Consumers increasingly comfortable sharing data

March 2022

Trust and transparency remain fundamental drivers

In the modern data-driven economy, businesses need people to share their data. Marketers need to understand what makes their audience tick and be willing to share.

But how important is trust in the data exchange? How do attitudes to data sharing differ across international borders and between age groups?

New research shows people increasingly understand the benefits of sharing their data; a clear value-exchange has never been more important. Younger people are shown to have less privacy concerns than older generations.

These are just some of the findings of the ‘Global Data Privacy: What the Consumer Really Thinks 2022’ research report. The report represents 28 marketing associations whose reach stretches to more than half the world’s population – including the UK Data &  Marketing Association (DMA). The latest findings build on previous studies, giving us trends useful over the past decade.

Here are some key points from the global and UK-specific reports.

Rise of the ‘unconcerned’

The research categorises people into three groups:

  • Data unconcerned – people who have little or no concerns about their data privacy. The UK report shows a notable rise in this group, almost doubling over the past decade from 16% in 2012 to 31% in the latest study. So nearly a third of consumers are not unduly concerned about their privacy.
  • Data pragmatists – people who are happy to share data with businesses as long as there’s a “clear benefit in doing so”. This group still makes up the largest group of consumers, but has declined in the past decade from 53% to 46%.
  • Data fundamentalists – People who are unwilling or highly cautious about sharing their personal information. This group is in decline reducing in the past decade from 31%  to 23%.

The chart below illustrates UK trends over the last 10 years:

Data unconcerned

Younger people are most comfortable sharing their data

Growing numbers of consumers claim to feel more comfortable with the idea of exchanging personal information with companies, although there’s a significant variation across age groups.

Younger people (18-44) are most likely to feel comfortable sharing data. However those aged 55+ have actually become less comfortable sharing data.

Trust and transparency remain fundamental

Trust in an organisation remains the most important factor driving consumer willingness to share personal information. This comes significantly above factors such as product/service benefits, price and value perceptions.

The chart below shows UK trends for the factors driving consumers to share their data:

Trust remains vital

Consumers continue to seek transparency. Today, 77% of global consumers claim that transparency around how their data is collected and used is important to them.

Industry is still seen to benefit more than consumers from the data economy

The majority of consumers globally see data exchange as essential for the running of society. Over half (53%) of consumers across all markets agreed ‘the exchange of personal information is essential for the smooth running of modern society’.

However, consumers globally continue to believe that industry benefits more than they do from data sharing, despite a small shift towards greater value being perceived by consumers. On average (across the 10 trended markets) 71% of consumers believe that ‘industry benefits more from data sharing’. In general, younger people tend to be more likely to understand and recognise the benefits from sharing their data.

This suggests we still have a long way to go to truly enable consumers to fully realise the benefits from sharing their data, or they could see this as an unfair trade.

Importance of the data exchange

The findings once again illustrate the importance of the data exchange – the moment when businesses request or otherwise collect personal data from individuals. Whilst increasingly many consumers understand the intrinsic value of their data, they want easy access to clear information about how their data will be used and need to understand what product, service or value benefits they’ll get from sharing it.

The age profile of your customers is crucial here. It’s clear businesses need to work hard to win trust and provide clear information for older age groups.

Alex Hazell, Head of Privacy and Legal at Acxiom (the DMA’s UK research partner):

‘We must drive home the value exchange between brands and people – in other words, strive harder to help people understand what they receive in return for sharing their data. For marketers, we must continue to make that value clear, whether it’s in more straightforward scenarios like relevant discounts and offers, or in more complex processing such as cross domain personalised experiences that surprise and delight.’

Concerns about online privacy remain, although reduced

As the digital economy has expanded and matured, more and more consumers are engaging with online data exchange. The proportion of UK consumers who claim to have ‘high levels of concerns’ about online privacy has fallen to 69%.

