A Privacy-First MarTech stack

Sergio Maldonado
PrivacyCloud
Jun 17, 2021
Image: How the “consent trap” does away with the Marketing Data Technology landscape. Background: https://www.linkedin.com/pulse/five-layers-marketing-data-technology-backbone-sergio-maldonado/

It is no coincidence that most digital advertising environments are quickly migrating towards cohort-based targeting and aggregated, anonymous reporting. At the same time, enhanced data anonymization techniques, and a growing list of built-in privacy features in the most popular public clouds, will result in shorter data retention periods and a replacement of individual customer records with statistical (AI) approaches for a wide range of tasks.

Changes in the first group affect marketing data activation. Changes in the second group affect the deeper layers of the MarTech and data analytics stack. And yet, there is a logical cascading effect from one to the other, which could well turn into a virtuous cycle.

ePrivacy and top-down disruption: the unbearable uselessness of Consent Management Platforms

I’ll stick to the “ePrivacy” term to cover both the legal and self-regulatory environments tackling privacy challenges on the data collection layer. As such, it affects UX-related decisions in terms of cookie consent and prevents fingerprinting or similar techniques for pseudonymized (non-PII) user tracking.

Alongside California’s opt-out rules (as amended in the California Privacy Rights Act) and the EU ePrivacy framework*, we would here find Apple’s latest battery of privacy-enhancing measures (Private Relay, Mail Privacy Protection, and App Tracking Transparency), Android’s new policies (two steps behind), and the demise of third-party cookies in Firefox, Safari, and Chrome.

I believe it is fair to say that the sudden overlap of all of the above results in the complete unreliability of user-level “deduplication” across web or mobile properties. In particular, few Consent Management Platforms (CMP) have adapted to the most recent update to valid consent requirements in the EU**, and most CMP deployments have been forced to make use of “dark patterns” to guarantee minimum sample sizes. Even more important (as they count on built-in enforcement tools), Apple’s new policies are jointly doing away with IP addresses, tracking pixels, mobile device IDs, and fingerprinting.

In other words, no matter how many times we bother people with consent requests, we will be faced with a complete inability to deliver on either the promise to end users or its value to the business.

Of course, there is a silver lining in these increased challenges in terms of user experience. Finally deprecating the now ubiquitous consent management pop-ups (their outcome now proving useless) will give people a small part of their lives back.

*Article 5.3 in the 2002 ePrivacy Directive, updated in 2009 and soon to be replaced by an ePrivacy Regulation.

**Following the Court of Justice of the EU’s (CJEU) Planet49 judgment and its impact on current European Data Protection Board Guidelines.

GDPR, Privacy by Design, and the bottom-up squeeze

The GDPR (and worldwide clones) challenge runs much deeper. By introducing accountability at every layer and demanding the application of Privacy by Design principles, the well-entrenched practice of collecting as much data as possible — with the hope of putting it to work at some point in the future — has come to an abrupt end. New privacy laws demand the prior definition of a purpose, as well as a legal basis for that purpose, with a limited, clearly stated retention period.

But there is much more: personal data (stretching well beyond the boundaries of PII) comes with increasing risks and costs, as data controllers are forced to accommodate data subject requests at scale (or facilitate the exercise of other end user rights) while being responsible for data breaches, and having to ensure that sensitive data categories or automated decisions are dealt with appropriately.

In case we needed an icing on the cake, international data transfers have become another nightmare, with US-based SaaS providers losing one instrument after another as a legal means to give shelter to their customers’ data (with the Privacy Shield framework now defunct and Standard Contractual Clauses being subject to burdensome complementary measures as a result of the 2020 CJEU Schrems II ruling).

Perhaps as a result of such regulatory pressure (with the bullseye firmly placed on their Big Tech owners), the public clouds have been rather proactive in the release of tools and measures to help their (business) customers do more with less. These tools are now available at the data collection, data analysis, or information delivery level, including anonymization services, solutions for the automated de-identification of PII datasets, differential privacy tools, or aggregated insights.

Needless to say, an increasing reliance on all of the above, coupled with the aforementioned limitations on the data collection layer, is about to have a major impact on any third-party solutions plugging into such a backbone.

A Privacy-First Marketing Cloud?

We have witnessed the steady growth of today’s Marketing Clouds (Adobe’s, Salesforce’s, Oracle’s, IBM’s…) over the past fifteen years. I would dare say that their original promise has not changed one bit: A unified view of the customer across digital properties, devices or “experiences” that can turn demand generation into the holy grail of predictable science (feel free to check a WebTrends deck from 2006).

Whether embodied by Tag Management Systems, Data Management Platforms, Customer Data Platforms, or whatever the next flavor of the season may be, this promise will keep on selling incredibly well to the countless business executives who have decided to subject the once human-centric marketing discipline to the dictatorship of short-term ROI and “CFO-centricity”.

Best of all, the promise has never been delivered beyond very specific domains and (as I have argued) it never will. But the magic does exist, and Marketing Cloud vendors know it all too well: peer pressure and filter bubbles will turn any fantasy into a business case, and any business case into a proven methodology. But then again, even Isaac Newton believed in the Philosopher’s Stone!

In any case, I do believe it is time to move on. It is time for a Privacy-First Marketing Cloud, guaranteeing transparency and control on the consumer side. Furthermore, it seems only natural that the consumerization of corporate IT results in propagating some of that newly gained honesty to the B2B SaaS space: it is also time for a BS-free Marketing Technology stack.

We already had all of this in mind when we decided to put a wish list together for what a Privacy-First Marketing Cloud could look like, a couple of years ago:

  • It does what it promises. Zero-Party Data activation that beats consent-based profiling and behavioral targeting.
  • It spares its customers all of the risks derived from the use of dark patterns (through CMPs) and indiscriminate data collection. In fact, it spares them the risks of collecting, storing, or processing personal data altogether.
  • It puts people in control through self-service tools for the exercise of their rights.
  • It provides powerful insights by leveraging aggregated data.
  • It only speaks of AI or Machine Learning when a particular feature does deserve the label.

But talking is cheap and life is too short. So we are actually building it :)


Sergio Maldonado
PrivacyCloud

Dual-admitted lawyer. LLM (IT & Internet law), Lecturer on ePrivacy and GDPR (IE Business School). Author. Founder: PrivacyCloud, Sweetspot, Divisadero/Merkle.