Do the companies we entrust with our customers’ data always know what these use cases are? Do we as advertisers, always know how our customers' data is being used? When evaluating marketing programs and potential partners that offer programs that will require accessing and using your customers' data, ask these questions.
The Dos and Don'ts of Data Contribution
In the earliest days of direct marketing, it was unheard of for marketers to share data outside of their four walls. The ability to acquire a new customer was challenging (still is) and costly (still is) and these coveted customers were protected at all costs. Paranoia over access to “my” customers was prevalent.
In the 70s and 80s exceptions were made in a very controlled way, with one marketer allowing another access to their customers through a reciprocal relationship. Brand A would allow Brand B to solicit Brand A’s customers in exchange for the ability to do the same. An entire business based on “customer list” exchanges emerged. “List” rentals followed shortly after as marketers realized they could monetize their customer database by “renting” their customers to other advertisers for the purpose of direct mail.
In the early 1990s, an entirely new concept around data and customer sharing evolved through the advent of co-operative databases. Advertisers would willingly contribute their customers’ names, addresses and purchase information, to a central aggregator of this data. The aggregation of this data then allowed for a comprehensive view of a consumer’s purchase history, allowing for names and addresses to be modeled and then sold as look-alike prospects to other contributing members for the purpose of more targeted direct mail. When consumers learned that their data was being used in this way, guidelines for consumer privacy began to be established. Advertisers were required to disclose to their customers that their data could be shared with others for the purposes of targeted advertising and consumers were given the ability to opt out of this practice.
By the late 1990s, with the emergence of digital advertising, this type of consumer data (names and addresses) could now be aggregated with online data and the need for regulations regarding consumer privacy became critical. Today, there are regulations about online browsing data collection and sharing.
What is acceptable practice for the use of a consumer’s personally identifiable information (PII), such as names and addresses, email addresses and IP addresses? What is acceptable practice for the use of a consumer’s personal information (PI), online and offline purchase data as well as online browsing data?
We are all familiar with the concept of notice and choice. Consumers must be notified as to how their data is being used and must be given the choice to allow or not allow their data to be used in any of those use cases. But, do the companies we entrust with our customers’ data always know what these use cases are? Do we as advertisers, always know how our customers' data is being used?
When evaluating marketing programs and potential partners that offer programs that will require accessing and using your customers' data, ask these questions:
- What data will I need to share? Is it personal information (PI) like browsing and intent data, personally identifiable information (PII) or both? Will I have to share online and/or offline transactions?
- Who will have access to the data? It is not uncommon to think the data we share is being used only by the company we contract with but, in that contract may also make it permissible for a sister or parent company to use.
- Will that data be aggregated with data from other clients? Will it be shared with other clients? You may be fine having your customers' data shared with your competitors, knowing that you will benefit from theirs as well. But you might not. And your customers need to know if this will be happening so they can provide consent or not.
- How will that data be used? Make sure you know all the use cases, not just the primary use case. Read the fine print. Some providers will collect more data than is needed to provide the solution. Make sure only the data needed is being accessed and used.
- How will my customers’ data be processed, stored and deleted? Companies collecting online browsing data (PI) from your website that have built and maintain their own in house identify graph (PII), are able to link PI and PII to each other, putting customer anonymity and privacy at risk.
- How will my customers’ online data be kept anonymous?
- Will you be selling my customers’ data for profit? Your customers have to give consent for their data to be sold and if they allow it, you may have the ability to share in those profits
- How is my customers’ data being kept secure? Have your perspective partner participate in risk assessments and data security audits if there is any concern based on the type of data being accessed.
- Are you GDPR and CCPA compliant? An important component of GDPR and CCPA and likely future legislation is to ensure you are in control of your customer data set. As shared data gets further shared with others, the likelihood of losing that control becomes greater. Make sure your partner is guaranteeing that will not be the case if you contribute part of or even all of your valuable asset.
Don’t be afraid to push on getting answers to these questions. As a steward of your customers’ data (both online and offline), you have a responsibility to manage and protect all data you collect… the data your customers have allowed you to collect. FTC rules around disclosure about browsing data are clear that it’s the website a visitor is browsing who has the responsibility to disclose how that visitor’s data will be used. When in doubt, consult your corporate attorney or an external privacy firm about a use case.