Younger consumers want to support smaller businesses

The role data sharing can play in driving more competitive economies is a compelling reason for many UK consumers to share personal information. 52% of UK consumers stated they would be more likely to exchange personal data to provide a competitive advantage to smaller companies. This sentiment was most pronounced for the under 45s.

DMA Chief Executive, Chris Combemale gave a summary the UK findings:

‘Overall, concern with data privacy is in decline, while the levels of happiness with the amount of data shared and comfort with the notion of data exchange are on the rise. In addition, public awareness and understanding of the role that data exchange plays in the modern digital economy has increased dramatically since 2012.’

“As the UK’s digital economy, alongside digital markets around the world, continue to advance and mature, there has been an increase in public ease and engagement with data sharing and the digital world. Younger people are digital natives – this is reflected in both their willingness to share data and acceptance of its importance to modern society.”

The times they are a changin’

The research highlights some interesting trends. You can read more detail in the Global report or UK report.

While consumers may be increasingly comfortable with sharing their data, it’s clear they’re most likely to do this with brands they trust, who’ve been upfront and honest about how they handle personal information and clearly demonstrate the benefits of the data exchange.

Google Analytics Processing Data in US – is this a problem?

January 2022

Austrian DPA has found that continuous use of Google Analytics violates GDPR

Once again, Google is under fire from a regulator in Europe. This time in Austria. 

The Centre for Digital Rights (noyb), which is based in Austria and led by Max Schrems, filed 101 model complaints following the Schrems II decision in 2020. 

Following the complaint about Google Analytics, the Austrian regulator has determined that the continuous use of Google Analytics violates GDPR: 

“The Austrian Data Protection Authority (DSB) has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR. This is the first decision on the 101 model complaints filed by noyb  in the wake of the so-called “Schrems II” decision. In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities. Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB “task force”. It seems the Austrian DSB decision is the first to be issued.”  Source noyb

What does Google Analytics do?

Google Analytics operates by using cookies to capture information about website visitors. Google Analytics is free to use and it’s ideal for businesses who want to know more about:

  • Who visits their website
  • How their website is used
  • What’s popular on their website, and what’s not
  • Whether visitors return to their website

What information does Google capture?

You are likely to see a range of Google cookies that do different jobs. Here’s a short list showing some possible cookies that might be used:

  • _ga: Used to distinguish users and retained for 2 years
  • _gtd: used to distinguish users and retained for 24 hours
  • _gat: Used to throttle request rate and retained for 1 minute
  • AMP_TOKEN: Contains a token that can be used to retrieve a Client ID from AMP Client ID service and retained from 30 seconds to 1 year
  • _gac_<property-id>: Contains campaign related data for the user. This is used when Google Analytics and Google Ads are connected and retained for 90 days

These cookies range from simple identification to remarketing and advertising cookies which allows you to track and remarket individuals through Google Ads. The more one strays into using this data for remarketing, the more intrusive the data capture becomes. 

What does this mean in reality?

Since the advent of GDPR, the burden to demonstrate that consent has been freely given has become greater. 

In the UK, when the ICO published their cookie (and other technologies) guidance in 2019, many large websites became instantly non-compliant. The requirement to demonstrate that consent had been freely given had become stronger. 

The ICO also clearly highlighted that Performance Cookies (such as Google Analytics) required consent to be used. 

Since 2019, companies have used a variety of methods to notify users about the existence of Google Analytics cookies. Some compliant, some less so. 

It is also clear that many have taken a risk-based approach to what they should do. The ICO’s own guidance provides a level of ambiguity on the topic:

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. Source: ICO

What are the issues?

  1. Google is a data processor unless you enable data sharing with Google Ads at which point you become a shared controller – ensuring that your privacy policies reflect these differing relationships is important. 
  2. Google stores most data in USA – since Privacy Shield became illegal this has presented some problems. Google is relying on SCC’s but the main concern is that the US has surveillance laws that require companies such as Google to provide US Intelligence agencies with access to their data. 
  3. Google does use data to improve their services. For a user, this can sometimes seem creepy. 

