GDPR and data marketing
As a GDPR-friendly data marketing technology we’d like to share our insights about new challenges data marketers now face. EU General Data Protection Regulation or GDPR has became enforceable starting May 25, 2018. It’s already not a hot topic in media however it doesn’t mean that everybody became GDPR-compliant.
GDPR is a broad and complex topic so we won’t cover everything. As a customer demographics prediction platform, we are going to focus on businesses that use consumer data in their marketing. If you’d like to take a broader view on GDPR and review compliance checklist in general, here is a couple of really useful articles:
- One Week After the GDPR: How Businesses Are Responding. It sums up what GDPR is and its consequences for businesses.
- What Web and Business Experts Say About Implications of GDPR Regulation. It provides a GDPR-compliance checklist and expert opinions including ours.
Key takeaways
- Even if you don’t work in EU but have at least some EU residents in your lists, GDPR affects you
- If you are a data broker or other agency working with third-party lists containing EU records, you have problems with GDPR
- If you’re a business using data brokers and working with lists containing EU residents, you are going to stop doing this to become GDPR-compliant
So it became a problem to enrich your lists with additional consumer data which is so vital for data marketing in the data-driven world we live in.
And it’s a serious issue because 91% of US marketers use data segmentation while 94% say that consumer data is important or critically important to their marketing.
What is forbidden in data marketing now
Below are more details of what data and what companies collecting it are barred under GDPR.
Non opt-in third-party private data
Non opt-in third-party private data is the backbone of today’s data marketing. It is used for segmenting audiences, improving ad targeting and in many other marketing use cases.
It’s called third-party because entity that operates and processes this data hasn’t received it from consumer directly (as first-party). Instead it purchased or otherwise obtained this data from other sources. Examples of those who use third-party data include data brokers and even tech giants. For example, Facebook has been using data brokers to get additional data about Facebook users to improve its ad targeting.
It’s called non opt-in because no consumer gave clear and explicit consent to use their private data in third-party lists for reselling and marketing purposes.
Under GDPR it is explicitly forbidden to use non opt-in private data. Consumers should give explicit consent on using their data in marketing efforts.
Data brokers
Data brokers or data append services are companies that sell non-opt-in third-party private data. They have databases containing records of consumers with sensitive information. Other companies use data brokers in their data marketing efforts to enrich their lists of customers or prospects.
In order to enrich lists company is required to provide data broker with customers’ personally identifiable information so broker can match the record in their databases with records in uploaded lists and provide additional data in return.
Example. If company A wants income level and gender of its customer it should provide data broker B with address, phone, email or other personally identifiable information of this customer in order for B to obtain record of this customer in their database.
As you may see private data is shared two ways in this case. It means both data broker and company working with it violate GDPR’s provisions. Because they both don’t receive explicit consent from consumer.
In case of data broker such consent is hardly possible at all since they work with third-party data which source is often even unknown.
So under GDPR it is explicitly forbidden to use third-party private data without receiving clear and explicit consent from consumers.
GDPR has good intentions
Though we believe that government over regulation is hardly ever a good thing, GDPR is intended for a common good. The privacy aspect of data brokers is well known and controversial. But there is also an information security aspect. Data brokers industry is a huge contributor to data leaks and data breaches. And this is a serious aggravating issue.
For example, largest data breach in history happened in 2003 when more than 1.6 billion consumer records were stolen during the transmission of data to and from clients of Acxiom, industry leader in data brokerage. Facebook / Cambridge Analytica case that recently caused media outrage is nothing compared to this.
The problem is that data brokers work on the principle of uncontrolled and unregulated share of sensitive information. They operate databases of tens and hundreds of millions consumers containing their private sensitive information. And they also encourage other parties to share sensitive information with them jeopardizing its security.
But this article is not about the harm caused by data brokers.
So where to collect consumer data now
Such regulatory restrictions put at risk data marketing for companies working with data brokers. What alternatives do they have?
Traditional options
Traditional solutions to obtaining consumer data include:
- Manually collect data about your customers from public sources. Slow, inefficient and may be a subject to GDPR-compliance as well.
- Running customer surveys to collect more information about them. Better but it has low response rate. Customers are reluctant to participate in surveys with just around 2% of consumers completing questionnaires.
- Use data brokers in GDPR-compliant way. Though data brokers are controversial, have questionable accuracy and provide data only for up-to 30% of list on average, they still remain the best traditional option for obtaining consumer data. But how to use them without violating GDPR? The only practical way is to completely remove EU residents from your lists while using data brokers. If it’s possible. However GDPR is just one of the data regulations. For example, California already started rolling out its own data regulation and probably more regulations to come since privacy landscape is rapidly changing. So it’s better to be prepared even if you can completely exclude EU consumers from your lists.
Technology as alternative
An alternative to data brokers is machine learning consumer data prediction technologies that don’t operate private data in the loop. The trick to be compliant with GDPR is to not use non opt-in personally identifiable information at all. That’s called privacy be design.
Privacy by design is not about data protection but designing so data doesn’t need protection.
Example of such technology is Demografy. We provide demographic data with full coverage without requiring sensitive information to be shared at all. We use only names with last names that can be even partially masked which makes us GDPR-friendly. A drawback of such noninvasive technology is the lack of more in-depth behavioral consumer profiles that include data like shopping history, voting history or lifestyle. Because such specific data can be obtained only by identifying or tracking each individual consumer. We do not do this.
On the other hand even non-GDPR compliant data brokers cannot provide this data with measurable accuracy and high coverage. Their accuracy for behavioral data is very questionable and data is normally outdated while coverage is low since not all consumer profiles in their databases have behavioral data. Besides that key demographics is still highly useful and required for any marketing segmentation, even behavioral one.
Changing privacy landscape and future of the industry
Data privacy landscape is changing rapidly and businesses should be prepared to adjust their marketing strategy appropriately. While we weren’t shocked much by 1.6 billion consumer records stolen via Acxiom in 2003, we’re outraged by Facebook / Cambridge Analytica data leak of 50+ million records in 2018.
GDPR implementation already started redefining the industry. Barring data brokers as the only at least partially workable data marketing solution, GDPR paves the way for new technologies like Demografy. GDPR is not only about regulation. It’s about technology shift in processing personal data that will affect the whole industry.
This creates unique opportunities and demand for companies that are developing ML-based GDPR-friendly technologies. New technology providers is one of the most underreported categories of businesses. They are going to enjoy GDPR that will allow them into the data markets. And they will design the future of data marketing. So we can anticipate the raise of new GDPR-compliant technologies for data marketing in mid and long term. This, in turn, will fundamentally impact how businesses work with data. So it’s better to be prepared in advance.
Follow us in social networks to get updates:
