As consumers continue to expand their technological literacy thanks to what seems like constant innovation — smart phones and their associated app technologies, the burgeoning Internet of Things (IoT), and more — they seem to have two options to maintain their privacy while taking advantage of these advances: become voracious readers of “terms and conditions” or remain ignorant to those sometimes lengthy documents and hope that the companies they do business with are doing their best to serve their privacy needs and protect their data.
As a consumer, neither option feels all that enticing, which means that marketers’ jobs become that much more difficult. Industry associations, private attorneys, and state and federal regulators seem to be in constant flux regarding how consumer privacy and data security are best respected and protected.
At the same time, marketers have become enthralled by the expanding scope of data available to use in their efforts — perhaps too enthralled.
“Big data availability introduces a key managerial challenge: data is exceptionally distracting to marketing departments,” says Doug Garnett, founder and CEO of Portland, Ore.-based Atomic Direct. “I’ve seen teams lose their power chasing ghosts in the data — ghosts without profit potential. Quite often, they get lost in the fascinating microscopic details that are unimportant to your business needs … we must remember the vast expanses of business truth that will never show in the data.”
Read on to find out what Garnett and other members of the Response Advisory Board have to say about the power of big data, the challenge of data security, and the privacy that consumers desire even more than the technologies they enjoy.
In January, the FTC held its annual PrivacyCon event, which touched on many of the key issues in consumer privacy and data security. What do you believe some of the greatest risks are facing marketers in these areas?
Tony Besasie, Cannella Media: The greatest challenge direct marketers will have is safeguarding data from hackers. With more personally identifiable information (PII) comes more responsibility and higher liability. In 2013, 40 million credit card numbers were stolen from the Target Corp. database, a company that invests millions of dollars annually in information technology (IT) security. That resulted in more than 90 lawsuits, $61 million in disaster recovery, $10 million in claim settlements, damaged brand equity — and the CEO was sacked. Like any criminal, hackers prey on the vulnerable and unprotected. This poses risks and costs for small and mid-market marketers.
Peter Feinstein, Higher Power Media: As marketers, the greatest risks are facing our own profit motives and ever-present human greed. These two motivations are tightly related and can, if not vigilantly disarmed, forever sabotage our relationships with our clients and partners in the media. Our industry is based on mutual trust; if we violate that trust just to make a buck, we endanger our industry’s reputation, put our companies at risk, and make consumers susceptible to the myriad dangers associated with securing data and maintaining their rights to privacy. We have to live above the battle and coach our clients to use data wisely, instead of purely for monetary gain. Otherwise, what should be a win-win-win situation will deteriorate into a win-lose proposition.
Doug Garnett, Atomic Direct: The serious risk is that we can’t control the risks. Generally, in business, risks are quantifiable and plans can be made to control them. But in this case, it’s not a question of whether you’ll have a problem, but when — and how big.
It’s more complicated in that there is a wide range of liabilities for a data or privacy breach. In many cases, it’s reasonable and manageable. However, there’s always a potential for the risk to be far bigger than your company can manage.
Perhaps it’s like living with earthquakes in California. An earthquake will happen. And we can plan reasonably for those of certain destructiveness. But there’s always the risk of the “Big One” — the one we can’t plan for effectively.
And this leads to one of the hardest risks in privacy: it is impossible to achieve perfect privacy controls. So two keys for any company’s success are: finding that place with the most protection but at a cost that is achievable; and having a reasonable plan in the event of breach.
Peter Koeppel, Koeppel Direct: Data breaches, identity theft, and a reduction in consumer confidence.
Kevin Lyons, Opportunity Media: When consumer personal data is breached, the consequences for a marketer can be markedly sharp — not only in image but also in revenue. Recent examples — such as Target, Home Depot, Yahoo, and MAPCO — demonstrate the vulnerability of marketers. The exact cost of those occurrences will be felt longer term, but lawsuits resulting from those incidents, some to the tune of as much as $1.9 million, have been documented.