What could Google or US government do?

A rather obvious solution would be for Google to move the processing of EU data outside the US to server centres in Europe where the US government cannot exercise the same surveillance rights as in the US. 

Alternatively, the US government could introduce better protection for private citizens. Although this was unthinkable under the previous presidential regime, it may be conceivable under Biden/Harris. It still feels like a long shot. 

Realistically it’s quicker and more realistic for the Google’s of this world to set up data centres in Europe. Saas providers such as Salesforce addressed this issue years ago and it feels like it’s about time Google and Facebook did too. 

What should you do? 

  1. Make sure you have correctly set up your cookie banner on your website. Technically, visitors should opt-in to Google Analytics and this permission should be captured before any processing takes place
  2. Provide a clear explanation of what data you are collecting and what that data is used for in an accessible cookie notice supported by a coherent privacy policy. 
  3. Make sure you describe all the Google cookies you are using – from simple tracking through to remarketing and advertising. Ideally each cookie would be included including the technical details, duration and purpose.
  4. If you use Google Analytics a number of settings have been introduced that help protect privacy:
    • Turn on the IP anonymising tool. It removes the last three characters of the IP address and renders the address meaningless. 
    • Make use of the data deletion tool – this is a bulk delete tool and can’t be used for one user
    • Introduce data retention policies – there is a default setting of 26 months before data is deleted but maybe you can delete data sooner. 
    • Consider the use of alternative tracking tools that do not rely on the use of cookies or transferring data overseas. A quick search resulted in a non-exhaustive list of analytics tools that don’t rely on cookies. There will be other suppliers: 
      • Fathom
      • Plausible
      • Simple Analytics
      • Insights
      • Matomo

In conclusion

  • At the moment, this finding by Austrian DPA does not apply in the UK. However it’s possible other DPAs may follow suit. 
  • Having said that, there are plenty of lessons to learn about how to work with Google Analytics and other US-based companies who insist on holding data in the US
  • It’s essential that your cookie notice and privacy policy clearly set out what tools are being used and what data is being processed. This is particularly important if you are linking Google Analytics to Google Ads for remarketing. 
  • Given that the world is slowly turning against cookies, maybe now is the time to start looking at less intrusive performance tracking solutions. 

 

ICO Opinion on Ad Tech – Old wine in a new bottle?

December 2021

Does the ICO Opinion piece tell us anything new?

The ICO has published an “Opinion” which can be interpreted as a shot across the bows for any Ad Tech company who is planning to launch their new targeting solutions for the post-third-party cookie world. 

If these companies thought new targeting solutions would get waved through because they don’t involve third-party cookies, it’s clear that Google’s difficulties with their Sandbox solution say otherwise. 

Google is currently knee-deep in discussions with both Competition and Marketing Authority (CMA) and ICO to come up with a targeting solution that is fair to consumers whilst also avoiding the accusation of being anti-competitive. 

In the ICO’s opinion piece they set out the clear parameters for developing these solutions in a privacy-friendly manner. You won’t be too surprised to hear all the usual concerns being re-heated in this discussion. To quote the ICO:

  1. Engineer data protection requirements by default into the design of the initiative
  2. Offer users the choice of receiving adverts without tracking, profiling, or targeting based on personal data. 
  3. Be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing
  4. Articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful, and transparent
  5. Address existing privacy risks and mitigate any new privacy risks that the proposals introduce

This opinion piece is the latest publication from the ICO in a relatively long-running piece of work on the use of cookies and similar technologies for the processing of personal data in online advertising. In their original report in 2019, the ICO reported a wide range of concerns with the following which needed to be rectified:

  • Legal requirements on cookie use;
  • Lawfulness, fairness, and transparency;
  • Security;
  • Controllership arrangements;
  • Data retention;
  • Risk assessments; and
  • Application of data protection by design principles. 

