As you might guess if you have read a few of my posts, I am not a person that is adverse to CRM and other customer facing technology that help improving the value created for said customer. Well, I am working in the CRM arena for more than twenty years now. A good part of what I am currently working on involves marketing automation software. And frankly, a lot of what I see and am allowed to do with and for forward-looking companies is just amazing!
Talking to CEO’s and executives of CRM- and marketing automation companies about the European General Data Protection Regulation GDPR, I repeatedly heard statements like “it is a way for lawyers to make money”. And they probably are right with this assessment.
Because too many executives still bet their house on this law being a toothless tiger, or being under the radar; or they are claiming ‘legitimate purposes’ according to sentence f of section 1 in article 6 of the regulation, to justify their collection of data.
Their legitimate purpose being the ability to serve targeted – or in new lingo relevant – advertisements. And I am sure they have some guidance by their lawyers, when arguing like this.
However, there is the caveat to these legitimate purposes: the overriding “interests or fundamental rights and freedoms of the data subject which require protection of personal data”.
Soon we will find out how serious the GDPR is taken by the European Union – whether it is a roaring lion or a toothless tiger.
There are only a few days left until this law gets into full force on May 25, 2018.
Means we will find out soon.
I will lay my dollars on the roaring lion option and am convinced that a good number of consumer protection agencies have already prepared lawsuits against high profile companies, and are yanking their chains till they are finally able to file them.
Besides article 6 on the lawfulness of processing, which enumerates and describes under which conditions the processing of personal data is allowed – and which is probably one of the most quoted parts of the regulation, there is one very interesting other article that seems to get less attention: Article 5, which names the principles governing the lawful processing of personal data.
One of these principles is the minimization of processing of personal data to “what is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (article 5 (1) b)).
Ever heard of the “Cookie Law’?
What is less widely known is that GDPR will be accompanied by the ePrivacy regulation, which is planned to be released soon. This regulation details out some points about data collection, e.g. the collection using cookies or the collection of data using landing pages. The clear intention of this proposed law is to minimize the collection of data and to avoid that consumers face ‘non-options’ that can be formulated like “accept all of the cookies that I throw your way or go away”.
Therefore it is also dubbed the ‘cookie law’.
Still we do see screens like these ones that get served by TrustArc and other companies on the sites of pretty much every site of major software vendors.
These software vendors include exactly those that promote and sell their software and solutions with the argument that they help companies to “deliver a better experience to their customers”.
I bet that most of us have seen the screen below after navigating to a site.
Ignoring the enticing button with the label “Agree and Proceed and selecting the pretty unobtrusive link to ‘More information’ leads us to a very interesting screen.
The settings default to giving widest possible authorizations, which is hardly “minimizing”.
An even more extreme approach is the one that just informs about cookies being set. This approach often even includes the statement that using the site implies consent, like the ones below.
Or this one
Recital 32 of GDPR explains conditions for a consent being valid.
“1Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. 2This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. 3Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
I am probably not alone when saying that the examples above stretch this definition at various points, e.g. at ‘freely given’ or ‘silence’ or ‘pre-ticked’.
And there are a good number of possible approaches in between the ones depicted here.
Why am I not surprised?
Let’s be clear: Advertising cookies do not improve the surfer’s experience. They solely serve the purposes of the companies that collaborate in placing them.
Taking the somewhat more cautious approach of allowing oneself to serve all categories of cookies by default is also not exactly a form of ‘minimization’.
The same applies to many landing pages. A landing page that asks for 10+ mandatory data elements is not exactly asking for minimal data, but for quite a lot.
As you have found out by now if you are still reading this, I am not exactly a fan of companies pursuing the approaches above.
Unsurprisingly, the European Parliament may serve as a good example in this context.
While having and using data is an important ingredient to personalization and to serving highly targeted advertisement and marketing, it is important to know that marketers value the ability to send targeted messages more than their customers value receiving targeted advertisements.
Using data from the Forrester Research study on the retailers disconnect with shoppers clearly shows this.
Source: Forrester Research
Again, while this is retail industry specific data, the message is clear. Personalized, relevant marketing communications are not highest up on customers’ priorities!
This should already be a good explanation for the increasing use of ad blockers, poor click through rates or email opening rates that do not meet sender expectations.
For landing pages the rule applies that minimum friction gives maximum results. Minimum friction involves minimum data entry. This will also improve the quality of the data that you receive. Here is some more retail data from a Forrester Research study that gives a clear indication on what customers are willing to share – and what not.
Source: Forrester Research
For me, the reason is simple – as is the solution.
Receiving a targeted advertisement is not an outcome in the customers’ eyes.
At best it is perceived as an intermediate step worst case it is perceived as intrusive.
But then, following Doc Searls’ prediction that GDPR will pop the adtech bubble, things might get to the worst case. Following him, focusing on targeted ads not only is a nuisance to customers, but also utterly harmful for businesses.
The main problem here still is that businesses are looking at an outcome from the wrong angle: Theirs.
They are still thinking inside out instead of outside in. They are looking for outcomes that are good for them to grow their business. Instead they should look at outcomes that are good for their customers. Growing their business is a consequence, then, and not the objective.
Following this thought also makes it far easier to be compliant to regulations like GDPR.
There are a few simple steps that can be taken to get closer to the objective of being on the Good side of the Force instead of being on its Dark side (did I ever say that I love my Star Wars movies?).
There are mainly three!
The first and foremost of them is to limit tracking via cookies to the bare essentials. These bare essentials might even include the usage of site optimization cookies – if you are trustworthy enough your site visitors will allow you this. But you need to gain and retain this trust!
By all means avoid statements like “by continuing to use our site you accept our cookies”. You can do far better. And customers will reward this.
Do it yourself, or you will see Thor’s hammer in the form of even stricter regulations.
Remember what happened to the checkbox next to the question whether customers agree to receive marketing communications? Yes, a law was introduced that enforced it being unchecked.
The sample screens that you see above actually have the same meaning as this ticked box.
Rework your terms and conditions, privacy policies, cookie policies or however else you call them. There are far too many conditional sentences in there. These documents are filled with statements like “we might”, “we could”, and so on.
Be more specific: Tell your customers in few simple words when you do, and maybe why.
Because you do!
And explain why it is to the customers benefit and not first to yours and then to theirs. Saying so is one thing. Making your customers believe it is another one.
The third step to take is to limit the data asked for when customers sign up for newsletters or are interested in a white paper. While it is understandable that there is a desire to get much data for proper lead qualification it is equally understandable that customers provide fake data and spam-box email addresses. Their doing so is proof that they would like to be sure that they received value before paying for it with their data. The obvious way out is doing something that Gigya calls ‘progressive profiling’. Ask for less data first. Ask for the right data, that customers are willing to give, and progressively, as they build trust in you, ask for more as they are willing to give it.
Taking these three simple steps – and talking about having taken them – will bring you a long way.
Don’t ask your customers to blindly trust you, but prove that they can trust you.
Then they will do.
This is the foundation for your success.