Showing posts with label privacy.

Friday, May 07, 2021

Seers Offers Easy-to-Use Cookie Consent

The growth in global privacy regulation has created an immense headache for thousands of businesses – and, thus, an immense opportunity for systems that offer relief. Small businesses in particular need simple, low-cost solutions to comply with rules that require gathering consumer consent to data collection and giving consumers access to data that’s been collected. An ideal small-business solution leads users through the set-up process without requiring technical skills or expertise in privacy rules. (Come to think of it, so does an ideal large-business solution.)

Seers is one of many vendors addressing this market. Its core products are systems to collect cookie consent and data access requests. It supplements these with products for access request fulfillment, data privacy impact assessments, GDPR compliance assessment, data breach reporting, policy creation, data discovery, and on-demand privacy training. Several of the products are engineered to support mid-size and large enterprises as well as small business.

Set-up of the Seers consent manager follows a step-by-step process. It starts with the user specifying the domain to be supported. The system then automatically scans this domain to identify the cookies and scripts currently installed. It will later compare the results to a list of hundreds of cookies that Seers has evaluated and classified, and generate a list of the specific cookie consent requests the site must present to visitors. Before this step, users set preferences for the cookie banner appearance, cookie policy URL, treatment of unconsented visitors, and other options. The interface includes handy explanations of each item so that users can make informed choices. The system will detect site visitor location and can use this to present consents in 30 local languages and in different formats for GDPR, California’s CCPA, and Brazil’s LGPD.

Once settings are complete, Seers will generate code to insert in the user’s Web site to deploy the consent system. It will then keep track of consents as these are received, providing an audit trail should documentation be needed. The system will regularly rescan the user’s Web site to identify the cookies currently in use and adjust the cookie consent table accordingly. A limited free version is available and the full module starts at $9 per month for a single Web domain.

Seers’ other main customer-facing module is Subject Request Management, which offers a portal that lets customers ask to see, change, or delete data a company holds about them. This is similarly easy to configure, letting users control the appearance, identity verification requirements, and other options. It feeds requests into a queue which lets users manually assign them to departments and individuals for resolution, tracks their status, and stores notes and attachments. Again, a limited free version is available while a single-user full version costs just under $50 per year.

Seers also offers a large number of interactive templates, assessments, and policy generators. These lead users through processes including data privacy impact assessment (DPIA), privacy policy creation, and GDPR compliance assessment. The ones I saw were all easy to follow and included impressive amounts of information. The privacy impact assessment module is priced at $46.99 per year while most of the other tools are bundled into a package starting at a $129.99 one-time fee.

So far so good. I really liked what I saw from Seers. But there are gaps in its product line that mean most companies would need additional products for a complete solution. The company is closing one gap with a data discovery tool, now in beta and set for July release, which will let users build an inventory of personal data stored in their systems. The first release, at least, will be limited to having users review field names and map these to standard categories. One nice touch is that the inventory will connect with data subject requests, so the system will be able to automatically pull information about an individual. But field names are not an entirely reliable source of information and Seers does not have the data scanning capabilities of a system like BigID.

Other gaps include consent management beyond cookie consent; records of processing activity (ROPA) reports; ensuring that processing is legally justified; monitoring vendors who process company data; and automatic policy updates as rules change. Whether you need these depends on what other resources you have available. But they’re all required under current privacy regulations.

Tuesday, March 16, 2021

ActiveNav Automates Data Inventory Updates

Our on-going tour of privacy systems has already included stops at BigID and Trust-Hub, which both build inventories of customer data. Apparently I’m drawn to the topic, since I recently found myself looking at ActiveNav, which turns out to be yet another data inventory system. It’s different enough from the others to be worth a review of its own. So here goes.

Like other inventory systems, ActiveNav builds a map of data stored in company systems. In ActiveNav’s case, this can literally be a geographic map showing the location of data centers, starting from a global view and drilling down to regions, cities, and sites. Users can also select other views, including business units and repository types. The lowest level in each view is a single container, whose contents ActiveNav will automatically explore by reading metadata attributes such as field names and data formats.

The system applies rules and keywords to the metadata to determine the type of data stored in each field, without reading the actual file contents. (A supplementary module that allows content examination is due for release soon.)  It stores its findings in its own repository, again without copying any actual information – so there’s no worry about data breaches from ActiveNav itself.

One disadvantage of ActiveNav’s approach is that relying only on metadata limits the chances of finding sensitive information that is not labeled accurately, something that BigID does especially well. Similarly, ActiveNav doesn’t map relations between data stored in different containers, so it cannot build a company-wide data model. This is a strength of Trust-Hub.

Still, ActiveNav’s ability to explore and classify data repositories without human guidance is a major improvement over manually-built data inventories. Its second big benefit is a “data health” score based on its findings. This is calculated for each container with scores for factors including: risk, including intellectual property and security issues; privacy compliance, based on presence of IDs and other data types; and data quality, including duplicate, obsolete, stale and trivial contents. Scores for each container are combined to create scores for repositories, locations, business units, and other higher levels. This gives users a quick way to find problem areas and track data health over time.

ActiveNav addresses what may be the biggest data inventory pain of all: keeping information up-to-date. The system automates the update process by receiving continuous notifications of metadata changes from systems that are set up to send them. In other cases, ActiveNav can query repositories to look for metadata that has been updated since its last visit. Of course, this requires providing the system with credentials to access that information.

ActiveNav was founded in 2008. Until recently, it offered only a conventional on-premise software license with one-time costs starting around $100,000. This is sold primarily through partners who work on data management projects for heavily regulated industries and governments. The company has recently introduced a SaaS version of its data inventory system that starts at $10,000 per year. It also offers data governance and compliance modules.

Sunday, December 13, 2020

MarTech Plot Lines for 2021


“Apophenia” – seeing patterns where none exist – is both occupational hazard and job requirement for an industry analyst. The CDP Institute Daily Newsletter provides a steady supply of grist for my pattern detection mill. But the selection of items for that newsletter isn’t random. I have a list of long-running stories that I follow, and keep an eye out for items that illuminate them. I’ll share some of those below.

Feel free to play along at home and let me know what stories you see developing. Deep State conspiracy theories are out of bounds but you’re welcome to speculate on the actual author(s) of the works attributed to “Scott Brinker”. 

Media

Everyone knows the pandemic accelerated the shift towards online media that was already under way. A few points that haven’t been made quite so often include:

- connected TVs and other devices allow individual-level targeting without use of third-party cookies. As online advertising is increasingly delivered through those channels,  the death of cookies becomes less important. Nearly all device-level targeting can also include location data, adding a dimension that cookies often lack.

- walled gardens (Facebook, Google, Amazon) face increasing competition from walled flower pots – that is, businesses with less data but a similar approach. Retailers like Walmart, Kroger, Target, and CVS have all started their own ad networks, drawing on their own customer data. Traditional publishers like Meredith have collected their formerly-scattered customer data to enable cross-channel, individual-level targeting. Compilers like Neustar and Merkle are also entering the business. None of these has the data depth or scale of Facebook, Google, or Amazon but their audiences are big enough to be interesting. The various “universal ID” efforts being pursued by the ad industry will enable the different flower pots to cross-pollinate, creating larger audiences that I’ll call walled flower beds unless someone stops me.

- shoppable video is growing rapidly. Amazon seems unstoppable but it faces increasing competition from social networks, streaming TV, and every other digital channel that can let viewers make purchases related to what they’re watching. The numbers are still relatively small but the potential is huge. And note that this is a way to sell based purely on context, so targeting doesn’t have to be based on individual identities. That will become more important as privacy regulations become more effective at shutting off the flow of third-party personal data.

- digital out-of-home ads will combine with augmented and virtual reality to create a fundamentally new medium. The growth of digital out-of-home advertising is worth watching just because DOOH is such a great acronym. But it’s also a huge story that doesn’t currently get much attention and will explode once people can travel more freely post-pandemic. Augmented and virtual reality are making great technical strides (how about an AR contact lens?) but so far seem like very niche marketing tools. However, the two technologies perfectly complement each other, and will be supercharged by more accessible location data. Watch this space.

Marketing Technology

- data will become more accessible. That marketers want to be “data-driven” is old news. What’s changing is that years of struggle are finally yielding progress toward making data more available and providing the tools to use it. As with digital advertising, the pandemic has accelerated an existing trend, achieving in months digital transformations that would otherwise have taken years.  Although internal data is the focus of most integration efforts, access to external data is also growing, privacy rules notwithstanding. Intent data has been a particular focus with recent announcements from TechTarget, ZoomInfo, Spiceworks Ziff Davis, and Zeta Global.

- artificial intelligence will become (even more) ubiquitous. It seems just yesterday that we were impressed to hear that a company’s product was “AI-powered”. Today, that’s as exciting as being told their offices have “electric lights”. But AI continues to grow stronger even if it doesn’t get as much attention (which the truly paranoid will suspect is because the AIs prefer it that way). Marketers increasingly worry that AI will ultimately replace them, even if it makes them more productive before that happens. The headline story is that AI is taking on more “creative” tasks such as content creation and campaign design, which were once thought beyond its capabilities. But the real reason for its growth may be that interactions are shifting to digital channels where success will be based more on relentless analytics than an occasional flash of uniquely human insight.

- blockchain will quiet down. I’ll list blockchain only to point out that it’s been an underachiever in the hype-generation department. Back in 2018 we saw it at least as often as AI. Now it comes up just rarely. There are many clear applications in logistics and some promising proposals related to privacy. But there’s less wild-eyed talk about blockchain changing the world. Do keep an ear open, though: I suspect more is happening behind the scenes than we know.

- no-code will continue to grow. If anything has replaced AI as the buzzword of the year, it’s “no code” and related concepts like “self-service” and “citizen [whatever]”. It’s easy to make fun of these (“citizen brain surgeon”, anyone?) but there’s no doubt that many workers become more productive when they can automate processes without relying on IT professionals. The downside is the same loss of quality control and integration posed by other types of shadow IT – although no-code systems are more often governed than true shadow IT projects. In addition, no-code’s more sophisticated cousin, low-code, is widely used by IT professionals. It’s possible to see no-code systems as an alternative to AI: both improve productivity, one by letting workers do more and the other by replacing them altogether. But a more realistic view is to recognize AI as a key enabling technology inside many no-code systems. As the internal AIs get smarter, no-code will take on increasingly complex tasks, making it more helpful (and more threatening) to increasingly skilled workers.

Marketing

The pandemic has changed how marketers (and everyone else) do their work. With vaccines now reaching the public, it’s important to realize that conditions will change again fairly soon. But that doesn’t mean things will go back to how they were.

- events have changed forever. Yes, in-person events will return and many of us will welcome them with new appreciation for what we’ve missed. But tremendous innovation has occurred in on-line events and more will surely appear in coming months. It’s obvious that there will be a permanent shift towards more digital events, with in-person events reserved for situations where they offer a unique advantage. We can also expect in-person events to incorporate innovations developed for digital events – such as enhanced networking techniques and interactive presentations. I don’t think the significance of this has been fully recognized.  Bear in mind that live events are often the most important new business source for B2B marketers, so major changes in how they work will ramify throughout the marketing and sales process.

- remote work is here to stay. Like events, marketers’ worksites will drift away from the current nearly-all-digital mode to a mix of online and office-based activities. Also like events, innovations developed for remote work, such as improved collaboration tools, will be deployed in both situations. The key difference is that attendance of most events is optional, so attendees can walk away from dysfunctional changes. Workers have less choice about their environments, so harmful innovations such as employee surveillance and off-hours interruptions are harder for them to reject. Whether these stressors outweigh the benefits of remote work will depend on how well companies manage them, so we can expect a period of experimentation and turmoil as businesses learn what works best. With luck, this will mean new attention to workplace policies and management practices, something many firms have handled poorly in the past. Companies that excel at managing remote workers will have a new competitive advantage, especially since remote work lets the best workers choose from a wider variety of employers.

- privacy pressures will rise. The European Union’s General Data Protection Regulation (GDPR) wasn’t the first serious privacy rule or the only reason that privacy gained more attention. But its enforcement date of May 25, 2018 does mark the start of an escalating set of changes that impact what data is available to marketers and how consumers view use of their personal information. These changes will continue and companies will find it increasingly important to manage consumer data in ways that comply with ever-more-demanding regulations and give consumers confidence that their data is being handled appropriately. (A closely related subplot is continued security breaches as companies fail to secure their data despite best efforts.  Another is the continued misbehavior of Facebook and other social media firms and increasing resistance by regulators and consumers.  That one is worth a channel of its own.)  Marketers will need to take a more active role in privacy discussions, which have been dominated by legal, security, and IT staffs in businesses, and by consumer advocates, academics, and regulators in the political world. Earning a seat at that crowded table won’t be easy but making their voice heard is essential if marketers want the rules to reflect their needs.

- trust is under fire. This is a broad trend spanning continents and stretching back for years (see Martin Gurri’s uncannily prescient The Revolt of the Public, published in 2014). Socially, the trend presents itself as a loss of trust in institutions, the benefits of technology, and credentialed experts in general. In marketing, it shows up as companies voicing disappointment with data-driven analytics and personalization, as consumers not trusting companies to manage or protect their data, as workers' fear that AI systems will harm creativity and codify unfair bias, as widely-noted gaps between what customers want and companies deliver, as “citizen developers” preferring to build their own systems, and as buyers preferring peers, Web searches, social media, and pretty much any other information source to analyst reports.

Trust is the theme that connects all the stories I’ve listed above. Without trust, consumers won’t share their data, respond to marketing messages, or try new channels; governments will push for more stringent privacy and business regulations; workers will be less productive; and all industry progress will move more slowly. The trust crisis is too broad for marketers to fix by themselves. But they need to account for it in everything they do, adjusting their plans to include trust-building measures that might not have been needed in a healthier past. The pandemic will end soon and technologies come and go. But trust will be a story to follow for a long, long time.

Friday, September 25, 2020

Software Review: Skypoint Cloud Combines CDP and Privacy Management

There are obvious similarities between Customer Data Platforms and privacy systems: both find customer data in all company systems; both assemble that data into unified profiles; and both govern access to those profiles. Indeed, some CDP vendors have expanded into privacy management by adding consent modules to their systems or by integrating third-party consent managers.

Still, the line between CDP and privacy managers is usually clear: CDPs store customer data imported from other systems while privacy managers read the data in place. There might be a small gray area where the privacy system imports a little information to do identity matching or to build a map of what each source system contains. But it’s pretty easy to distinguish systems that build huge, detailed customer data sets from those that don’t. 

There’s an exception for every rule. Skypoint Cloud is a CDP that positions itself as a privacy system, including data mapping, consent management, and DSR (Data Subject Request) fulfillment. What makes it a CDP is that Skypoint ingests all customer data and builds its own profiles. Storing the data within the system actually makes fulfilling the privacy requirements easier, since Skypoint can provide customers with copies of their data by reading its own files and can ensure that data extracts contain only permitted information. Combining CDP and privacy in a single system also saves the duplicate effort of having two systems each map and read customer data in source systems.

The conceptual advantages of having one system for both CDP and privacy are obvious. But whether you’d want to use a combined system depends on how good it is at the functions themselves. This is really just an example of the general “suite vs best-of-breed” debate that applies across all system types.

You won’t be surprised that a young, small vendor like Skypoint lacks many refinements of more mature CDP systems. Most obviously, its scope is limited to ingesting data and assembling customer profiles, with just basic segmentation capabilities and no advanced analytics or personalization.  That’s only a problem if you want your CDP to include those features; many companies would rather use other tools for them anyway. There’s that “suite vs best-of-breed” choice again.

When it comes to assembling the unified database, Skypoint has a bit of a secret weapon: it relies heavily on Microsoft Azure Data Lake and Microsoft’s Common Data Model. Azure lets it scale effortlessly, avoiding one set of problems that often limit new products. Common Data Model lets Skypoint tap into an existing ecosystem of data connectors and applications, again saving Skypoint from developing those from scratch. Skypoint says they’re the only CDP vendor other than Microsoft itself to use the Common Data Model: so far as I know, that’s correct. (Microsoft, Adobe, SAP, and others are working on the Open Data Initiative that will map to the Common Data Model but we haven’t heard much about that recently.) 

How it works is this: Skypoint can pull in any raw data, using its own Web tag or other sources, and store it in the data lake. Users set up a data flow to ingest each source, using either the existing or custom-built connectors. The 200+ existing connectors cover most of the usual suspects, including Web analytics, ecommerce, CRM, marketing automation, personalization, chat, Data Management Platforms, email, mobile apps, data stores, and the big cloud platforms.

Each data flow maps the source data into data entities and relations, as defined in the Common Data Model or adjusted by the user. This is usually done before the data is loaded into the data lake but can also be done later to extract additional information from the raw input.  Skypoint applies machine learning to identify likely PII within source data and lets users then flag PII entities in the data map.  Users can also define SQL queries to create calculated values. 

Each flow has a privacy tab that lets the user specify which entities are returned by Data Subject Requests, whether data subjects can order the data erased, and which data processes use each entity. The data processes, which are defined separately, can include multiple entities with details about which entities are included and what consents are required. Users can set up different data processes for customers who are subject to different privacy regulations due to location or other reasons.

Once the data is available to the system, Skypoint can link records related to the same person using either rule-based (deterministic) matches or machine learning. It’s up to the client to define her own matching rules. The system maintains its own persistent ID for each individual. Matches can be either incremental – only matching new inputs to existing IDs – or can rebuild the entire matching universe from scratch. Skypoint also supports real-time identity resolution through API calls from a Web tag.

After the matching is complete, the system merges its data into unified customer profiles. Skypoint provides a basic audience builder that lets users define selection conditions. This also leverages Skypoint's privacy features by first having users define the purpose of the audience and then making available only data entities that are permitted for that purpose. Users can also apply consent flags as variables within selection rules. Audiences can be connected with actions, which export data to other systems manually or through connectors.

Users can supplement the audience builder by creating their own apps with Microsoft Azure tools or let external systems access the data directly by connecting through the Common Data Model.

Back to privacy. Skypoint creates an online Privacy Center that lets customers consent to different uses of their data, make data access requests, and review company policy statements. It creates an internal queue of access requests and tracks their progress towards fulfillment. Users can specify information to be used in the privacy center, such as the privacy contact email and URLs of the policy statements. They can also create personalized email templates for privacy-related messages such as responses to access requests or requests to verify a requestor’s email address.

This is a nicely organized set of features that includes what most companies will need to meet privacy regulations. But the real value here is the integration with data management: gathering data for subject access requests is largely automated when data is mapped into the system through the data flows, a major improvement over the manual data assembly required by most privacy solutions. Similarly, the connection between data flows, audiences, and data processing definitions makes it easier to ensure the company uses only properly consented information. There are certainly gaps – in particular, data processes must be manually defined by users, so an undocumented process would be missed by the system. But that’s a fairly common approach among privacy products.

Pricing for Skypoint starts with a free version limited mostly to the privacy center, consent manager, and data access requests. Published pricing ranges past $2,000 per month for more than ten data integrations. The company was founded in 2019 and is just selling to its first clients.

Sunday, September 13, 2020

Software Review: Osano Manages Cookie Consent and Access Requests

The next stop on our privacy software tour is Osano, which bills itself as “the only privacy platform you’ll ever need”. That's a bit of an overstatement: Osano is largely limited to data subject interactions, which is only one of the four primary privacy system functions I defined in my first post on this topic. (The other three are: discovering personal data in company systems, defining policies for data use, and enforcing those policies.) But Osano handles the interactions quite well and adds several other functions that are unique. So it’s certainly worth knowing.

The two main types of data subject interactions are consent management and data subject access requests (DSARs). Osano offers structured, forms-based solutions to both of these, available in a Software-as-a-Service (SaaS) model that lets users deploy them on Web sites with a single line of JavaScript or on Android and iOS mobile apps with an SDK.

The consent management solution provides a prebuilt interface that automatically adapts its dialog to local laws, using geolocation to determine the site visitor's location. There are versions for 40+ countries and 30+ languages, which Osano updates as local laws change. Because it is delivered as a SaaS platform, the changes made by Osano are automatically applied to its clients. This is a major time-saver for organizations that would otherwise need their own resources to monitor local laws and update their system to conform to changes.

Details will vary, but Osano generally lets Web visitors consent to or reject different cookie uses including essential, analytics, marketing, and personalization. Where required by laws like the California Consumer Privacy Act (CCPA), it will also collect permission for data sharing. Osano stores these consents in a blockchain, which prevents anyone from tampering with them and provides legally-acceptable proof that consent was obtained. Osano retains only a hashed version of the visitor’s personal identifiers, thus avoiding the risk of a PII leak while still enabling users to search for consent on a known individual.

Osano’s use of blockchain to store consent records is unusual. Also unusual: Osano will search its client’s Website to check for first- and third-party cookies and scripts. The system will tentatively categorize these, let users confirm or change the classifications, and then let site visitors decide which cookies and scripts to allow or block. There’s an option to show visitors details about each cookie or script.

Osano also provides customer-facing forms to accept Data Subject Access Requests. The system backs these with an inventory of customer data, built by users who manually define systems, data elements, and system owners. Put another way: there’s no automated data discovery. The DSAR form collects the user’s information and then sends an authentication email to confirm they are who they claim.  Once the request is accepted, Osano sends notices to the owners of the related systems, specifying the data elements included and the action requested (review, change, delete, redact), and tracks the owners’ reports on completion of the required action. Osano doesn’t collect the data itself or make any changes in the source systems.

The one place where Osano does connect directly with source systems is through an API that tracks sharing of personal data with outside entities. This requires system users to embed an API call within each application or workflow that shares such data: again, there’s no automated discovery of such flows. Osano receives notification of data sharing as it happens, encrypts the personal identifiers, and stores them in a blockchain along with event details. Users can search the blockchain for the encrypted identifiers to build a history of when each customer’s data was shared.
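The storage pattern described above for consent records and for data-sharing events, as an added example that is not Osano's code or part of the original post: identifiers are kept only as a keyed hash (HMAC-SHA256 is an assumption; the post says only "hashed" and "encrypts"), and a simple local hash chain stands in for the blockchain. All function names, the key, and the sample events are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Constructed demo key (assumption). A real deployment keeps this outside the ledger.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash of a normalized identifier such as an email address.

    A plain unkeyed hash of an email can be reversed by hashing candidate
    addresses; the key prevents that for anyone who holds only the ledger.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def entry_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of an entry (without its hash)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(ledger, identifier, event, details, timestamp, key):
    """Append a consent or sharing event, linked to the previous entry's hash."""
    body = {
        "subject": pseudonymize(identifier, key),
        "event": event,
        "details": details,
        "timestamp": timestamp,
        "prev_hash": ledger[-1]["hash"] if ledger else GENESIS,
    }
    entry = dict(body, hash=entry_hash(body))
    ledger.append(entry)
    return entry


def verify_chain(ledger, expected_head=None) -> int:
    """Return -1 if the chain is intact.

    Otherwise return the index of the first entry whose link or hash fails,
    or len(ledger) if every link is consistent but the final hash differs
    from an externally recorded expected_head.
    """
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev:
            return i
        if not hmac.compare_digest(entry_hash(body), entry["hash"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(ledger)
    return -1


def history_for(ledger, identifier, key):
    """All events for a known individual, found without storing the identifier."""
    token = pseudonymize(identifier, key)
    return [e for e in ledger if hmac.compare_digest(e["subject"], token)]


def build_demo_ledger(key=DEMO_KEY):
    """Constructed sample events: two consents and one data-sharing notice."""
    ledger = []
    append_event(ledger, "Alice@example.com", "consent",
                 {"analytics": True, "marketing": False},
                 "2020-09-01T10:00:00Z", key)
    append_event(ledger, "bob@example.com", "consent",
                 {"analytics": False, "marketing": False},
                 "2020-09-01T10:05:00Z", key)
    append_event(ledger, "alice@example.com ", "data_shared",
                 {"recipient": "example-partner"},
                 "2020-09-02T08:30:00Z", key)
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    print("chain status:", verify_chain(demo, demo[-1]["hash"]))
    for e in history_for(demo, "alice@example.com", DEMO_KEY):
        print(e["timestamp"], e["event"], e["details"])
```

A local chain like this only exposes an edit if its latest hash is also recorded somewhere the editor cannot reach, because anyone who can rewrite the file can recompute every later hash. That external anchoring is the property a shared blockchain is meant to supply.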

Perhaps the most unusual feature of Osano is the company’s database of privacy policies and related information for more than 11,000 companies. Osano gathers this data from public Web sites and has privacy attorneys review the contents and score each company on 163 data points. This lets Osano rate firms based on the quality of their privacy processes. It runs Web spiders that continuously check for changes and will adjust privacy ratings when appropriate. Osano also keeps watch on other information, such as data breach reports and lawsuits, which might also affect ratings. This lets Osano alert its clients if they are sharing data with a risky partner.

Osano is offered in a variety of configurations, ranging from free (cookie blocking only) to $199/month (cookie blocking and consent management for up to 50,000 monthly unique Web site visitors) to enterprise (all features, negotiated prices). The company was started in 2018 and says its free version is installed on more than 750,000 Web sites.

Thursday, August 27, 2020

Software Review: BigID for Privacy Data Discovery

Until recently, most marketers were content to leave privacy compliance in the hands of data and legal teams. But laws like GDPR and CCPA now require increasingly prominent consent notifications and impose increasingly stringent limits on data use. This means marketers must become increasingly involved with the privacy systems to ensure a positive customer experience, gain access to the data they need, and ensure they use the data appropriately. 

I feel your pain: it’s another chore for your already-full agenda.  But no one else can represent marketers’ perspectives as companies decide how to implement expanded privacy programs.  If you want to see what happens when marketers are not involved, just check out the customer-hostile consent notices and privacy policies on most Web sites.

To ease the burden a bit, I’m going to start reviewing privacy systems in this blog. The first step is to define a framework of the functions required for a privacy solution.   This gives a checklist of components so you know when you have a complete set. Of course, you’ll also need a more detailed checklist for each component so you can judge whether a particular system is adequate for the task. But let’s not get ahead of ourselves. 

At the highest level, the components of a privacy solution are:

  • Data discovery.  This is searching company systems to build a catalog of sensitive data, including the type and location of each item. Discovery borders on data governance, quality, and identity resolution, although these are generally outside the scope of a privacy system. Identity resolution is on the border because responding to data subject requests (see next section) requires assembling all data belonging to the same person. Some privacy systems include identity resolution to make this possible, but others rely on external systems to provide a personal ID to use as a link.

  • Data subject interactions.  These are interactions between the system and the people whose data it holds (“data subjects”).  The main interactions are to gather consent when the data is collected and to respond to subsequent “data subject access requests” (DSARs) to view, update, export, or delete their data. Consent collection and request processing are distinct processes.  But they are certainly related and both require customer interactions.  So it makes sense to consider them together. They are also where marketers are most likely to be directly involved in privacy programs.

  • Policy definition.  This specifies how each data type can be used.  There are often different rules based on location (usually where the data subject resides or is a citizen, but sometimes where the data is captured, where it’s stored, etc.), consent status, purpose, person or organization using the data, and other variables. Since regulations and company policies change frequently, this component includes processes to identify changes and either automatically adjust rules to reflect them or alert managers that adjustments may be needed.

  • Policy application.  This monitors how data is actually used to ensure it complies with policies, send alerts if something is not compliant, and keep records of what’s done. Marketers may be heavily involved here but more as system users than system managers. Policy application is often limited to assessing data requests that are executed in other systems but it sometimes includes actions such as generating lists for marketing campaigns. It also includes security functions related specifically to data privacy, such as rules for masking of sensitive data or practices to prevent and react to data breaches. Again, security features may be limited to checking that rules are followed or include running the processes themselves. Security features in the privacy system are likely to work with corporate security systems in at least some areas, such as user access management. If general security systems are adequate, there may be no need for separate privacy security features. 

Bear in mind that one system need not provide all these functions.  Companies may prefer to stitch together several “best of breed” components or to find a privacy solution within a larger system. They might even use different privacy components from several larger systems, for example using a consent manager built into a Customer Data Platform and a data access manager built into a database’s core security functions. 

Whew.

Now that we have a framework, let's apply it to a specific product.  We'll start with BigID.

Data Discovery

BigID is a specialist in data discovery. The system applies a particularly robust set of automated tools to examine and classify all types of data – structured, semi-structured, and unstructured; cloud and on-premise; in any language. For identified items, it builds a list showing the application, object name, data type, server, geographic location, and other details. 

Of course, an item list is table stakes for data discovery.  BigID goes beyond this to organize the items into clusters related to particular purposes, such as medical claims, invoices, and employee information. It also draws maps of relations across data sources, such as how the transaction ID in one table connects to the transaction ID in another table (even if the field names are not the same). Other features highlight data sources holding sensitive information, alert users if these are not properly secured from unauthorized access, and calculate privacy risk scores. 

The relationship maps provide a foundation for identity resolution, since BigID can compare values across systems to find matches and use the results to stitch together related records. The system supports fuzzy as well as exact matches and can compare combinations of items (such as street, city, and zip) in one rule.  But the matching is done by reading data from source systems for one person at a time, usually in response to an access request. This means that BigID could assemble a profile of an individual customer but won’t create the persistent profiles you’d see in a Customer Data Platform or other type of customer database. It also can’t pull the data together quickly enough to support real-time Web site personalization, although it might be fast enough for a call center. 

In fact, BigID doesn’t store any data outside of the source systems except for metadata.  So there's no reason to confuse it with a data lake, data warehouse, CRM, or CDP.

Data Subject Interactions

BigID doesn’t offer interfaces to capture consent but does provide applications that let data subjects view, edit, and delete their data and update preferences. When a data access request is submitted, the system creates a case that is sent to other systems or people to execute. BigID provides a workflow to track the status of these cases but won’t directly change data in source systems. 

Policy Definition 

BigID doesn’t have an integrated policy management system that lets users define and enforce data privacy rules. But it does have several components to support the process:

  • "Agreements" let users document the consent terms and conditions associated with specific items. This does not extend to checking the status of consent for a particular individual but does create a way to check whether a consent-gathering option is available for an item.

  • “Business flows” map the movement of data through business processes such as reviewing a resume or onboarding a new customer. Users can document flows manually or let the system discover them in the data it collects during its scan of company systems. Users specify which items are used within a flow and the legal justification for using sensitive items. The system will compare this with the list of consent agreements and alert users if an item is not properly authorized. BigID will also alert process owners if a scan uncovers a sensitive new data item in a source system.  The owner can then indicate whether the business flow uses the new item and attach a justification. BigID also uses the business flows to create reports, required by some regulations, on how personal data is used and with whom it is shared. 

  • “Policies” let users define queries to find data in specified situations, such as EU citizen data stored outside the EU. The system runs these automatically each time it scans the company systems. Query results can create an alert or task for someone to investigate. Policies are not connected to agreements or business flows, although this may change in the future. 
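The checks described in this list, written out as an added example (not BigID's code or API): a policy query for EU-resident data stored outside the EU, a business-flow check against the list of agreements, and the alert for a sensitive item that first appears in a new scan. Every record, field name and function name is constructed, and the rule that a "consent" justification needs an agreement on file is an assumption about how the comparison works.

```python
from dataclasses import dataclass, field

# Abbreviated, constructed subset of EU country codes; a real policy needs the full list.
EU = frozenset({"DE", "FR", "IE", "NL", "ES", "IT"})


@dataclass
class CatalogItem:
    item_id: str
    application: str
    data_type: str
    stored_in: str          # country where the server sits
    subject_residency: str  # country of the data subjects
    sensitive: bool


@dataclass
class BusinessFlow:
    name: str
    owner: str
    sources: set                               # applications the flow reads from
    items: dict = field(default_factory=dict)  # item_id -> legal justification ("" if none)


def policy_eu_data_outside_eu(catalog):
    """Policy query: sensitive data about EU residents held on servers outside the EU."""
    return sorted(i.item_id for i in catalog
                  if i.sensitive and i.subject_residency in EU and i.stored_in not in EU)


def flow_authorization_alerts(flow, catalog, agreements):
    """Compare a flow's declared items with the agreements on file."""
    by_id = {i.item_id: i for i in catalog}
    alerts = []
    for item_id, justification in sorted(flow.items.items()):
        item = by_id.get(item_id)
        if item is None:
            alerts.append((item_id, "item not found in latest scan"))
        elif not item.sensitive:
            continue
        elif not justification:
            alerts.append((item_id, "no legal justification recorded"))
        elif justification == "consent" and item_id not in agreements:
            alerts.append((item_id, "consent claimed but no agreement on file"))
    return alerts


def new_sensitive_item_alerts(flow, catalog, previous_scan_ids):
    """Sensitive items that are new in this scan, sit in one of the flow's
    source applications, and have not yet been reviewed by the flow owner."""
    return sorted(i.item_id for i in catalog
                  if i.sensitive and i.application in flow.sources
                  and i.item_id not in previous_scan_ids
                  and i.item_id not in flow.items)


# Constructed scan results and documentation.
CATALOG = [
    CatalogItem("crm.email", "crm", "email", "DE", "DE", True),
    CatalogItem("crm.phone", "crm", "phone", "DE", "DE", True),
    CatalogItem("crm.national_id", "crm", "national_id", "US", "FR", True),
    CatalogItem("ats.resume_text", "ats", "free_text", "US", "US", True),
    CatalogItem("ats.health_note", "ats", "free_text", "US", "US", True),
    CatalogItem("web.page_views", "web", "counter", "US", "DE", False),
]
PREVIOUS_SCAN = {"crm.email", "crm.phone", "crm.national_id",
                 "ats.resume_text", "web.page_views"}
AGREEMENTS = {"crm.email", "ats.resume_text"}  # items with documented consent terms
ONBOARDING = BusinessFlow("customer onboarding", "sales-ops", {"crm"},
                          {"crm.email": "consent", "crm.national_id": "consent",
                           "crm.phone": ""})
RESUME_REVIEW = BusinessFlow("resume review", "hr-ops", {"ats"},
                             {"ats.resume_text": "consent"})

if __name__ == "__main__":
    print("policy hits:", policy_eu_data_outside_eu(CATALOG))
    for flow in (ONBOARDING, RESUME_REVIEW):
        print(flow.name, flow_authorization_alerts(flow, CATALOG, AGREEMENTS),
              new_sensitive_item_alerts(flow, CATALOG, PREVIOUS_SCAN))
```

Like the product described, these functions only report: each result is an alert for a person or workflow system to act on, not an enforcement step.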

Policy Enforcement

BigID doesn’t directly control any data processing, so it can’t enforce privacy rules. But the alerts issued by the policy, agreement, and business flow components do help users to identify violations. Alerts can create tasks in workflow systems to ensure they are examined and resolved. The system also lets users define workflows to assess and manage a data breach should one occur. 

Technology 

As previously mentioned, BigID reads data from source systems without making its own copies or changing any data in those systems. Clients can run it in the cloud or on-premises. System functions are exposed via APIs which let the company, clients, or third parties build apps on top of the core product. In fact, the data subject access request and preference portal functions are among the applications that BigID created for itself. It recently launched an app marketplace to make its own and third party apps more easily available to its clients. 

Business 

BigID has raised $146 million in venture funding and reports nearly 200 employees. Pricing is based on the number of data sources: the company doesn’t release details but it’s not cheap. It also doesn’t release the number of clients but says the count is “substantial” and that most are large enterprises.

Tuesday, August 18, 2020

Data Security is a Problem Marketers Must Help Fix


Everything you need to know about 2020 is covered by the fact that “apocalypse bingo” is already an over-used cliché. So I doubt many marketers have found spare time to worry about data security – which most would consider someone else’s problem. But bear in mind that 92% of consumers say they would avoid a company after a data breach. So, like it or not, security is a marketer’s problem too. 

Unfortunately, the problem is a big one. I recently took a quick scan of research on the issue, prompted in particular by a headline that nearly half of companies release software they know contains security flaws.  Sounds irresponsible, don't you think?  The main culprit in that case is pressure to meet deadlines, compounded by poor training in security procedures. If there’s any good news, it’s that the most-used applications have fewer unresolved security flaws than average, suggesting that developers pay more attention when they know it’s most important. 

The research is not reassuring. It may be a self-fulfilling prophecy, but most security professionals see data breaches as inevitable. Indeed, many think a breach is good for their career, presumably because the experience makes them better at handling the next one. Let’s just be grateful they're not airline pilots. 

Still, the professionals have a point. Nearly every company reports a business-impacting cyberattack in the past twelve months. Even before COVID-19, fewer than half of IT experts were confident their organizations can stop data breaches with current resources.

The problems are legion. In addition to deadline pressures and poor training, researchers cite poorly vetted third-party code libraries (charmingly described as “shadow code”), compromised employee accounts, insecure cloud configurations, and attacks on Internet of Things devices.

Insecure work-from-home practices during the pandemic only add new risk. One bit of good news is that CIOs are spending more on security,  prioritizing access management and remote enablement. 

What’s a marketer to do?  One choice is to just shift your attention to something less stressful, like fire tornados and murder hornets. It’s been a tough year: I won’t judge. 

But you can also address the problem. System security in general is managed outside of most marketing departments. But marketers can still ensure their own teams are careful when handling customer data (see this handy list of tips from the CDP Institute). 

Marketers can also take a closer look at privacy compliance projects, which often require tighter controls on access to customer data. Here’s an overview of what that stack looks like.  CDP Institute also has a growing library of papers on the topic.

Vendors like TrustArc, BigID, OneTrust, Privitar, and many others, offer packaged solutions to address these issues. So do many CDP vendors. Those solutions involve customer interactions, such as consent gathering and response to Data Subject Access Requests.  Marketers should help design those interactions, which are critical in convincing consumers to share personal data that marketers need for success. The policies and processes underlying those interfaces are even more important for delivering on the promises the interfaces make. 

In short, while privacy and security are not the same thing, any privacy solution includes a major security component. Marketers can play a major role in ensuring their company builds solid solutions for both. 

Or you can worry about locusts.

 

Saturday, May 11, 2019

Jamie's Excellent Privacy Adventure

Jamie knew something was wrong when his alarm clock didn’t greet him by name. Weird, he thought.

Things quickly got weirder.

The water in the shower was too hot.  The traffic report mentioned an accident nowhere near his route to work. When the radio played a song he had specifically banned from his play list, he knew something serious was wrong.

“Clock, please run a system check,” Jamie muttered, annoyed.

Silence.

He said it again, louder, this time staring directly at the device on his night table.

Silence.

System must be down, he thought. I’ll deal with it later.

But then he looked out the window. The cars all had human drivers and pedestrians were not staring into their phones. He knew he had a much bigger problem.

A multiverse flip.

He'd read about it on the news.  Result of global warming or wireless signal overload or overlapping artificial realities. No one really knew.  What they did know was that people woke up in a different world from the one they’d fallen asleep in.  It seemed to be happening more often. 

Jamie picked up his phone. It didn’t recognize him but on-screen instructions let him unlock it with a thumbprint. He dialed LOST – League of Strayed Travelers – a service that spanned multiverses with enough cross-traffic to cooperate. He was lucky; the call was answered. By a human, which felt odd. But apparently that was the world he was in.

A quick conversation established that Jamie was indeed lucky: the local LOST staff included someone from his home universe. She would be Jamie’s guide. Soon a car pulled up – this one with both a driver and passenger.  Out hopped Emily, a cheerful young woman who quickly began explaining what was different.

“This is a world where privacy has been taken very seriously. Businesses and government are banned from storing any personal information beyond what’s needed for security purposes. That’s why your smartphone recognized your thumbprint. But look more closely at the phone and you’ll see it doesn’t have a record of your past calls or contacts. In the same way, we still have search engines and social networks and ecommerce, but they don’t personalize their services. It’s annoying but you get used to it. What I miss more is voice recognition, which is entirely forbidden as inherently invasive. Alexa was my best friend!”

She glanced wistfully at Jamie’s alarm clock, which he now realized was no smarter than a rock.

“But it gets much worse,” Emily continued. “Without gathering personal data, companies can’t train AI systems for things like self-driving cars, energy conservation, or personalized medicine. So we have more accidents, more pollution, and a vastly less efficient economy. Everyone has less free time and is poorer. Crime is worse because people have to carry cash and video surveillance is strictly limited. And, ironically, social media is still filled with bullying and misinformation – it turns out those have nothing to do with privacy and everything to do with human nature.”

Emily frowned briefly. Then her face brightened.

“But there’s good news, too. We’ve been researching the multiverse flips and have experimental devices that can move you from one world to another. We can’t guarantee where you’ll end up but have enough return traffic to be reasonably sure it won’t be too terrible. At least, most of the time. So there’s a risk but we can give it a shot if you like.”

On the ride back to the LOST office, Jamie and Emily chatted more about this universe, the flipping device, and their previous lives. Turned out she was from New Jersey. And married. By the time they arrived, Jamie had decided to try the new machine.

Emily gave Jamie one final smile as she closed the lid on the flipper. It was dark and warm and filled with white noise.

Then the lid was up.  Jamie was in a different room. New faces. No Emily.

A serious-looking man reached into the flipper and pulled out a package. “May I have this? It’s how we share information across the multiverses.”

The man opened the package and scanned the top document. “I see you’re Jamie. Welcome. I’m Giovanni.”

Giovanni took a closer look at the documents. “Looks like you come from a place where anything goes, privacy-wise. It’s very different here. We believe that people own their own data. But we respect their liberty, so any use is allowed if they give consent.”

Jamie was a bit groggy as he stepped from the flipper. “How’s that working out for you?”

Pretending not to notice that Jamie looked tired, Giovanni smiled and pointed to a seat. “If you please.”  His face turned serious.

“Mixed results, to tell the truth. Most people consent to pretty much everything. Their experience is much like yours – many free services but little privacy. Data breaches are common and much of the data is inaccurate. But the majority put up with it for the convenience and an occasional discount coupon.”

“And everyone else?” asked Jamie.

“There are two groups. Some people are privacy zealots, pure and simple – they won’t give up their data on principle. They pay extra for services that others get for free, and many services aren’t available to them at all.  They’re often left out of business and social events and have harder lives as a result.  Many live off the grid doing things like crafting Faraday cage handbags. At least we don’t hear their complaints.” He did not seem amused at his own joke.

“The others are people with enough power and money that they can easily afford the cost of privacy-enhanced alternatives. They have staff or bots to maintain a social media presence without exposing their own data directly. They use special devices and software that hides their identity, regularly erases their data, and maintains separate personas for different purposes. They get the best of both worlds: privacy for themselves and convenience based on the data of others.”

Jamie was puzzled. “Why is privacy protection expensive? I’d think most of the solutions are based on software.  That should be nearly free to run for everyone once it’s built.”

“I thought so too,” sighed Giovanni. “But it’s a lizard-and-the-egg sort of thing: most people won’t pay even a little extra for privacy, especially if they’re rewarded for giving it up. So the market for privacy-enhanced systems is fairly small, which means manufacturers must charge a higher price per customer, which makes the market still smaller, which drives the prices still higher. It ends up as a luxury good.” Giovanni sighed again.

“Yes, I can see how that works out,” said Jamie. He thought for a moment. “Look, it’s nice to meet you but this isn’t my home universe. Can I go back into the flipper and try again?”

“Of course,” replied Giovanni. “With your permission.”

There was time for a quick lunch while Giovanni prepared another information package. Jamie climbed back into the flipper, relaxed for a moment, and the lid was up again. Another room. More new faces.

Now a veteran, Jamie sat up and handed the information packet to the nearest person. A badge clipped to his shirt showed his name was Tim.

“Hi Tim. I’m Jamie. Where am I this time?”

Tim opened the package and read the cover sheet. He paused a moment.

“Not where you want to be, I’m afraid. But not a bad place. How much do you want to know?”

Jamie was disappointed but Tim seemed friendly enough. This room somehow seemed more cheerful than the last one.

“Well, I’m here, so I might as well find how things work. You’re the first place where people are wearing name tags. What’s up with that?”

“Happy to explain,” said Tim. “But where are my manners. Would you like a glass of wine?”

“I prefer beer,” replied Jamie. They walked to the front of the building, where a pleasant café fronted the sidewalk. They sat with their drinks.

“Unlike the last two places you’ve been, our universe believes that some data should be shared with everyone while other data should always be kept private. Deciding where the line falls isn’t easy and I can’t say we always get it exactly right. But we keep making adjustments over time. The good thing is people mostly know what to expect and are treated fairly without taking extraordinary measures to protect themselves.”

Jamie didn’t get it. “How does that work? Everyone is wearing name tags, so clearly that’s something you’re required to share. But the tags just show first names. How do you deal with more sensitive data?”

“Excellent question,” smiled Tim, warming to his subject. “So few people really care. Have another drink.”

Tim drained his own wine glass and ordered another. Jamie was still working on his first beer. Tim continued.

“We apply what people in your universe call ‘privacy by design’.  Our badges do more than show our first name: they contain details that are shared on an as-needed basis. For example, when we entered the cafe, a sensor queried my badge and told the server that I’m allowed to order a drink. But that’s all he learned; it didn’t tell him my age, let alone the name, address, birthdate, and biometrics he’d get from your driver’s license. And if there were some other reason I wasn’t allowed to order a drink – say I was already drunk – it wouldn’t have said that, either. It would just have told the server not to serve me. So my privacy is protected even while drinking restrictions are enforced.”

Jamie pushed away his beer. “So that badge knows that you’ve been drinking? I don’t think I’d want anyone keeping a log of my alcohol consumption.”

Tim looked at his own glass. “Neither would I. But the badge doesn’t keep a log; it just monitors my blood alcohol level. And it doesn’t share that unless there’s reason, like determining whether I can legally order a drink.”

Jamie relaxed a bit.  Tim continued. 

“There’s lots more information that the badge or other devices do log. My smartphone knows my location history, the Web sites I’ve visited, search queries I’ve made and much more. It uses those to make my life easier, same as in your universe. But, unlike your universe, the data never leaves my device. That way no one can use it in ways I don’t control. When someone wants to serve an ad to people who like red wine” – he lifted his glass – “they just query devices until they find a profile that fits the description. The profiles aren't stored outside the devices and there's no record of which device an ad was served to. That makes things a little harder for advertisers, who can’t control how often one person sees the same ad or connect ad views to subsequent purchases. But it still allows most kinds of behavior- and profile-based personalization.  The economy manages to function.”

Tim stopped short. “Sometimes I repeat myself. I hope I’m not boring you.”

He was, a little. But Jamie could see he loved the topic. “Well, I do want to try to get home. But maybe there’s something here I can bring back that would be useful. What else do you think I should know?”

Tim gathered his thoughts. “To quickly flesh out the picture, the same principles apply to other types of data. So, my phone knows where I live and where I am now, which lets it connect with navigation software to tell me how to get home. But it only asks the central navigation system for a route, without telling it who’s asking. So the navigation system doesn’t know anything about my movements over time. And we do let people view ads for payment, but there are strict rules against trading away personal data.”

“Who makes these rules?” asked Jamie. “In my world we’re pretty skeptical of regulators.”

Tim gave him a sharp look. “So are we. The rules come from a mix of legislators and agency staff.  There's plenty of lobbying from all sides. As I said before, there’s lots of disagreement and they don’t always get things right. But everyone starts from the premise of putting individual interests first and business interests second. Turns out that’s a good guide for many decisions."  Tim paused for a breath.

"And, yes, social interests like public safety come into play. So I can't drive a car if my badge says I'm legally drunk, although the badge doesn't give the car a reason.  I can actually override that rule in an emergency, but then the car also notifies the authorities and turns on special tracking devices.  So, yes, it's complicated.  But just because it’s hard doesn’t mean we shouldn’t try to make it work. You’ve already seen how poorly things turn out in worlds that apply simple solutions instead.”

“Indeed I have,” said Jamie. “I certainly don’t think my universe has it right.” He paused. “But home is home and that’s where I belong. Can we try the flipper again?”

“Of course,” replied Tim. They left the café without paying. Tim winked at Jamie. “Don’t worry. They'll charge my badge. Anonymously.”

Once more into the flipper.

Jamie’s phone buzzed to life before the lid was raised. He knew he was home.

“Good morning, Jamie,” the phone said. “You’re late for work. Shall I call you a car and let the office know you’re on your way?”

Jamie shut it off and opened the lid.

Tuesday, April 30, 2019

Privacy-Protecting Systems Are The New Green

Let’s take a break from Customer Data Platforms to do some trend-spotting. I spy with my little eye…privacy systems!

Specifically, there's a crop of systems that are privacy-safe alternatives to dominant social, search, email and other common consumer technologies. One well known example is DuckDuckGo, which positions itself as “a search engine that doesn’t track you”.  But there are plenty of others.  Some that have recently caught my attention include:
  • Brave, a browser that lets users decide which ads they’ll see and blocks advertisers from seeing behavioral details
  • Anagog, which lets mobile apps track behaviors and make predictions while keeping all data on the device
  • ProtonMail, an encrypted email service  (it's one of a dozen alternatives in that market)
  • Vero, an ad-free social network
  • Chatterbox, a privacy-safe smart speaker for kids
  • Aegis One “mini-computer” for anonymous Web browsing, from a company so privacy-conscious that they apparently don’t publish their contact information (which may take things a bit too far)
A thorough search would surely turn up more examples. You could also add products whose purpose is privacy, like ad blockers or proxy servers; the gazillion contenders in the pay-people-to-watch ads industry; privacy-enhancing extensions to standard products such as Google Chrome and Firefox; and, perhaps most prominent, the privacy-centered positioning of Apple.

In other words, privacy-protecting systems are a big and growing business.  Privacy is the new green: the cool virtue signifier for consumers and businesses alike.

This is worth noting because industry conventional wisdom has long held that consumers don’t really care about privacy, despite claims to the contrary. The core evidence has been that even people who say they care about privacy are willing to give up their personal data for the tiniest of incentives, whether monetary discounts or convenience. There’s still plenty of data along those lines, such as this Mulesoft study, which found that 49% of consumers would share personal data to get personalized service.  But the same surveys show a substantial minority don’t want their data tracked at all and many have stopped using big social media platforms due to privacy concerns. (See also this Harris Poll report for another set of similar statistics.)

It’s hard to find consistent data over time but it’s a safe bet that this GlobalWebIndex report is correct that consumers' privacy concerns have grown sharply in recent years.

The implications of this are intriguing. There’s a reasonable possibility that we’ll soon gain access to an alternative universe of online systems that protect rather than destroy consumer privacy. If government regulators finally step up their protection of consumers – as is already happening with laws like GDPR and the California Consumer Privacy Act – these systems will have a significant head start over existing products, not to mention vastly more credibility. The result could be a tipping point when network effects kick in and privacy-centric systems suddenly pull a mass audience away from the current, data-fueled incumbents.

That’s still a long shot, if only because the incumbent firms have huge revenues that give them the resources to fight back. But a fundamental change in consumer attitudes could make their brands so toxic that no amount of investment would save them once consumers recognize there are viable, privacy-safe alternatives. 

How will you know if this is actually happening? Keep your eyes out for three things:

  • funding announcements from venture capital firms that specifically cite the privacy-preserving features of their investments
  • evidence that consumers are paying real attention to privacy, based not just on surveys about attitudes but on actual behaviors (such as the decline in Facebook use, which is already happening)
  • a Scott Brinker/Terry Kawaja style logoscape of privacy-enhancing versions of standard consumer technologies

If you’re looking for a much deeper analysis of Internet privacy and other trends, take a look at the Mozilla Foundation’s recent Internet Health Report.

Monday, January 14, 2019

Consumers Aren't As Into Personalization As You Think, and Other Survey Results

I see a lot of surveys -- easily a dozen each week.  Mostly they go into a big file which I mine occasionally for factoids to spice up a paper or presentation.  Sometimes I take a more thorough tour to look at some bigger issues.  Today is one of those days.

Specifically, I was prepping for a presentation in Amsterdam, which meant I needed to present general industry trends and then see what is different in Europe.  This turned out to be pretty interesting.  But I assembled vastly more data than I could include in any presentation where the audience was not chained to their seats (frowned upon by EU regulators).   So I'm sharing it all here with you instead.

(I've also packaged it all in a paper for the Customer Data Platform Institute, available here.  Much more convenient than copying this blog post if you want a reference copy.)

Note that there's more information on sources at the end of this post.  For now, let's just get to the good stuff.

Consumer Attitudes: Personalization

If marketers hold any truth to be self-evident, it’s that today’s consumers want and expect personalization. The reality is a bit different and depends greatly on the definition of “personalization”. The majority of consumers believe they receive personalized service, but many fewer expect personalized experiences. What they do expect is consistent service, shared information, and being identified as repeat customers. In other words, they expect you to know who they are and to use that data to serve them – for example, by being aware of past purchases and problems. But they don’t necessarily expect you to make personalized offers or otherwise personalize their experience.

We do see quite consistently that European consumers have lower expectations for all kinds of personalization.



Whether or not consumers expect personalization, it can still be a competitive advantage to provide it. The majority of consumers do say they’re more loyal to brands that understand them and provide good service, and more likely to stop doing business with brands with poor service. But, again, the focus seems to be more on service than proactive personalization: barely one quarter of consumers said that anticipating needs is the most important part of personalization. This may come as a shock to marketers who have put anticipating needs at the top of their list of reasons to do personalization.


These results shouldn’t be read as a reason to ignore customer needs. Companies get more revenue when they offer customers what they want, whether or not the customer expects it.

We again see that European consumers place slightly less weight than U.S. consumers on personalization, although the difference is less pronounced than with expectations. One interpretation would be that European consumers don’t expect personalized treatments and thus don’t factor it into their behavior.


Consumer Attitudes: Privacy

Marketers know they need to balance personalization against privacy. We’ve just seen that consumer interest in personalization may not be quite as high as we thought. By contrast, consumers show great interest in privacy, both in general and specifically in relation to marketing. More than three-quarters don’t want companies to market to them based on personal data. Fewer than half would trade their data for personalized service, even though that’s the reason most companies give for collecting it. Although European consumers show slightly less concern about privacy in general, they are more opposed than U.S. consumers to letting companies use their data for marketing. This is consistent with the personalization results: if European consumers place less value on personalization, it makes sense that they’d be less willing to share their personal data to enable personalized treatments.



Looking beyond personalization to the broader question of trust, we again see that Europeans place less trust in business than U.S. consumers. An astonishing 68% believe brands sell their data. This may reflect the attention drawn to data sharing by the European Union’s General Data Protection Regulation (GDPR). Europeans' lack of trust in most businesses may also explain why they are more likely to support brands that do show high purpose.



Marketing Technology

Now let’s turn to marketers. Most European marketers will tell you that their region is behind the U.S. in adoption of advanced marketing technology. European consumer perceptions of less personalization support this. The data here do show that European marketers use fewer data sources and channels for most purposes, although the figure for inputs to attribution is higher. The differences are relatively small with the significant exception that Europeans report using personalization in 20% fewer channels (4.1 vs 5.1) than U.S. marketers.


The gap is larger when we focus specifically on data integration. European marketers are much more likely to cite challenges with linking multiple data sources, more likely to see linking data as the reason to deploy a Data Management Platform, and more likely to avoid a DMP because the technology is too complex. While integration is a substantial problem for many U.S. based marketers, it’s clear the pain is greater in Europe – despite having slightly fewer data sources to integrate.


The same pattern holds for marketing technology in general. European marketers spend a slightly smaller share of their marketing budget on martech and a slightly smaller share of their martech budget on data and analytics. But while those differences are fairly small, U.S. marketers expect much higher growth in their 2019 martech budgets. This is a significant indicator of attitudes regardless of what actually happens. Similarly, European marketers show consistently but slightly lower adoption of advanced marketing systems such as DMP, cross-channel engagement, and flexible attribution models.




Marketing Maturity

Looking beyond technology, we see that U.S. and European marketers share a high level of belief in personalization. But European marketers rank lower on other measures that indicate maturity. It’s particularly intriguing that European marketers are less likely than U.S. marketers to be prioritizing first party data, even though GDPR is generally assumed to make first party data more important.



In sum, the belief that European marketers are using less advanced technology than U.S. marketers appears to be correct.


Leaders vs Mainstream

What separates the most successful marketers from the rest? This data, all from the same survey, found that high performing marketing departments were twice as likely to be responsible for technical activities related to customer data: operations, governance, security, and schemas. This suggests that marketers do in fact get better results when they have more control over their customer data. By contrast, leading and mainstream departments had similar responsibility levels for traditional marketing activities such as automation rules, data acquisition, and analytics.

It’s important to qualify this message. Even among leading marketing departments, the majority do not have technical responsibilities. So clearly success is possible under other arrangements. It’s also important to recognize that marketing and IT will almost always share some responsibilities. And they should.



Other leader vs mainstream comparisons provide more insight into the challenges faced at different maturity levels. Mainstream marketers are more likely than leaders to cite disparate technology as their biggest martech challenge: this suggests that disparate technology is the first hurdle to cross. Leaders, having started to knit together their systems, are likely to run into organizational barriers next. Once they resolve organizational problems, they can deliver results such as a single customer view and quantifying the benefits of personalization and real time marketing. Few mainstream marketers, still fighting technical and organizational battles, are able to accomplish these.



Some markers show much less correlation with leadership. Mainstream marketers are nearly as likely as leaders to lead customer experience initiatives and to run real time interactions in at least one channel. Note that single channel real time interactions do not require unified customer data or any type of shared systems. So they are not by themselves an indication of maturity.


Customer Data Platforms

Finally, we’ll look at some information specifically related to Customer Data Platforms. The table below compares CDP selection priorities for enterprise vs mid-tier buyers. It supports the common belief that these groups have different concerns. Enterprise marketers give higher priority to data security and integrating data from many sources, including third party data. Mid-market buyers also rank security as their top concern but then look for help with internal data and for data analysis tools. These are probably problems that enterprises have already solved. One implication is that CDP vendors may find themselves specializing in one or the other type of buyer so they can optimize their systems for the different needs.


I also have several surveys that asked about CDP deployment. Answers vary greatly although the general result suggests that CDP adoption is getting close to DMP adoption. The very low figure from Heinz Marketing reflects the nature of its survey, which asked B2B marketers about tools for marketing analytics and pipeline management. The audiences for the other surveys were more representative but the figures still seem much higher than likely. The CDP Institute’s own estimate is that market penetration for CDPs at the end of 2018 was around 15%.

Note on Sources

This paper draws from surveys with different audiences, survey methods, and sample sizes. The origin of each item is indicated by a number that relates to the list of surveys below.  This list provides some information about each survey, as presented in the survey report.
Data from the original surveys has been processed in several ways:

• Questions have been paraphrased for brevity and clarity.
• European results are averages of country results, which have been weighted in different cases by national population, sample size, or not at all. Different surveys included different countries.
• Some U.S. results include data from all of North America.

Readers should be able to track down the original survey reports on the Internet. I haven't published links because links change too often to be useful.

1 Acquia, Closing the CX Gap: Customer Experience Trends Report 2019. More than 5,000 consumers and 500 marketers.
2 AdRoll, The State of Marketing Attribution, 2017. 987 respondents recruited by email and social media. Majority at director/manager level.
3 Aspect, 2017 Aspect Consumer Experience Index. Online survey with 1,000 aggregate U.S. sample and similar in Germany, Spain, United Kingdom.
4 Econsultancy, The Customer Data Imperative, 2018. 509 online survey respondents, primarily at large B2C brands. Mix of marketing, IT, and operations.
5 Edelman, 2018 Edelman Trust Barometer. 33,000+ online survey respondents across 28 countries.
6 ExchangeWire, Adoption vs Execution: How Media Agencies Across the Globe Are Making the Most of their DMP’s Capabilities, 2017. 470 agency professionals.
7 Frost & Sullivan, The Global State of Online Digital Trust, 2018. 990 survey responses.
8 Gemalto, Data Security Confidence Index, 2018. 1,050 IT decision makers from organizations with perimeter security systems.
9 GlobalWebIndex, Trends 19, 2019. 91,913 Internet users aged 16-64.
10 Harvard Business Review Analytics Services, The Age of Personalization, 2018. 625 responders from audience of Harvard Business Review readers. Primarily executive/senior management at large enterprises.
11 Heinz Marketing, State of Revenue Marketing, 2018. 241 B2B marketing executives, primarily small to mid-size companies.
12 Infosys, Endless Possibilities with Data, 2018. 1,062 senior executives from organizations with annual revenues exceeding $1 billion.
13 Ipsos+Medallia, The Customer Experience Tipping Point, 2018. 8,002 consumers in U.S., UK, France, Germany.
14 Mulesoft, Consumer Connectivity Insights 2018. 650 IT decision makers at organizations with 1,000+ employees.
15 Relevancy Group, CDP Buyers Guide 2018. 406 executive marketers.
16 Salesforce Research, Fifth Edition State of Marketing 2019. 4,101 responses from full-time marketing leaders, primarily mid-size organizations. Mix of B2B and B2C.
17 Sizmek, Marketers Survey Results 2018: An Insider’s Look at Data, Walled Gardens, and Collaboration. 522 B2C brand marketers.
18 Spiceworks, 2019 State of IT, IT Marketing. 780 business technology buyers.
19 Walker Sands, State of Marketing Technology 2018. 300 marketing professionals. Primarily small to mid-size companies.
20 WE Communications, Brands in Motion 2018. Online interview of consumer survey panel totaling 11,000+ in U.S., U.K., and Germany.
21 Winterberry Group, Know Your Audience: The Evolution of Identity in a Consumer-Centric Marketplace, 2018. Online survey of more than 400 advertisers, marketers, fundraisers, publishers, technology developers and marketing service providers.

Monday, September 03, 2018

Third Party Data Is Not Dead Yet

Third party data is not dead yet.

It was supposed to be. The culprit was to be the EU’s General Data Protection Regulation, which would cut off the flow of personal data to third party brokers and, even more devastatingly, prevent marketers from buying third party data for fear it wasn’t legitimately sourced. 

The expectations are real.  A recent Sizmek study found that 77% of marketers predicted data regulations such as GDPR would make targeting audiences with third party data increasingly difficult.  In a Demandbase study, 60% of respondents said that GDPR was forcing a change in their global privacy approach.  And 44% of marketers told Trusted Media Brands  that they expected GDPR would lead to more use of first party data vs. cookies.

Marketers say they're acting on these concerns by cutting back on use of third party data. Duke Fuqua’s most recent CMO Survey found that use of online (first party) customer data has grown at 63% of companies in the past two years while just 31% expanded use of third party data. Seventy percent expected to further grow first party data in the next two years compared with just 31% for third party data. A Dentsu Aegis survey had similar results: 57% of CMOs were expanding use of existing (first party) data compared with 37% expanding use of purchased data.

The irony is that reports of GDPR impact seem to have been greatly exaggerated. A Reuters Institute study found 22% fewer third party cookies on European news sites after GDPR deployment, a significant drop which nevertheless means that 78% remain.  Meanwhile, Quantcast reported that clients using its consent manager achieved a consent rate above 90%.  In other words, third party data is still flowing freely even in Europe even if the volume is down a little. The flow is even freer in the U.S., where developments like the new California privacy regulation will almost surely be watered down before taking effect, if not blocked entirely by Federal pre-emption.

Of course, what regulation can’t achieve, self-interest could still make happen. There’s at least some debate (stoked by interested parties) over whether targeting ads with third party data is really more effective than contextual targeting, which is the latest jargon for putting ads on Web pages related to the product. Online ad agency Roast and ad platform Teads did an exhaustive study that concluded contextual targeting and demographic targeting with third party data worked about equally well. The previously-mentioned Sizmek study found that 87% of marketers plan to increase their contextual targeting in the next year and 85% say brand safety is a high or critical priority. (Ads appearing on brand-unsafe Web pages is a problem when ads are targeted at individuals, a primary use for third party data.)  The Trusted Media Brands study also listed brand safety as a major concern about digital media buying (ranked third and cited by 58%) although, tellingly, ROI and viewability were higher (first and second at 62% and 59%, respectively).

But third party data isn’t going away.

It’s become increasingly central for business marketers as Account Based Marketing puts a premium on understanding potential buyers whether or not they're already in the company’s own database.  Third party data also includes intent information based on behaviors beyond the company’s own Web site. Indeed companies including Lattice Engines, Radius, 6Sense and Demandbase have all shifted much of their positioning away from predictive modeling or ad targeting based on internal data and towards the value of the data they bring.

Then again, business marketing always relied heavily on third party data. What's arguably more surprising is that consumer marketers also seem to be using it more. Remember that the CMO surveys cited earlier showed expectations for slower growth, not actual declines. There's more evidence in the steady stream of vendor announcements touting third party data applications.

Many of these announcements are from established vendors selling established applications, such as ad targeting and marketing performance measurements. For targeting, see recent announcements from TruSignal, Thunder, and AdTheorent; for attribution, see news from Viant and  IRI.

But what's most interesting are the newer applications. These go beyond lists of target customers or comparing anonymized online and offline data. They provide something that only third party data can do at scale: connect online and offline identities. This is something that companies like LiveRamp and Neustar have done for years.  But we're now seeing many interesting new players:

Bridg helps retailers to identify previously anonymous in-store customers, based on probabilistic matching against their proprietary consumer database.  It then executes tailored online marketing campaigns.

SheerID verifies the identities of online visitors, enabling marketers to safely limit offers to members of specific groups such as teachers, students, or military veterans. They do this by building connections to reference databases holding identity details.

PebblePost links previously anonymous Web visitors to postal addresses, using yet another proprietary database to make the connections. They use this to target direct mail based on Web behaviors.

You’ll have noticed that the common denominator here is a unique consumer database.  These do something not available from other third party sources or not available with the same coverage.  Products like these will keep marketers coming back for third party data whether or not privacy regulations make Web-based data gathering more difficult.  So don't cry for third party data: the truth is it never has left you.