You can read the back story here

The state of play in 2021

Since the ICO has started its investigations in 2019, the market has continued to develop new ways of targeting advertising that does not rely on third-party cookies. The net result is that the world has moved to a less intrusive way of tracking which has been welcomed by ICO. Some examples include: 

  • With Google Chrome’s announcement re: cookies, there is an expectation that third-party cookies will be phased out by end of 2022. 
  • There have been increases in the transparency of online tracking – notably Apple’s “App Tracking Transparency” ATT
  • There are new mechanisms being developed to help individuals indicate their privacy preferences simply and effectively
  • Browser developers are introducing tracking prevention in their software.  A notable example is the Google Privacy Sandbox which will enable targeting with alternative technologies.

How should we interpret this opinion piece?

A lot of what has been included is information from the 2019 reports. In effect, it’s a summary of previous activities plus additional material to bring you up to date. Although it is a rather long piece, there is some clear guidance for the way forward for developers of new solutions. 

Furthermore, it is bluntly warning technology firms that they are in the ICO’s sights: 

“In general, the Commissioner’s view is that these developments are not yet sufficiently mature to assess in detail. They have not shown how they demonstrate participants’ compliance with the law, or how they result in better data protection outcomes compared to the existing ecosystem” Source: ICO

Data protection by design is paramount – no excuses for non-compliance this time

The ICO opinion clearly flags to developers that they will accept no excuses for developing non-compliant solutions. In the past, there have been difficulties because the Ad Tech solutions have been in place for some time with the data protection guidance being retrofitted to an existing ecosystem. 

With the demise of third-party cookies and the advent of a variety of new solutions, there can be no excuse for ensuring that privacy is engineered into the design of the solutions. 

It explicitly highlights the need to respect the interests, rights, and freedoms of individuals. Developers need to evidence that these considerations have been taken into account.  

Users must be given a real choice

In the first instance, users must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. There must be meaningful control and developers must demonstrate that there is user choice through the data lifecycle. 

Accountability – show your homework

There is an expectation that there will be transparency around how and why personal data is processed and who is responsible for that processing. In the current ecosystem, this is largely impossible to achieve and there is no transparency across the supply chain. 

Articulate the purpose of processing data

Each new solution should describe the purpose of processing personal data and demonstrate how this is fair, lawful, and transparent. Can suppliers assess the necessity and proportionality of this processing? The 2019 report highlighted that the processing appeared excessive relative to the outcomes achieved. How will processors change their ways? 

Addressing risk and reducing harm

As a start, it’s important to articulate the privacy risks, likely through a DPIA, but also explain how those risks will be mitigated. The previous ICO reports indicated their disappointment with the low volume of DPIAs produced by Ad Tech providers. This needed to change. 

To conclude with a useful developer checklist

The ICO provides a checklist of how to apply these principles in practice. You can probably jump to this section if you really want to know what is expected: 

  1. Demonstrate and explain the design choices.
  2. Be fair and transparent about the benefits.
  3. Minimise data collection and further processing.
  4. Protect users and give them meaningful control.
  5. Embed the principle of necessity and proportionality.
  6. Maintain lawfulness, risk assessments, and information rights.
  7. Consider the use of special category data.

The ICO is very clear that the industry must change. There is no appetite to approve solutions that fundamentally adopt the same flawed ways of working. There is also a clear acknowledgment that some solutions are potentially anti-competitive so a partnership with the CMA will continue. You have been warned!

IAB Europe TCF (Transparency and Consent Framework) under fire again

November 2021

The Belgium regulator (APD) is expected to announce that IAB is a data controller with TCF

What does the future hold for third-party cookies? The Belgium DPA has apparently notified IAB Europe that they will find them to be in breach of GDPR. An investigation has been carried out by Belgium DPA which will be shared with other Data Protection regulators across Europe. 