Richard Stacey, Northern Response Intl. Ltd.: Collecting, managing, and utilizing consumer data come with special responsibilities for the marketer. The greatest risk to marketers is compliance risk. Marketers need to familiarize themselves with all the laws and regulations in this area, consult with regulatory authorities and attorneys, establish formal policies and procedures (including policies to take reasonable precautions to obtain proper permissions for collection and use of consumer data), and protect and secure all such data internally and externally.
We are also in a zone where the victim of a computer crime can sometimes be the one that gets punished. If, for example, a marketer gets hacked, it can be the marketer that will be charged — not the hackers. We are also in an area where the punishments for recklessness or intentional mishandling of consumer data can be severe — and are increasing.
As technology has made lives easier for consumers, it’s also opened their eyes to securing data about themselves. How can marketers best utilize this growing trove of data to better target consumers while also staying on the right side of expanding consumer privacy laws?
Fern Lee, THOR Associates: Marketers can best use the data on cross-device retargeting. Although privacy has become an issue, the opportunity to capture the consumer journey — specifically and strategically — has arrived. The key is defining what the “right side of expanding consumer privacy laws” actually means. It goes without saying that cross-device usage is a hacker’s dream come true. Consumers are ignorant about the opportunities made available for identify theft and malware.
What is interesting is that the FTC has asked that “sensitive” data (financial, health, children’s information) be given greater protection. Taken into the context of lead-generation marketing, the 800-pound gorilla that begs for attention is in the execution of retargeting and contacting consumers that “ask” for follow up.
Privacy can be protected only so much. In a court of law, when an attorney is prosecuting a witness and “opens the door” for a topic discussion, the other side has the right to address the topic discussed. Why would shared data be any different? If a consumer visits a site, asks for information, or leaves a trail of interest, is there an argument that they have opened the door?
Data is only as good as it is relevant and is best served to provide learnings for call-to-action and segmentation-specific pivoting.
Besasie: U.S. laws will evolve and the first actions will likely be government-imposed warnings and disclaimers. If you want a glimpse of what’s to come, just visit a website in the U.K. — you will be presented with an opt-in cookie disclaimer. That type of intervention will likely appear on every device upon the start-up and initiation phase, and more people may opt out — although government warnings haven’t been great deterrents in other business verticals before. So staying on the right side of the law shouldn’t be too difficult.
The bigger issue will be when a marketer desires to activate all of the data that is captured from these different and disparate sources. Each device will likely capture data differently. Take age for example: some devices may have a field for users to enter their age, others may capture a user’s age range, while others may capture a user’s date of birth — and even more may have no means to capture the data or may not be willing to share it citing privacy reasons. Migrating all of those data fields requires good practice and a good data management platform (DMP). Agreeing to the standards of data is going to be an increasing challenge.
Feinstein: I question the premise of the question. Based on the research I read, nearly every week consumers in many demographic groups have little to no understanding of the risks their use of IoT devices pose to their personal privacy; they engage in apps and devices using Wi-Fi connections possessing weak or non-existent passwords. They don’t bother to secure their critical personal data, engaging in social media behavior that is far riskier than unprotected sex ever was.
I think because we in the DR world read about these problems every day, we’re far more sensitive to it, and perhaps take greater precautions with our privacy than the average consumer. That said, we as marketers have to be good stewards of business, which by its definition means we have to be working to enhance our clients’ ROI. The accumulation of data does not necessarily guarantee any client’s marketing success. TV offers us a fine example. Easily the most powerful medium made by man, the application of massive data for hyper-targeting in TV may seem like genius, but what if it negates the intrinsic strength of TV: its ability to literally make a market out of nothing but sheer reach? We have to be mindful of the consequences of applying data (big or otherwise) to our marketing activities … both from a consumer privacy perspective and a client ROI point of view.
