Why GDPR and CCPA are strategic imperatives for the CMO

Should GDPR compliance be in the CMO’s job description?

The EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) give CMOs an opportunity to drive their strategic objectives, rather than fall victim to the loss of consumer confidence and data.

Marketers most impacted by GDPR regulations

In most organizations, the marketing function represents the consumer-facing area of the enterprise. Marketers manage information that spans the entire consumer experience from demand generation to sales, collecting customer information at multiple points along the way.

Because of these interactions with consumers, marketers are the most impacted by the sweeping new privacy requirements coming out of both the European Union (EU) and, more recently, the State of California: rules that affect an organization’s global operations. As organizations contend with the EU’s GDPR and the CCPA, which both impose new digital privacy controls on organizations and their ecosystems, CMOs should manage their organizations’ approach to these regulations from a strategic rather than a compliance-first perspective. By taking command of the process, CMOs can leverage the required investments to build deeper, trusted relationships with consumers instead of being impacted by the loss of consumer information from legally driven compliance efforts.

Customer relationships may be significantly undermined

The GDPR went into effect in May 2018. Failing to protect information can result in severe fines of up to four percent of annual global revenues. Following in the wake of the EU-driven GDPR is the first major US-driven privacy legislation impacting consumer privacy: the CCPA. Often referred to as “GDPR-light,” the CCPA does not wield the same extreme fine potential, but it does specifically outline the ability for consumers to join in class-action status and does outline specific minimum fines associated with inappropriate uses and protection of “consumer information.”

Future US and global privacy regulations are likely to have differing requirements and will therefore be increasingly challenging and costly to implement. For example, one of the many differences between the GDPR and the CCPA is how the CCPA has broadened the definition of an “individual” to also include a household. As a result, marketers will likely own the process of identifying and managing efforts surrounding the collection of data of specific individuals, as well as the data of a broad household.

Companies can find themselves at a significant disadvantage if they treat the regulation strictly as a short-term, legal compliance exercise. There are many examples where simply complying with individual requirements, and not effectively managing consumer interactions, could lead to the loss of first-party data:

  • The rules include specific requirements for lawful consent requests that require companies to secure consent through clear actions that imply the consumer is aware of what they’re opting in for. On an e-commerce site, for instance, the visitor would need to actively select certain information rather than select pre-checked boxes.
  • Additionally, an individual can request that their data no longer be used for marketing purposes. And, specifically under the CCPA, an organization is required to provide easy-to-access links for a person to utilize to request that their personal information no longer be sold.
  • Another area where CMOs can take action is through cookie consent. These messages that track information such as names and email addresses for visitors to websites have long been used by the marketing function as a mechanism for data collection. Now there are specific guidelines for the use of data that are captured.

Consider the potential consequences as consumers react to these rules. A consumer may decide not to share data with websites, shrink their digital footprint and concentration to trusted sites, or migrate to sites and apps that have more transparency around privacy and data usage.

Therefore, CMOs need to develop a long-term view of the customer’s relationship with the brand, communicate the value of this relationship to the customer, and actively manage the points of customer interactions to deliver on that value.

As a by-product, these interactions should be designed to meet privacy requirements. In short, CMOs need to understand their customer interactions so they can develop a disciplined process with a single view of the customer.

CMO’s strategic investment to enable privacy compliance

The GDPR and CCPA also hold organizations accountable for the actions of third parties in their marketing ecosystem that provide or handle customer data. CMOs need to hold externally sourced consumer data to the same standards that they apply internally to their first-party data, which means that they must be able to verify its compliance with privacy requirements. In addition, anyone that has access to the company’s consumer information, for example advertising agencies or platforms, must also meet the company’s privacy requirements. In today’s interconnected world, CMOs need to execute through a more limited set of trusted vendors, with strong oversight through a third-party transparency and compliance program.

It is clear that ongoing compliance with the GDPR, CCPA, and future privacy regulations will mean much greater effort and cost for handling consumer information, which will only be magnified by the fragmentation of systems, consumer data and points of interaction. For example, it is difficult to envision that, in a dispersed environment, a company can execute at scale the new GDPR consumer rights to be forgotten or for portability of their data. For compliance to be effective and sustainable, the investment should instead be directed to unifying the underlying technology platforms with a single view of the consumer and their interactions with the brand. As well as minimizing the cost of compliance and the likelihood of significant fines, it will enable the CMO to deliver on their longer-term customer strategies.

This is not to say that the privacy compliance effort will be easy. There are new definitions of data; for example, GDPR recognizes the concept of pseudo-anonymous data and at the same time expands the definition of personal data. The concept of Privacy by Design is not new, but it is now enshrined in GDPR. Online profiling and tracking requirements apply not only to websites but to other digital assets including apps and other emerging technologies. The CMO will need support across many functions including IT, security, legal, and HR. This complexity is reflected in the GDPR requirement for companies to have a very experienced Data Protection Officer, who brings this varied background and reports directly to senior management.

The GDPR and CCPA both represent a major shift in dealing with information but also present an opportunity for CMOs to reframe the conversation with their customers and redirect the required major investments to develop a unified customer architecture that supports both privacy compliance and longer-term marketing and customer relationship strategies.