These regulators have 30 days to review the proposed ruling before it is adopted by Belgium DPA or referred to European Data Protection Board. If adopted IAB has six months to change its framework to comply. The IAB has robustly defended its position and says it will be able to comply. The IAB stated:

 “It will also find that those infringements should be capable of being remedied within six months following the issuing of the final ruling, in a process that would involve the APD overseeing the execution of an agreed action plan by IAB Europe,” 

How did this start? 

This started in 2018 with a series of complaints made about the IAB’s Transparency and Consent Framework. In particular, the complainants contended that the use of personal data in the process to place digital advertising, known as Real-Time Bidding, represented a massive worldwide data breach. 

One of the complainants, ICCL (The Irish Council for Civil Liberties) noted:

“these (cookie) popups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click.”

The ICCL has also launched a privacy lawsuit against the IAB in Germany.

The Belgium DPA investigated these complaints and published their initial findings in October 2020. It appears that they are now about to announce formal action against IAB.

What is the problem?

At its heart is the issue of whether the IAB is a legal data controller. IAB has said that Belgium DPA considers them to be a legal data controller for the TC Strings – also know as:

“digital signals created on websites to capture data subjects’ choices about the processing of their personal data for digital advertising, content and measurement” 

 “The APD is understood to consider these signals to be personal data,” 

IAB Europe has vehemently rejected the notion that they are anything but a data processor. They have consistently asserted that the AdTech providers they serve are the data controllers. 

What does this mean?

Potentially, all Real-Time bidding activity using TCF could be stopped. The more likely outcome is that IAB will rectify the problem within the 6-month period allocated to them. Longer-term, though, this is just another nail in the coffin for the use of third-party cookies for targeting digital advertising. 

For any marketing team who are not giving serious consideration to how they’re going to replace the Real-Time Bidding free for all, this is yet another warning that the world is changing. Even if IAB Europe does manage to fend off this particular attack, the future of the Transparency and Consent Framework is under threat. 

The future of third-party cookies

To many, it is obvious third-party cookies have had their day. Google announced that they would not be supported by Google Chrome from around now. Although their launch of the Google Sandbox has been delayed, this is a stay of execution, not a change. As Google controls more than 60% of the browser market, this was a game-changing announcement. 

What should marketers do?

  1. If you haven’t started your programme of first-party data collection, start now. This is data supplied by individuals through the course of a transaction or communication. It could be their address, email telephone number etc. Obviously ensuring you have used an appropriate lawful basis to use that data to create marketing segments is essential and that this activity is mentioned in your privacy notice. 
  2. Investigate how you can start to collect Zero party data. This is a newish term coined by Gartner in 2020. This means data that is collected by inviting individual users to volunteer information through surveys/questionnaires etc. By definition, the lawful basis for using this data will be consent but make sure that the use case is clearly communicated at the point of data capture. 
  3. Seek out contextual advertising solutions. These are programmatic advertising solutions that use context to understand the audience rather than those systems powered by segments built using third-party cookies. Several major media owners have already signed contracts with big providers such as Permutive. 
  4. Also, consider using any promotional solutions which employ Edge computing. Look for advertising solutions that do not suck a user’s data into a central hub but allow that data to stay on the user’s own device.
  5. Investigate the use of second-party data. This is permissioned data owned by one organisation that is sold directly to another for that organisations’ exclusive use. Also, look at data cooperatives, data marketplaces & exchanges and technical data environments – sometimes called clean rooms. These also use permissioned data to build audience insight. The key here is to interrogate the provenance of that data. Can the supplier provide a clear audit trail? 
  6. Consider the use of vertical networks – a blunter object than contextual advertising solutions but an effective way of promoting your services to special interest groups.

Whilst we remain in a state of limbo with third-party cookies, it may seem difficult to decide what to do next. The reality is that we need to assume that cookies will disappear and the sooner other compliant and more ethical targeting methods are used, the better. 

