Smart Strategies for Trustful Marketing, Personalization & Analytics
2018 will be remembered as the year privacy regulation hit the business like never before. Your ambitions in analytics, 1:1 marketing and personalized experiences will be run over if you don’t prepare. In this article I’m giving you a guide for how to successfully and legally get your customers permission to activate their data to capture value.
I’m sure you’re not surprised if I say that GDPR is the core driving force for the changes. While some believe the changes are just a set of regulatory and technical issues to avoid fines in the EU, the truth is that failure in thinking business impact can give rough business model implications on a global scale (see The Customer’s Data Revolution).
Having legal grounds to process personal data is what GDPR is all about. Within GDPR there are cases where you do not need the user to opt in (consent) to be within the law. However, for your industry and your particular situation legal evaluation needs to be performed to assess this. My good friend Derek and Olga Marie in my team has made this amazing simple flow chart on how to evaluate legal basis and need for consent or not under GDPR and how that affects customer conversion.
If you study the flow chart, three vital strategies can be inferred:
- Whenever data can be anonymized there are no privacy implications and it should always be your first strategy.
- If the case requires you to use non-anonymized data, focus on how to be within contractual terms or legitimate interest legal grounds.
- In the cases where consent is required, to be successful you need to have a very clear tactic on how to capture the consents and then activate the customer data for value.
Let’s dig into each as a planned tactic.
Strategy 1: Anonymize First
Whenever data can be anonymized there are no privacy implications and it should always be your first strategy.
If you are able to anonymize data, you don’t need to assess the privacy impact and potentially ask for users permission to process data. GDPR defines anonymized data as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.” Anonymization places the processing and storage of personal data outside the scope of the GDPR. Hence, it can get you out of a lot of trouble.
If you think of the scope of analytics from the basic to the most advanced, anonymous data can have great value: Reporting, segmentation, clustering and training of various machine learning algorithms for predictive and prescriptive analytics can be done in an anonymous context. However, once you start to apply the models to individual customers like profile segmentation tagging or next best action processing, you come to the personal data space and you must assess the legal grounds of data processing.
One important note: Don’t fool yourself into thinking that tokenization, simple masking or hashing on customer identifiers is enough to make data anonymous. By combining attributes like position, zip code or birthdate with publicly available data you can in many cases still identify the customer and hence your data is not anonymous.
Strategy 2: Focus on Legitimate Interest Processing
If the case requires you to use non-anonymized data, focus on how to be within contractual terms or legitimate interest legal grounds.
Whenever you are within the contract / legal or legitimate interest of a service user data processing is ok and explicitly no opt in is required. For legitimate interest, the user must be able to request to opt out of the processing.
A big change with the new regulation is that it is limited what you can put in the terms (contract) of a service. Legitimate interest is the stuff you have been doing with the customers data all along that really makes naturally sense. Consent processing is all the other advanced stuff you do with the personal data.
An example can illustrate: If you for instance are a bank, storing your transactions and address details should be in the contract. Without those you wouldn’t have a service. For the same bank, giving the customer promotions on better loan interest or saving products could be legitimate interest, but the user must be able to opt out. Cross selling to insurance or hedge fund services or sharing / selling the customer data to third parties are cases where you might be outside the legitimate interest of the bank. Here you would need the users explicit consent.
The good news is that legitimate interest gives you freedom to use the customer data in several ways as long as you give the customer the ability to opt out. I recommend each organization to have a clear strategy to be in this zone, because getting consent will be more complicated.
You really need a good collaboration between legal specialists and business people to forge out what is in the different areas in a good way. In general, legal basis for a use case must be evaluated based on (1) the purpose, (2) the type of data processing, (3) what the data source is and (4) if data transfers are happening as part of the case. Being able to balance these four elements to land smart legal grounds is a capability your org must master if you have plans to personalize based on data.
Important last storm warning: New updated rules on ePrivacy comes worst case 25th of May with GDPR, but probably later in 2018. It will apply to all electronic communications data — whether personal or not. For digital marketing and data personalization, the legitimate interest clause disappears. In essence, personalized marketing will then require consent with few exceptions.
Strategy 3: Regard Consents as a Value Enabler
In the cases where consent is required, you need to have a clear tactic on how to capture the consents and then activate the customer data for value.
The customer consent value chain can be split into two parts: The first is to acquire the customers consent, the second part is about actually using the consent to create value for the customer and the business. If you study the “E2E Consent to Action Journey” below this concept is visualized.
