In 2018, data privacy has continued to grow in importance and isn’t something that can be ignored.
Data privacy concerns the ability of an organization or individual to control what data, including customer data, can be shared with third parties. In the privacy world, the monetary risks go beyond dampened conversion rates. The EU can fine corporations up to 4 percent of their revenue for breaches of privacy.
That means, in financial terms, if a brand earns $1 billion in revenue, that’s a $40 million penalty per violation, with possible separate penalties for each country, which could multiply the fine 19 times over for each country in the EU. Having a strong data privacy approach is a necessity.
The evolution of data privacy
The issue began to gain steam in 2011 when the European Economic Community (EEC) adopted the E-Privacy Directive (Directive 2009/136/EC), Article 5(3). This directive recommended that EU countries protect site visitor privacy as they browse websites in three key areas:
- Disclosure of data tracking to site visitors, and how the site owner intends to use the data.
- Consent of the visitor to allow the data tracking to occur.
- Enforcement processes to ensure visitor consent to data tracking.
Following the EEC’s lead, 43 countries around the globe, including most of the countries in Europe, enacted legislation based on the E-Privacy Directive.
Since then, GDPR has come into force. The General Data Protection Regulation (GDPR), which was approved by the EU Parliament on April 14, 2016, went into effect on May 25, 2018.
Marketers and IT organizations at large multi-national companies now need to ensure that they comply with international privacy regulations, as well as satisfy local laws.
They need to understand and implement programs that address disclosure, consent, and enforcement, and be aware of solutions that enable them to scale across different countries.
Businesses are using people's data
As digital marketing has become more sophisticated and intrusive, the importance of data privacy has grown. Today’s digital marketer has access to a variety of tracking and marketing technologies to track the digital visitor’s footprint for purposes such as personalization, re-targeting, and ad networks.
While these marketing technologies are becoming more sophisticated by the day to counter the challenges meted out by cross-device and cross-channel marketing, the method of tracking and collecting visitor information remains the same – the ubiquitous tracking cookie delivered to web pages or browsers through tags.
Change in consumer awareness driving a change in data privacy
As marketers have developed their online tactics, consumer awareness has grown. Consumers are now generally more aware of marketing data collection and the resulting retargeting, as increasingly popular display ads and emails follow their recent online behaviors.
Who hasn’t experienced searching for a product and then seeing display banners relating to that product for the next several days or weeks? These tactics have made consumers more aware of what is being collected and who is watching them online.
As customers become even more addressable across channels and devices, they will become increasingly ripe for targeting. Many marketers want to take a proactive approach to data privacy. They want to avoid potential legislation responding to consumer complaints about aggressive remarketing practices.
Privacy is an opportunity to reinforce data quality
A strong privacy solution also brings benefits to conversion rates and marketing performance.
If we think about when consumers are most likely to lie about their data or use a junk e-mail address, it’s when they think the proposed value exchange is not worth the potential spam. Conversely, correct details are given to the companies that are genuinely interesting.
In this instance, privacy is about respecting the consumer and by extension getting more accurate data – creating a win-win situation for all parties. If we understand and respect the value exchanges that surround a consumer’s willingness to share data, then we are naturally confronted with a choice between more data or better data. As far as I know, marketers are no longer measured by the number of visits to a brand’s digital properties, so the latter should always win out.
Role of vendor management & data inventory in improving privacy
In order to meet the legal requirements and improve data quality, strong vendor management and data inventory are crucial. The International Association of Privacy Professionals (IAPP) released a survey conducted alongside Bloomberg Law called “Assessing and Mitigating Privacy Risks.” It revealed that privacy professionals are looking for vendor management and data inventory to meet the growing need for data privacy.
So what does this mean? It means knowing which data points are being collected, in line with what purpose and consent mechanisms, and through which tools the data is passing. For companies that see their growth being based on increased data use, this is crucial.
Enterprise tag management
Enterprise businesses need to adapt to the change in digital marketing tactics and growing consumer awareness. An enterprise privacy solution needs to integrate with enterprise tag management. You need to know what data is being collected and what tools it is passing through.
Some vendors require a company to remove all tags from web pages and then enable or disable them in a separate tool as part of implementing a privacy solution.
Ensighten makes it possible to leave tags in place or transfer them out, whatever works best in different scenarios.
Meeting DNT, UK cookie law & ePrivacy regulations
Selecting the right enterprise tag management solution is crucial to your business’s success. In an increasingly global world, digital marketers need a complete solution that provides built-in support for DNT and the UK Cookie Law in addition to all ePrivacy regulations, with continuous monitoring and alerting of new tags, unusual tag behavior, and non-compliance.