Minimise your data with maximum permissions

March 2021

Deliver successful marketing campaigns without hoarding data

This might seem like a contradiction in terms. How can you minimise the volumes of data you keep whilst also maintaining good levels of marketing permissions?

The answer, of course, is to only keep the data you need. Less is more. I’ll say that again – less is more. However, the challenge for many marketers is to understand which data to discard and which data to keep.

Figuring out which data is needed takes time and effort and draws on some old-fashioned skills we learnt in the pre-internet era to maintain data accuracy and assess what variables/values actually drives a sale.

Before the ubiquitous email, which appears to cost nothing, we used to make some very difficult decisions about who to contact because each contact cost a fortune. Now is the time to re-discover some of those skills and cut down on those emails and digital ads, whilst rebuilding trust with prospects and customers.

1. Data accuracy

Arguably the most boring job for any marketer is to keep their customer and prospect data up to date and accurate.

Questions to consider:

  • How many records hold inaccurate data?
  • Are they worth keeping?
  • How recently did that prospect engage with you?
  • Will they ever engage again?
  • Are the marketing permissions up to date and valid?

Like de-cluttering your house, it’s difficult to throw away data but keeping data for too long can attract large fines and a bad reputation.

2. Effective retention policies

If you understand the patterns of purchase and sale you’ll have a good idea of when people who are customers are no longer engaged and either need to be refreshed or removed.

Asking if people want to be removed from a database after a long period of inactivity is a good idea. Why keep people on a list who don’t want to hear from you?

Questions to ask:

  • Have you reviewed your retention policy and refreshed permissions?
  • Do you have a regular routine in place to identify and update permissions once they reach their retention policy limit?
  • Do you regularly review the responses you generate from the older data sets?
  • Based on your findings, should you adjust the retention policy periods?

3. Reduce the collection of data points

If I provide a phone number when I place an order, what happens to that data?

Unless it’s for a carrier I’ll always provide an inaccurate number. It makes more sense to explain exactly why you need every single data point and provide a “what’s in it for me” reason why this data should be collected. The completion rate will be greater with more accurate information.

Questions to ask:

  • Do have a clear plan for how every single data point is used?
  • Have you communicated that intention clearly?
  • Have you explained clearly the “what’s in it for me”?
  • Which data can be discarded?

4. Special category data

Special category data can be explicitly collected or inferred from the combination of other data sets. This is a particular challenge in Adtech where the quantity of data collected through third party cookies is, frankly, mind blowing.

If you’re able to establish  sexuality from which websites someone uses this, potentially, becomes special category data. Keeping any special category data presents an additional risk and should be carefully considered, whilst consent for marketing needs to be sought under any circumstance. If in doubt get rid of it.

Questions to consider:

  • Do you really need to know anything sensitive about your prospects and customers?
  • What difference will knowing the information make to your ability to sell your products and services?

5. Preference centres

The notion you should give your customers and prospects the choice to manage their preferences in an open and transparent way is at the heart of data protection legislation.

There are technology solutions from a wide variety of providers to create preference centres for cookies, as well as managing marketing preferences for emails, direct mail and so on.

Presenting this information in an easy-to-understand format can feel like a formidable challenge and there’s sometimes the temptation to hide it or just not bother to explain clearly enough.

Not explaining or hiding information is never a great idea, as there is a direct link between openness and transparency and trust.

“Doing the right thing” and building trust is a No 1 priority for many brands and they see it reaps dividends in greater loyalty and repeat purchase.

Not only that but the afore-mentioned technology solutions have relatively inexpensive options for smaller or medium sized businesses. Cost should not be an impediment.

Questions to consider:

  • Are all your marketing and cookie preferences managed centrally?
  • Do you know what all the cookies on your website do?
  • Do you know what happens to the data that is captured by third party Adtech providers?
  • Have you completed a DPIA for Ad Tech activity?
  • Do you have a compliant cookie notice and preference centre with the permissions options applied correctly?

