Welcome To the Era of “Beg Data”
- March 28, 2018
- Posted by: Tim Walters, Ph.D.
- Categories: Business Transformation, Content Strategy, Customer Experience, Featured
Not a typo: The GDPR and growing consumer resistance will put a permission gate in front of personal data.
The open bar has closed. The all-you-can-eat-buffet in now a Jell-O counter. Super-size colas have finally been banned.
Pick your favorite analogy. The fact is that for about the last decade, under the banners of personalization, targeting, relevance, and customer-centricity, marketers and customer experience professionals have been encouraged — and in most cases allowed — to grab personal data wherever they could find it, do with it as they pleased, and freely sell it on to the next party that might care to extract an ounce of value.
They’ve typically done so without the knowledge — let alone the consent — of the consumers identified by that data. That is, unless you honestly believe that “consent” consists of agreeing to terms and conditions that are purposefully obscure, unreadable by design (PayPal’s T&Cs are – or at least were – longer than Shakespeare’s Hamlet), and justifiably ignored by consumers.
True story: When a well-known enterprise software vendor introduced their latest data and profile-driven CX solution in early 2016, I asked if they were concerned about the restrictions on personal data collection and use under the pending GDPR. Response: “We’re not worried about that. There’s always some way to get the data.”
You can’t argue with that! This week alone, Facebook and Cambridge Analytica have made it very clear that there’s always some way to get at personal data. But going forward, if you want to get the data legally, you’re probably going to have to get permission.
A permission gate in front of personal data
Right at the beginning of the GDPR, we find this sentence: “Natural persons should have control of their own personal data.” That’s ten words that can be reduced to eight, since “natural persons” are just people and “their own personal data” is redundant – so, “People should have control of their personal data.” In my opinion, it’s tempting to say that this is the one thing the GDPR wants to bring about. The remaining 250-odd pages of the regulation exist in order to turn that “should” into a “shall be,” and to have businesses assist in ensuring that “People shall be in control of their personal data.”
It’s no surprise then that the two legal grounds for data processing that are most likely to be used by marketers and CX professionals – consent and legitimate interest – both contain a prominent and utterly unavoidable “permission gate.”
(Note that since I’m focusing on commercial relationships, I use consumer where the GDPR typically speaks of data subjects.)
In the case of consent, the permission gate is rather apparent. Consent must be “freely given, specific, informed, and unambiguous.” Let’s break that down:
“Freely given” – Consent for processing personal data cannot be a requirement for using a site, app, or service, unless the data is strictly necessary for it to function.
“Specific” – Companies have to inform consumers of each purpose for which they aim to use their data, and enable them to provide or withhold consent for each separately. (This is going to be very interesting in the case of, say, Facebook, which probably uses your personal data for dozens if not hundreds of purposes.)
“Informed” – No more burying consent requests and privacy notifications in novel-length T&Cs written in legalese. They must be “presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
“Unambiguous” – Consent must be indicated by a “clear affirmative action.” “Silence, pre-ticked boxes, or inactivity” may not indicate consent.
And if you think that legitimate interest is an end run around the consumer, think again. After clearing the “balance test” – no mean feat, as I discussed in my last article – you still have to give the consumer an opportunity to object to the processing of their data. (The GDPR does not use the term opt-out, but that’s what it amounts to.) And the text in which you explain your legitimate interest and the data you intend to process must be as specific, clearly distinguishable, intelligible, and clear as it is in the consent request.
In short, consent requires that the consumer actively grants permission; legitimate interest depends on the consumer passively not exercising their right to withhold permission. Either way, personal data processing under the GDPR means that you to ask – clearly and transparently – before you grab.
Consumers are “consent poor”
The obvious question is, what’s likely to happen when you ask for consent? Will 80% grant it or 8%? To get an initial indication, PageFair created a very simple mock-up consent form and ran a survey.
Nearly eight of ten respondents said they would decline consent. Similarly, when presented with a mock-up consent form for tracking cookies, 75% said they would reject all tracking cookies or accept them only when strictly necessary. And only 5% said they would accept all cookies – which is the status quo that the digital marketing ecosystem depends upon today.
Note that PageFair didn’t survey the general public but rather some “300+ publishers, adtech, brands, and various others.” That’s a population that you might think would be more willing to grant consent than a typical ill-informed and anxious consumer. In fact, a 2015 study of consumer behavior under the existing data protection rules found that “70% of over-55s, 51% of those aged 35-54 and 27% of consumers aged 18-34 give consent less than 20% of the time.”
Don’t count on passivity
Under normal circumstances, you’d expect the passive option under legitimate interest to deliver a greater number of positive responses. But, we don’t exist under normal circumstances. Try to imagine the reaction today to an email that reads: “Hi Roger – I wanted to let you know that we at BRAND X intend to exercise our legitimate interest to get to know your product preferences by collecting and processing the following pieces of your personal data.” I doubt the answer will be “Sure! Please, take it all! Give me a shout if you want some more!”
Even before the Facebook crises pulled the shady practices of data brokering and psychographic profiling into the harsh light of day, it was quite clear that consumers’ mood about “data sharing” (to put it generously) is shifting quickly and radically. For example:
· In a 2017 survey of adults in the US and the UK, 68% said don’t trust how brands use their personal information.
· When asked to name the number one reason they would abandon a provider, 80% in SAP’s global survey said, “If they use my data without me knowing.”
· Accenture’s latest global consumer pulse survey has revealed a “vicious circle” in which consumers demand personalized experiences but are increasingly reluctant to part with the personal data needed to create and sustain them. (Analyzed in my recent article on The Content Advisory.)
And kiss your third-party data goodbye
The GDPR and consumer resistance is likely to meaningfully if not significantly reduce the amount of first-party personal data to which marketers have access. And it’s hard to see how the combination will not utterly devastate the market for third-party data. This is due first to the profound implausibility that anyone will consent to have their personal data aggregated and sold by a data broker to unknown clients and uses around the world.
More critically, under the GDPR, firms must ensure that any personal data they use is compliant regardless of its source – meaning that a company and its data suppliers are jointly liable for any violations. Organizations will have to not only change the contract terms but also get much more detailed, intimate, and careful (not to mention suspicious, or even paranoid) when it comes to vetting and confirming that any and all third-party data has been collected in a compliant manner.
My prediction is that the small amount of third-party data that remains under the GDPR is either going to be too toxic to touch (that is, of unreliable provenance, with unproven or unprovable consent) or it is going to be much more expensive, because it has been so carefully collected and curated.
Marketing for permissions
The era of beg data is legally mandated under the GDPR and probably inevitable everywhere else. The data predators that cannot adapt – because their business model depends on unconstrained, gluttonous access to personal data – will go the way of every creature that fails to adjust to a new environment. For the rest, beg data means that marketing’s primary challenge and responsibility becomes securing access to personal data by understanding consumers, crafting an attractive value proposition, and ensuring that the value is delivered, thus building trust and increasing the chances of getting more and richer data. This marketing for permissions can turn the vicious circle into a virtuous cycle, nurture trust-based relationships, and secure the competitive advantage for those who get it right, first.