Months later, some are asking the same thing. With tightened restrictions on how businesses can collect and store data, is the favorite tactic of brands and consumers alike extinct?
What is the GDPR?
The GDPR is a regulation on data protection and privacy for all individuals within the European Union. It tightens collection and transfer restrictions of any businesses that process the data of European citizens, including ones outside the EU.
It took effect in May 2018 and made headlines in the digital marketing world for being the first to classify cookies — a vital source of behavioral ad targeting data — as personal information.
With the new rules in effect, violators can incur penalties up to 4% of their global turnover or 20 million Euro, whichever is greater.
GDPR and personalization
While GDPR brings some overdue protections to user security, some advertisers believe it’s a threat to their most valuable tactic: personalization.
According to research, an overwhelming 98% of marketers agree that personalization helps advance customer relationships, and nearly 90% say their customers expect personalized experiences.
Providing these personalized experiences requires large scale data collection. The trouble is, businesses are often less than transparent when it comes to collecting that data.
Often, it’s only after a security breach that consumers realize just how much data they’re offering up. Facebook comes to mind as one of the tech giants willing to beg forgiveness over asking permission. But they’re not the only ones.
A great visualization from Data Is Beautiful showcases how insecure user data is, and how often it’s compromised on a large scale:
These are just breaches in 2018 (and a few months into 19) of 30,000 records or more.
Looking at the list, you’re likely to see more than a few companies that have your personal information, meaning, there’s a chance your data is floating around in cyberspace.
Even if it’s not “floating around” in the hands of people it shouldn’t be, there’s still a good chance it was bought or sold without your knowledge, “legally.” Perhaps more disturbingly, if you know what “it” is, related to data, you’re in the minority, says the Harvard Business Review:
So, how many businesses have access to your data? What is it, and how much of it do they have? It’s impossible to know.
And that’s what GDPR aims to solve for EU citizens, at least to some extent, by putting tighter regulations on data collection, and slapping those who don’t adhere with heavy fines.
The question some are asking is: “Is personalization possible to the same level it was before GDPR?”
No. GDPR has ruined personalization.
Here’s an opinion without much coverage, and for good reason. GDPR hasn’t ruined personalization. It’s just made it a little more difficult to collect troves of data.
As you’ll see later, that’s not necessarily a bad thing. Now, we look at the biggest data collection issues facing personalization under GDPR.
1. Websites have to notify visitors before tracking cookies.
By now, you’re no stranger to the opt-in bar at the bottom of most websites. There’s a chance your site employs one too:
These little bars make it possible for users to physically opt into the collection of their personal information as defined under the new GDPR regulations. Cookies can still be tracked, but only with explicit permission from the visitor.
To the user, this is perhaps the most noticeable change to their browsing experience. To some marketers, it’s one of the biggest barriers to data collection.
Pre-GDPR, this agreement was implicit. The visitor landed on the page, and, in exchange for content, traded information about their browsing behavior. Today, it requires a click to accept. This new rule, though, doesn’t have to be as stifling to data collection as it may seem.
To get users to agree to cookie tracking, emphasize the benefits of opting in, like you would on a post-click landing page. Here’s an example from MyCustomer:
Here’s a similar example from ClickZ:
If that fails, some websites have gated their content until the user accepts. This should be a last resort for businesses that would rather have no visitor than no data. If traffic isn’t a problem and cookies are highly important to your marketing strategy, then it may be a viable solution.
2. Blanket opt-ins are no longer permitted.
Those opt-ins that lump a bunch of offers into one really long consent form that nobody reads? Under GDPR, those don’t fly anymore. According to the GDPR website:
The conditions for consent have been strengthened, and companies are no longer able to use long illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Applied to marketers, this means:
- No more jargon. Make your consent forms easy to read and understand.
- No more one-time, offer-wide consent. Just because someone submits information in exchange for an ebook doesn’t mean you can sign them up for your newsletter. Ask for permission each time.
- Don’t make opting out so hard. Opting in is usually a piece of cake. For many businesses, opting out requires several purposely friction-filled steps.
3. Data disclosures must be made readily available.
By now it’s no secret that many businesses deal in data. They generate it, they sell it, they buy it, they use it.