6. Understanding the ROI of your campaigns

Being able to analyse the customer/prospect journey from first point of data capture through to a final sale is the holy grail. An apparently cost-efficient lead at the front end may not translate into high margin sales in the end.

Equally, being able to understand what influences a purchasing decision and what environment is most successful will allow you to filter your marketing effort against fewer key variables.

As the ICO clearly stated in their review of RTB, the sheer volume of data in use by Adtech providers feels disproportionate to the outcome.

Questions to ask:

  • Can you calculate an end-to-end ROI on customer transactions?
  • Do you know which variables will influence purchase more than anything else?
  • Have you done some modelling of your own customer data to create anonymised look alike segments to be used with contextual advertising?

7. How do you move on from third-party cookies?

As we know, Google will stop supporting third party cookies in 2022. This places an immediate pressure on advertisers to focus on their own first party data.

Immediate questions to ask:

  • Do we have any first party data?
  • How else do we add to what we already know?
  • Can we ask our customers to share more data? What interests them, what content do they consume, how do they shop?

If we’re able to create segments from our own data, the opportunity to use that information to create anonymised look-alikes will improve targeting efficiency. We are seeing a proliferation of providers who are using different variables to target customers which does not even involve large quantities of cookie data and this trend is set to grow.

If you understand your data well and create meaningful segments for targeting from first party data, which has been volunteered by customers, marketing teams will be in a strong position to deliver more with less.

 

Data protection team over-stretched? Find out how we can help with our flexible no-nonsense Privacy Manager Service.

What privacy lessons can we learn from Online Dating

March 2021

Here are our top 10 tips…

Recently, I was joined by John Mitchison from DMA and Chris Field from Harte Hanks in Texas to talk about privacy issues in the online dating industry. DPN are now Associate members of the Online Dating Association, the International trade body for dating businesses, and we were delighted to speak to their members on this topic.

The discussion was wide ranging – here are my ten lessons:

1. International data protection laws appear to be converging

We know EU GDPR has set the bar high but we can see that, to an extent, this is being replicated in some states in US, most notably California. It’s also clear with the Biden/Harris presidential team there will be a greater focus on protecting privacy and the possible introduction of a Federal data protection law.

The fact the UK is likely to be granted adequacy is another reason to believe high data protection standards are here to stay.

2. Questions around trust and transparency will increase

Since the introduction of GDPR and the start of the Covid pandemic the wider population has an increased awareness of privacy questions. People know their rights and there’s an increasing awareness of data breaches.

Being open and transparent is a core principle of GDPR and, to build trust, more businesses will treat trust as a core operating principle.

3. Special category data must be handled carefully

A lot of very personal information is shared through an online dating account and some of it will be considered special category data. This is, anything to do with health, sexual orientation, sex life, racial origin and religious beliefs.

The UK’s ICO cautions against using this data unless its use has been carefully risk assessed.  In particular if this data is shared as part of a profile it should not necessarily be used to help build segments for marketing purposes.

4. Distinguish between service messages and marketing messages

It may not be desirable or necessary to use all the data contained in a user profile to create segments for marketing. It would make sense to minimise the use of personal data and identify the key variables which will generate a sale.

The remainder of the data could be used to help deliver the service, but understanding the difference between service and marketing messages is paramount.

5. Right to be Forgotten is not an absolute right

It’s almost never a good idea to completely erase a data subject from your system as, somehow, you need to know not to add them back in again. This means keeping a small snippet of information in a suppression file to ensure they can never sign up for marketing again.

However, with the dating industry, there’s also the need to have safeguards in place to protect other members from stalkers, convicted rapists or other criminals. In this case, producing a DPIA and documenting the reasons for keeping any data is absolutely essential.

6. DSARs (Data Subject Access Requests) are growing

Individuals know their rights and are making more requests whether it’s through a third party or a direct request. In the US, there’s a similar requirement in California. Having the necessary processes in place to ensure these can be responded to within a month is key.

