Operationalizing Data Protection & Privacy: Lesson 12 - Marketing Privacy

Disclaimer:? The views and lesson here are mine alone and do not represent my employer, the LEGO Group, or previous coursework taught at Cleveland State University School of Law.

?

One of the most alluring uses of personal data is for digital marketing.? Since the dawn of the commercial internet companies have been harvesting personal data to drive sales and increase engagement, to the point that most consumers understand this is just part of browsing the web.?

Whether it’s personalized ads, emails, text messages, or content, marketers will use all personal data available to them to sell you their service or product.? And for far too long less ethical companies have been quite content to vacuum up as much personal data as possible and ask for forgiveness later.?

Fortunately, over the last five years, we’ve seen a shift in the regulatory environment, as well as in market practices, to require companies to be more transparent with their digital marketing and to offer consumers a choice as to how their personal data will be collected and processed for marketing purposes.?

And companies appear to be responding appropriately, including implementing more transparent privacy policies, website preference centers and consent management tools, complying with "do not track" requests, and developing robust practices to limit the collection of personal data to only what is needed.?

But digital marketing is still far from perfect, and DP&P professionals continue to play a key role in the marketing ecosystem to protect consumers while balancing business priorities.? ?

Let’s take a deeper look.?

1. Today, digital marketing begins with trust.? As a company with services or products to sell, you need to effectively connect with consumers to build a relationship and drive sales, and more than ever, brand trust plays an integral part in who consumers choose to support.? Consumers simply do not want to patronize companies they don’t trust.?
2. For many companies the first 20 years of digital marketing meant collecting as much personal data about your customers and potential customers as possible and finding ways to activate it in your markets and channels (without much thought about trust).? This included utilizing cookies, trackers, data brokers, and unscrupulous third parties to over collect personal data and then using it, potentially with third party personal data, to serve up personalized and targeted ads, emails, shopping experiences, and online content.
3. Thankfully, the last five to six years has seen a regulatory and market shift away from the over collection of personal data for marketing purposes and an emphasis on trust, transparency, and choice.? Now we have GDPR, CCPA (plus other US state privacy laws), the EU’s ePrivacy Directive, and increased scrutiny by the FTC, as well as a transition from third party cookies and trackers, which all help protect consumers while requiring better marketing practices from businesses.?
4. But for many DP&P offices, marketing activities still give us fits.? It’s not uncommon for marketing departments to be one of the hardest functions within a large organization to govern and support. ?While marketing is a necessary component of a successful business, the personal data and underlying technologies and platforms can challenge our DP&P policies and controls.?
5. It’s therefore critical for the DP&P office to build a strong relationship with the marketing function, and a good place to start (if it hasn’t been done already) is to properly audit and document all the personal data collected and processed for marketing purposes along with the technologies and third parties supporting these processes.?
6. Digital marketing activities can be broadly defined to not just be email and social media advertising but may also include customer and audience relationship management, customer analytics, and loyalty and rewards programs.? And often the teams responsible for these activities struggle to document the full scope of all the personal data collected and how it will be used. By partnering with the marketing department, DP&P offices can develop a thorough understanding of the company’s core marketing activities and document it for compliance purposes.?
7. What you find out during this exercise might surprise you, especially if your company is a large, decentralized organization where marketing budgets are held by regional teams and there are not a lot of shared marketing technologies.? It may turn up a long list of third-party marketing partners with local market expertise, but who sometimes use undisclosed technologies and personal data.?
8. Nonetheless, building this knowledge base is a major step towards DP&P compliance and can allow you an opportunity to discuss ways to embed a privacy by design mindset within the marketing organization.? You can also check to see how transparent your team has been in its data collection and use policies as well as if it appropriately asks for and respects customer consent and opt in/out requests.?
9. As you go through this process you will inevitably identify gaps and risks in your marketing operations, such as a missing DPA or the collection of unnecessary personal data.? You can use this exercise as an opportunity to develop remediation plans and work with the relevant stakeholder to address these in a timely manner.? No organization is perfect, especially in the face of rapidly evolving DP&P laws.
10. Marketing technologies and personal data use moves fast and aggressively, and what you identify today will likely be different in six months.? Therefore, developing a clear hook into the marketing process is vital for the ongoing success of your organization and compliance with DP&P laws, and you should at minimum perform basic risk assessments on all new marketing programs, campaigns, and technologies that will process personal data. If that's not possible, developing digital marketing standards and best practices can at least help guide the marketing team.
11. Marketing compliance is often not so black and white, and sometimes we must look at the DP&P principles of trust, transparency, and choice to guide our risk analysis and decision making.? When it comes to marketing, a simple question to ask your organization is if your behavior is creepy.? We’ve all heard stories of digital marketing practices that veer into the creepy territory, usually at the detriment to the brand, and identifying use cases and personal data elements that are off limits can help your company avoid becoming the creepy advertiser.?
12. Finding the right balance of targeting and personalization is key and as DP&P professionals we must continually ask our business partners some difficult questions.? Do we know too much about our customers?? Are we using personal data in a way that we haven’t communicated? ?Are we using any sensitive personal data for marketing purposes? ?And are our target audiences inappropriately defined? ?If your organization answers yes to any of these questions, then you should be reworking your marketing practices in a less invasive way.
13. It’s also important for DP&P offices to work with marketing teams to understand how to best use first party versus third party personal data.? With more and more marketing budgets devoted to advertising on social platforms where third party personal data is so readily available, organizations should identify if it compliantly combines personal data from multiple data sources.?
14. Where your organization has implemented a preference center or consent management tool, it would be prudent for the DP&P office to review this implementation to ensure it's functioning as intended. Sometimes you will see improperly configured cookie banners that do not respect opt out or do not sell requests, which creates unnecessary risk.
15. Business to business marketing has historically been separated from consumer marketing DP&P compliance, where the legal requirements are all over the place depending on the country.? ?B2B companies are often more aggressive in their marketing practices, but consumer expectations are slowly creeping into the B2B environment forcing companies to adjust their practices.? While lead generation services and unsolicited emails will probably never go away, more ethical and trustworthy B2B companies are beginning to only engage with consent.?
16. A major benefit to digital marketing is that it enables marketing departments to attribute sales and engagement to its various campaigns more effectively which allows robust reporting and data analysis of marketing spend and the revenue it generates.? A challenge in attribution and analytics though is limiting the processing of personal data, and the marketing team and DP&P office should collaborate to develop compliant solutions.
17. No matter the industry, marketers are not going to stop seeking new ways to engage customers.? DP&P professionals have an opportunity to not just support marketing compliance activities, but to position ourselves as trusted partners that add value to the marketing organization while hopefully growing sales.?

?

?