Garnett: A good friend of mine observed that the core problem with big data is that the mass of data that holds no meaning very quickly overwhelms those tiny areas of data that hold important meaning. We are facing this problem today — especially with the range of data being collected.
It’s important to remember, too, that this data has a highly significant weakness: it records only behavior. The risk with behavioral data is that while it says “what” someone did, it holds no evidence of “why” they did it. Without the “why,” it leads to mis-spent marketing money.
For example, a company I know sells accounting software. They identified web behavior they thought indicated people who were evaluating the software for purchase. Except, the behavior was occurring because people who were out of work were trying to learn their software to get a job. In other words, the behavioral assumption found people who were the worst prospects — not the best.
This isn’t a problem if all we’re doing is direct selling. However, it’s a huge problem if we are driving sales through all channels, including retail.
Koeppel: Transparency is the key; that is, the consumer understanding exactly how their information is going to be used versus having those details buried in some fine print that nobody understands. Consumers will trade some measure of privacy for relevancy as long as it does not feel overtly Orwellian to them. But the balance of trust is clearly a fragile line. Just look at the controversies Facebook has gotten embroiled in when it’s materially changed its use of data policies in a way that makes people feel threatened or violated. That’s why consistency and clarity are so crucial.
Industry standards that spell out a code of conduct that is easy to comprehend are one way that this sort of balance and understanding between consumer and marketer could be arrived at.
Stacey: The age of big data is a new opportunity for marketers to reach their target audiences more efficiently and effectively. There are many ways to use this myriad of data depending on the objectives of the marketer. In addition to better audience targeting, the increasing availability of data allows marketers to test faster and more cost effectively — and then scale faster and more cost efficiently. In short, big data allows for better targeting, testing, and scaling of marketing campaigns.
How can marketers best align their product development, IT, and marketing teams to maximize both the effectiveness of marketing messages and the security of customer data?
Besasie: There are plenty of articles that say that a company’s chief marketing officer (CMO) and its chief information officer (CIO)/chief technology officer (CTO) should be best of friends. I agree with this assertion. Collaboration needs to start at the top.
Garnett: Most important, realize that this behavioral data is only a small part of what you need to know. Traditional market research and other data is of equal — perhaps greater — impact in the choices you make. By avoiding the error of becoming too dependent on the behavioral data where privacy risk is largest, you will inherently minimize your exposure.
Koeppel: There are three ways that come to mind. The first — and it may sound elementary — is to give the people what they want. We have more information about consumer behavior than at any other time and that behavior should act as a kind of compass to help guide us. The second thing is to align offerings with the behaviors and values that consumers are already exhibiting. After all, marketers now have to meet the consumer at a time and place of the consumer’s choosing. The third thing is to respect the rule of law, and that begins by having a clear understanding of it. Today’s marketing landscape is ever changing — there are platforms and things we don’t even know about today that will exist in a few years — therefore consumer behaviors and the laws surrounding them are going to have to respond to those changes.
Lee: The key is to provide disclosures that are FTC “truthful” and to avail the consumer to the tracking roadmap that is associated with a campaign. Effective marketing messages need consistency and repeatable touch points for the consumer to engage. Loyalty follows with a positive product experience. The other side of this coin is for brands to imbed technology for ease in opting out as well as making sure that the path to purchase is not confusing.
Lyons: Three important elements to consider here are consent, anonymity, and incentive. If the data marketers are collecting is consensual and anonymous, privacy laws are obeyed. However, by incentivizing the collection of said data, the volume of the data collection can increase, enhancing the overall value and effectiveness.
Stacey: Each marketer will have to structure its business in a way that makes the most sense for the type of business it is running and what it is trying to accomplish. Many firms are moving to a team-based organization from functional silos, as product development, marketing, sales, and IT now have to work more closely together. The other important change involves the consumer using data as a tool for dialog. For example, today we routinely develop and improve products and their delivery by reading Amazon customer reviews. That’s something we weren’t doing five years ago.