Our solution provides a fully customizable dialogue box for visitor consent along with complete visibility into data collection by all 3rd, 4th, and even 5th party tags.
Article 5(3) of the ePrivacy Directive, Directive 2008/58/EC, is the directive’s provision that requires a website to gain consent from visitors to track them.
For example, the UK has its version of the ePrivacy Directive called the UK Cookie Law. Similarly, the Do Not Track (DNT) feature is an opt-out feature for web-tracking that a visitor can make use of.
If a visitor opts out of web-tracking, a website should respect the visitor’s privacy by not leaving any tracking cookies on the visitor’s browser. While DNT is stringent in some countries (notably France), it’s enacted mostly through self-regulation in the US.
The important question is: how do you get complete visibility and control of all tags that collect visitor data while simultaneously ensuring full compliance with US and international privacy laws?
US vs EMEA data privacy
I’ve spent the last couple of years trying to grasp the divide between the U.S. and Europe. There are a multitude of differences, starting with the structure of the law: common law vs. continental or civil law, and Right to Privacy legislation in Europe, which doesn’t exist in U.S. legislation.
The U.S. has also spent quite some time talking up the idea that privacy is about having something to hide. Independent of whether we have something to hide or not, privacy legislation in the U.S. is often state level (each U.S. state has its own definition of PII, or personally identifiable information), with no unifying legislation at the federal level. U.S.-based companies were using the Safe Harbor Act to collect and store European visitor data in the U.S.
In addition, Europe is faced with 28 countries trying to align under the General Data Protection Regulation (GDPR) alongside developing a one-stop-shop framework that would ideally work for all non-European companies addressing EU citizens.
What is the Safe Harbor Act?
The Safe Harbor Act was developed in 2002 to allow U.S.-based companies to collect and store European visitor data on U.S.-based servers.
The EU courts ruled on Oct. 6, 2015, that the Safe Harbor Act was invalid, requiring U.S. companies to develop new policies and procedures for collecting and storing EU visitor data.
The European Parliament announced strict new fines for companies that don’t adequately inform users what information is being collected about them, and what they plan to do with it.
Why is the Safe Harbor Act now invalid?
The European Court of Justice (ECJ), rather unsurprisingly, invalidated the international transfer mechanism known as Safe Harbor, which is used by a multitude of companies to justify storage of personal data related to EU citizens on U.S. facilities.
Its origins are in Snowden’s revelations about the NSA’s mass surveillance practices. When EU data is transferred onto U.S. facilities, the NSA is able to access it, and therefore the European Right to Privacy is not respected.
The invalidation of Safe Harbor means the framework has been deemed illegal. The Helsinki Times even went as far as stating that using Safe Harbor might constitute an offense, which could carry a maximum punishment of one year in prison.
Companies addressing EU consumers and using the Safe Harbor framework in their analytics set-ups should at least know which vendors should replace their clauses. In this respect, it will affect vendor management, something that is not well governed when we look towards digital and ad tech.
Implied vs explicit consent
In the new data privacy world, it is important for both the consumer and the business to know the difference between implied and explicit consent.
Explicit consent means that a user visiting a website must explicitly hit a button acknowledging they understand the website owner will collect data before they can proceed.
Implied consent occurs when a user browses a site, and by implication agrees he or she understands some data will be collected as “strictly necessary.” The Ensighten privacy solution handles both models.
How can Ensighten help?
Ensighten’s approach to data privacy is threefold. First, our tag management system is uniquely architected to keep sensitive data out of the browser. By contrast, the free and client-heavy tag management tools make data readily available in the browser—for competitors to view, for cyber-criminals to steal, and to increase risk overall. Our privacy layer wraps around our entire platform and is foundational to every Ensighten solution.
Second, we include monitoring for potential data risks as part of our core solution, so marketers can ensure customer data is protected and only made available to trusted partners and sources. While these capabilities exist today as part of Ensighten Inform, look for more explicit privacy monitoring reports and dashboards coming from Ensighten soon. Marketers who live and breathe data will need sharp visibility into the potential risks that data brings—especially as the new legislation goes into effect.
And third, but not least, Ensighten provides patented privacy gateway enforcement. We enable marketers to create easy, consumer-friendly opt-out experiences in everyday language that any user can understand. While our enforcement solution is popular with our European customer base, the impending legislation has quickly moved the solution onto the radar of our US-based global customers. Stay tuned for future blog posts as we explore how US-based brands can learn from EMEA marketers as we embark on this new era of global data privacy protection.
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.