So, how will you use your customer’s data? They need to know.
This ties in, somewhat, with the previous point, but it’s crucial enough that it warrants its own section. This is the takeaway: People need to know what you’re doing with their data.
What you’re collecting is important, but so is what you’re doing with what you’re collecting. This should be readily available in an easy-to-read format.
4. Only collect what you need.
When building forms, the best number of fields to use is the fewest that you need to provide the best service possible. This is what the GDPR recommends for data collectors: Only collect what you need.
Referred to in the legislation as “data minimization,” the rule also calls for the handling of data by only the people who need it to carry out the processing.
No more collecting as much data as possible in case you’ll need it later. Get concise with your forms, and prevent the mishandling of data by permitting only those who need it to use it.
5. Offer people a file on themselves.
According to the GDPR blog:
GDPR introduces data portability – the right for a data subject to receive the personal data concerning them – which they have previously provided in a ‘commonly use and machine-readable format’ and have the right to transmit that data to another controller.
A “controller” refers to one who controls user data, and whether intentionally or not, this rule could keep them in check more than any other.
Now, controllers are required to keep a data file on their users who have the ability to transfer it to another controller. And it’s possible “another controller” to them means “competitor” to a business.
With the idea that the data they collect could, at any time, be transferred to a competitor, this may prompt marketers and data engineers to squeeze as much use out of as little data as possible. Gather only what you’d be comfortable giving your competitor.
6. Allow customers the right to be forgotten.
This would be a major personalization killer, but it’s unlikely to deal a major blow to businesses. Customers need to be allowed the right to have their data erased from a database, and possibly, third-party processing of that data halted. Exercising this right would likely serve as a last resort for data subjects who were targets of ad bombardment or data mishandling.
GDPR has improved personalization.
While it’s easy to look at GDPR as an impediment to personalization, more than a few people believe it will improve the tactic.
In an article for Martech Series, Egil Brginland says:
Moving beyond GDPR, privacy requirements will actually help to drive better customer experience as organizations will only be able to use relevant and up to date information to individualize customer experience. It will also require them to explain how individualization is made possible, and sell the value of it, creating better customer relationships based on transparency and trust.
Research already shows that consumers are willing to give up their personal information in exchange for a better user experience. What they don’t like is having it taken from them. Before GDPR, this was as routine practice. Now it incurs heavy fines.
Beyond transparency, Amy Manus of Goodway Group thinks GDPR will help organizations better manage their data:
It's causing them to streamline the amount of data they’re storing; letting go of data can be scary for any organization. But inversely, this whole data deluge has continued long enough, and marketers are becoming more cognizant of what data is going to help aid in the relationship they have with customers during their journey. So, overall, just streamlining their approach and strategy for how and what data they use is a necessary exercise many marketers have been putting off for some time.
While it might sound like a great problem to have, data inundation is real. For many marketers and engineers, making sense and use of that data is their biggest organizational challenge.
For others, simply collecting it is tough. In another Martech Series article, Jonathan Lacoste thinks GDPR could solve that problem too.
First-party data, he explains, is highly relevant but hard to scale. Third-party data is easy to acquire but often irrelevant. “Declared data” is what Jonathan calls the best of both worlds.
Now that GDPR is in effect, and businesses must declare what data they’re collecting, this could lead to a less guarded user attitude toward information sharing. When you had to be wary of what you shared or opted into online, now, for EU citizens, it’s less concerning. This attitude could lead to a greater willingness to contribute more data if it’s in the user’s best interest.
After all, the GDPR does not restrict data. It simply restricts how it can be collected. And, while it’s too early to tell how GDPR will affect personalization long-term, one survey from August 2018 indicates that consumer attitudes have improved toward brands.
According to Marketing Week, 27% of consumers feel their relationship with brands has gotten better, and 41% of brands have seen an improvement in the way brands communicate with them via email.
GDPR is here to stay
Whether you believe the changes to be better or worse, they’re here, and disregarding them means risking much more than data. Personalization is still possible with GDPR, it’s just a little more difficult. Years from now, we’ll likely all agree it was for the best.
Want to learn how you effectively personalize the user experience for each audience you target? Get a demo of the Instapage Personalization solution here or your free copy of the guide below.