In the first part of the journey is where you actually capture the consent. The second part is where you utilize the consent and activate the data. The important insight is the symmetric dependency between the flows: (1) Without journey 1, journey 2 becomes worthless. (2) Without journey 2, journey 1 is a waste of time and customer attention.
The consents becomes like a filter for the addressable customer base you can target. Even though your target audience is larger, you can just address the customers that have given their consent. Hence, investing in a consent without really believing getting a high sales conversion in the final end might not be the optimal strategy. We should invest in consents for customers where firstly there is a high chance of getting acceptance, but secondly and as important that this customer is likely convert to a sale. Hence, thinking end to end is likely the right approach.
So how do we succeed in capturing consents (journey 1)? Few case studies have been published on this. What I have heard at conferences and industry events is that many are worried. There exists a few mentioned examples where consent convergence rates are single digit! That is catastrophic for Journey 2 success. While low, reflect on the fact that the average click through rates for ads are less than 2% for Google, so low consent conversion is not so unlikely.
Fortunately, some cases mentioned are above 50% convergence. How can you achieve such high numbers? Those are closely guarded secrets, but making a consent relevant, well formulated, well designed through the right channel with a clear value prop for the customer is my best advice. Also, plan to do lots of iterative personalized AB testing E2E to get it right.
The concepts around consents might sound somewhat abstract, so let’s give an example. Imagine a bank that wants to sell credit scores to third parties based on their own and third party data. The case likely will require user consent:
- First, set clear KPIs to measure the success of your business objective — you want to monetize credit scores.
- Next, segment out what customers make up your target market to succeed with the objective. Who will have a benefit from the credit scoring service with the partner? Who of your customers will the partner want to approach with credit? Etc.
- Third, model the customers end to end experience. It is likely that much of credit score use case will be run from the partners value chain like a telco doing a credit check in a user sign up flow for a subscription. How will you assure that your relationship to your customers are kept trustful as part of the flow? How will the bank be integrated into the flow? What is the concrete consent text that is both legal and understandable by the customer?
- Lastly, experiment with a small batch of customers. First with user experiments, later with A/B tests where you measure conversion rates for the consent stage and end to end. When you are happy, you can finally launch.
Set the Strategies to Action
I hope you now see that every organization serious about having an effective data and personalization strategy better get their tactics clear on privacy. Here’s a suggestion to prioritizations to make the strategies come alive:
a) Make privacy a Commercial Topic
Error number one organizations are doing right now is this: Business and marketing view privacy the same way security has been viewed — like a technical issue. That is a true path to failure.
CMOs and their organizations must increase their own knowledge on the topic and take ownership for privacy. Do this by allocating top business talent to privacy projects. In this way you can engage and challenge the technical and legal side on the regulations and take clear but well advised business considerations. It is very easy for tech and legal to require customers consent for evert case, but challenge tech if there are ways to anonymize the data and challenge legal if the case can be modified to avoid consent legal basis and have legitimate interest instead.
b) Optimize for your business objectives
It really comes down to focusing on your business objectives. As we have seen, you have 3 core strategies to focus on for your cases, and getting them right and really mastering the strategy chart will make you successful. When it comes to the data consent part, there are many pitfalls, but also strategic advantages to achieve if you get it right. My best advice is to focus on some key KPIs to target for your data and analytics strategy (see Make your Data a Source for Peak Growth).
c) Focus relentlessly on the user experience
As we have seen do not underestimate UX/UI in your privacy initiatives. A badly formulated or designed consent can give low convergence rates and failure in data activation. Likewise, a poorly designed privacy control panel or user journey around handling of the customers legal rights can make a customer churn the company due to trust issues.
What can you do? First, integrate consent management into you CLM and omni-channel initiatives. In this way you can get a holistic perspective on the privacy aspects of the initiatives. You will need in some way be able to create a trustful and natural dialogue with the customer where you present a consent and she/he feels they get some benefit in return. Second, copywriting consents will become an art. Put communication talent together with legal to work on the formulations. Third, be experimental in your approach and use A/B testing to improve results. There are no clear rules for how to succeed and all are struggling. By being agile and experimental in this you can get an advantage to your competition.
In the end, your total setup on data governance, analytics and privacy will be a key in how to establish a trustful relationship with your customers to your brand (read this). My hope is that the strategies presented here can help you establish such a sound and trustful setup that also lets you capture value for your business.
Be 100% compliant by advertising or partnering with us SMOC.AI platform and ecosystem. #anticreepyads