Consumer consent mechanisms can help ease the strain on marketers in trying to walk the proper privacy line. What consumer consent mechanisms have you seen that have been most effective, and why?
Besasie: While opt-outs are the less intrusive approach, opt-in mechanisms are always best from a compliance perspective. The best method of obtaining opt-in is to create value for the customer.
Feinstein: Without naming names, the best consumer consent mechanism I’ve seen comes from a wearable device company. It’s grown from a one-product wonder to six different devices, with a seventh readying for launch. The company’s approach to consumer consent is to be in-your-face when you install its app, and it offers periodic reminders, and options to opt-in or out, based on certain milestones of activity, distance, sleep, or even your device’s battery level. Instead of being product-centric, the company is consumer-centric. Instead of operating from fear, it brings privacy and data out of the shadows and puts it front and center, where it gives users clarity and ease of choice.
Koeppel: Making it easy for consumers to understand what the quid pro quo is between consent and whatever benefit they will receive is vital. In the texting realm, companies such as Regal Cinemas make it easy for audience goers to opt in and then they provide a series of benefits (e.g., free popcorn, discounted movie tickets, etc.) to make the bargain between marketer and audience worth their consumer’s willingness to participate.
Lee: It’s not only about consent. The privacy issue will be questioned because of tracking and shared information. It is the responsibility of the marketer to create policies of best practices and to adhere to the FTC barometer. That being said, with the changes in our political climate, there may be more leeway and less regulation with this new administration.
Lyons: Nielsen has an app you can download to your phone, where you consent to its data collection, providing the user with an incentive of up to $50 per year to do so. That is a good example of an effective consent and collection mechanism.
Stacey: The most effective consumer consent mechanisms will depend on the type of product or service you’re selling and the kind of data you are collecting. The best place to start is to look around your industry or related offers and use them as a guide and then you can innovate from there, provided you stay within the boundaries of the applicable regulatory and legal framework.
With security breaches and hacking making more headlines, what are the most effective data security measures that marketers and their agencies/vendors are using to ensure the safety of customer data?
Besasie: Hire a good CIO that keeps updated on the latest security measures and attends the right conferences.
Koeppel: With high-profile hacks — from Target to the Democratic National Committee — making big news, it’s obvious that no individual or institution is invulnerable to this sort of sabotage. Given how this sort of problem is escalating, it’s clear that security is a moving target and — with apologies to Mr. Popeil — there is no “set it and forget it.” As some data security experts advise, it’s “lather, rinse, and repeat.” With every new phishing expedition there will have to be fresh counter measures.
Lee: Before answering that question, I have to say the bigger issue is the truthfulness of what is being presented as news online. Aside from security breaches and hacking, as a marketer it is alarming how gullible and impressionable the consumer has become. It’s just as important to educate the consumer on what is “true” and how to fact check information, as it is to install measures to combat consumer data hacking and breaches.
The key is not only for the marketer to ensure customer data safety but also consumers should update passwords, keep software up to date, and make sure Wi-Fi networks are protected. Where banks and financial institutions have addressed this issue and adhered to protection of consumer data, retail establishments, hospitals, and e-commerce sites need to step up their game.
Lyons: There is no silver bullet solution here, in terms of 100-percent protection against data breaches, as the tools hackers use evolve quickly. However, essential tools that marketers and their agencies must use to fight against this risk include sound IT infrastructure (firewalls, etc.), continuous monitoring, and employee education on security measures.
Stacey: The best data protection methods will be specific to the type of data you are collecting and the collection methods you’re using. Generally if you can batch data and transfer it from external collection to internal storage on separate systems then this helps limit any live or open connection with access to the data. If you’re always live and in real time, then it gets more complicated and more costly to properly safeguard the data.
There’s always a trade off between the level of security you reasonably require, the risk of being compromised, the value of the data, the consequences if you were to be violated, and the cost of the required security system. The best guideline is to take reasonable care and precaution given the sensitivity of the data, the consequences of its disclosure, and the risk of exposure probability.