How the Fragmented Privacy Landscape is Impacting Marketers

Q&A with Andrew Frank, Distinguished VP Analyst in the Gartner Marketing practice

From recent U.S. legislative efforts and subsequent developments in Congress as well as expanded online privacy protections proposed recently by the FTC, to the EU’s attempt to bolster accountability with the EU Digital Services Act, privacy laws are becoming more fragmented and complex for marketing organizations.

We recently sat down with Andrew Frank, Distinguished VP Analyst in the Gartner Marketing practice, to discuss how digital marketers can identify opportunities to be more transparent with consumers, and how they can react to a quickly changing landscape.

Members of the media who would like to speak with Andrew regarding this topic can contact Matt.LoDolce@Gartner.com to schedule an interview.

Q: As government entities increase their focus on regulating data privacy, what are some of the main implications for digital marketers?

A: Technical restrictions on cookies and mobile device IDs, as well as obfuscation of other personal signals like IP and email addresses, are having the most direct effect on marketing techniques. But the actions of local and national government entities may ultimately prove more challenging for organizations to deal with. That’s because governments, especially in the U.S., are not aligned on some of the conflicting principles that privacy laws bring to the surface.

Specifically, many privacy laws require deletion of data when requested by a user or when it has outlived its disclosed purpose for being collected. Others require certain data to be retained for periods that vary depending on the category of data and the region in which it was collected. This can lead to complicated situations where requirements may appear to be in conflict, which could worsen if states and regions continue to pursue the enforcement of local laws outside their geographical boundaries.

Regardless of how the privacy landscape unfolds, digital marketers must plan for more consumer adoption of privacy protection countermeasures as people become more attuned to the hazards they face from digital surveillance. For example, widespread tactics such as the use of IP addresses to infer the location of a website visitor and provide localized content are likely to become less reliable as more consumers adopt VPNs to mask their location and opt out via privacy changes on platforms such as iOS.

Q: What can digital marketers expect as consumers exercise new rights and capabilities to avoid identification and tracking?

A: Privacy-protection behaviors reflect a growing lack of trust in institutions that collect data without explicit consent, especially among younger cohorts.

As a result, digital marketers can expect:

• Their investments in digital personalization, in ad tech and in CRM products to require significant upgrades to remain compliant and viable.

• Difficulty in establishing loyal relationships with consumers who are not familiar with, or trusting of, a given brand.

• To offer consumers more transparency and control of personal data via better consent and preference management, including the ability to expeditiously remove their data on demand.

• More challenges in establishing the effectiveness of ad campaigns and customer analytics, leading to greater difficulties optimizing media and customer experience investments. This, in turn, is likely to accelerate interest in more advanced AI techniques to fill the gap, which require more expertise and caution to work with.

Q: What should marketers do in response to the shifting privacy landscape and consumer preferences?

A: To avoid becoming embroiled in legal and social controversies, organizations must identify and refine data collection and retention policies, and where possible reduce or eliminate data-processing practices that could expose them to partisan demands for disclosure or deletion.

Specifically:

1. Reduce expectations for the generic availability of personal data for marketing and personalization, and audit customer data and analytics processes to assess the potential impact of reductions in data fidelity and retention. Prioritize initiatives that offer users more control, and make better use of synthetic data and self-selected segment-level communication strategies that don’t rely on personal data.

2. Perform or support a privacy impact assessment covering all personal-data-processing activities, and communicate applicable rights policies and potential legal risks to employees and customers as thoroughly and transparently as possible. Adopt data minimization policies that limit personal data collected and retained.

3. Ensure that an organization’s privacy impact assessment identifies all personal data collection points and traces the flow of the data within and beyond the organization. Verify that personal data is either protected or destroyed at all stages of its journey, even if its sensitivity is not obvious. Be especially cautious of data shared with external parties through tags and other automated mechanisms.

The accelerating deprecation of various personalization, security, analytics, data collaboration and tag management practices will disrupt operations across the enterprise, especially involving third parties. Beyond data retention, business leaders need to prepare wide-ranging audits and strategies for heightened sensitivities, emotions and even liabilities associated with related privacy issues.