7. Removal of fake profiles is not a privacy matter

Within the terms and conditions of most dating sites will be the absolute right to remove fake profiles. This is not a privacy matter but part of the terms and conditions of use to protect other users.

8. Wean yourselves off use of third-party cookies

Although Firefox and Mozilla have already stopped supporting third party cookies for targeting purposes, Google’s decision to stop supporting them in 2022 is a game changer. Chrome represents over 65% of the browser market and their decision will effectively kill off third-party cookies.

Now is the time to think about alternative ways of targeting. This could be through the development of profiles using data you’ve compliantly collected yourselves, the use of contextual targeting tools or collaborations to share data insights. The world will change and the race is on to change ways of targeting.

9. Social media marketing is under scrutiny

What do you need to create look alike audiences on Facebook or Instagram? Can you create anonymised segments which can be uploaded for targeting? Do you need to upload emails to create segments and if you do, have you gained the necessary consent from your customers/prospects? Uploading emails is a high risk activity without consent.

10. Data breaches are endemic

In UK, 88% of companies were affected by a breach in last 12 months whilst in US the number is 49%.  The most recent ICO quarterly breach review indicated 72% of breaches were non-cyber security related.

In a nutshell, most problems are down to user error whether it’s not updating user access, not changing passwords, insecure data sharing. The list of possible infringements due to error are endless. For any organisation handling such huge volumes of personally sensitive data, the challenge is substantial.

We may have been talking about dating but these top 10 tips can apply to any digital business.

 

Data protection team over-stretched? Find out how we can support you with our Privacy Manager Service.

Marketers: Will You Need to do a DPIA for that?

February 2020

Why Marketers need to understand Data Protection Impact Assessments

The ICO published its draft Direct Marketing Code of Practice on 8 January 2020.

One of the key topics which emerged from DPN’s analysis of the draft Code is the ICO’s clarification of the types of marketing / profiling activities where organisations should be carrying out a Data Protection Impact Assessment (DPIA).

In simple terms, a DPIA is a process that helps companies to identify, assess and mitigate privacy risks right from the start of a project.

An organisation must be able to demonstrate accountability and privacy by design principles by showing they have taken the appropriate measures to safeguard the ‘rights and freedoms’ of individuals.

When should a DPIA be conducted?

The ICO states, in their draft Code, that any ‘direct marketing’ activity which involves the processing of personal data that is likely to result in ‘high risk’ to the individual requires a DPIA before you start processing.

The following examples are given:

  • when conducting ‘large scale’ profiling of individuals for marketing purposes
  • matching datasets for marketing purposes
  • processing may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
  • using geo-location data for marketing purposes
  • tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes.
  • targeting children or other vulnerable individuals for marketing purposes

That certainly sounds like a lot of situations, doesn’t it?

We anticipate a lot of marketers who have never conducted DPIA before will have to learn fast.

The ICO suggests it’s likely that ALL marketers will need to carry out a DPIA at some point. The Regulator says this will bring financial and reputation benefits – and crucially, will help to build trust with individuals.

The draft code includes a ‘good practice recommendation’:

“Even if there is no specific indication of likely high risk in your direct marketing activity, it is good practice to do a DPIA for any major new project involving the use of personal data.”

So what do you need to do?

When carrying out a DPIA for marketing, organisations must be able to:

  • describe the nature, scope, context and purposes of what you are planning to do
  • assess its necessity, proportionality and any compliance measures in place
  • identify and assess risks to individuals
  • identify any additional measures which may be appropriate to mitigate any risks

As with any ‘new’ process, it will take time, patience and practice to embed into the culture and develop expertise within your teams. Over time, marketing teams will get more and more adept at carrying out DPIAs.

Smart marketers see the DPIA process as a way to demonstrate they’ve truly focused on their customer or prospect – from the planning phase all the way through to implementation.

It helps to recognise and tackle any privacy issues early on and helps to prevent any undesirable consequences.