish direct trusted engagement with your consumers, with appropriate permissions and ability to show them all the information in a concise, clear way the better.
This should include clarity and transparency in communicating how you plan to collect and use data. The sooner you create those interfaces, the better off you are.
The infrastructure, solutions and workflows should be flexible and configurable to accommodate changes. You want an agile partner that can quickly adopt to change.
You will want to partner with an expert in configurability and how to operationalize the consumer data continuum from initial interaction, to permissions handling, and when necessary, handling DSARs with the auditability necessary to comply with regulatory requirements.
Your website should have core easily understood messaging that you can effectively manage their preferences (opt in or out or limitations in the use of their data) internally, and in data sharing environments.
Judy Gordon is the WireWheel Vice President of Marketing. She leads the team that manages the WireWheel brand and helps to spread the word about the company. Over her career, Judy has worked with start-ups…