How to prioritize data privacy in core customer-facing systems
Evolving global data privacy regulations are keeping marketers on their toes. In April 2024, the American Privacy Rights Act (APRA) was introduced in the Senate. The proposed bill would create a federal consumer privacy framework akin to the GDPR, which regulates consumer data privacy protections in the EU. If the APRA passes in its current form, US citizens would gain the right to access, correct, delete and export all collected data.
This fraught regulatory and cybersecurity environment means we must take a new, better approach to consumer data collection, protection and tag management. Change is especially urgent considering recent risks exposed in Google Tag Manager’s (GTM) client-side tagging platform (the #1 tag manager globally). GTM has been proven to enforce default consent principles, inject hidden scripts and even hide potential data leaks. These activities could expose organizations to millions in possible fines or cybersecurity vulnerabilities.
GTM and client-side tagging strategies aren’t the only options for marketers looking to enhance their re-targeting efforts through consumer data collection. I urge leaders to consider the following ways to prioritize data privacy as they work with potentially sensitive consumer info.
Minimize data collection
We all know the value of consumer data — and let’s be clear: Data collection isn’t the enemy. However, collecting only customer data that is strictly pertinent to our business needs is safer and far more secure. Unnecessary data is cumbersome to manage and protect, making a leak substantially more likely to occur. It’s also expensive to maintain.
Leaders should reduce data collection by minimizing data fields and only directly inquiring about data that informs re-targeting or analytics efforts. For example, nice-to-have information, like a customer’s birthday or middle name, shouldn’t be prioritized over must-have data like first names and email addresses.
It’s important to note that collecting peripheral information can also create a tedious customer experience (CX) that disincentivizes customers from providing data in the first place. So, practicing temperance offers both privacy and experiential benefits.
Build a secure data pipeline
Consumer data must be collected and handled securely throughout its lifecycle, from collection/ingestion to expiration/deletion. Organizations should consider implementing the following measures to protect data:
- Role-based access control (RBAC): The principle of least privilege should always be applied to systems containing consumer data. In other words, system users should only maintain access to data and resources relevant to their role. This is especially important for consumer data, which may contain personally identifiable information (PII). PII should never be accessible to non-relevant users. RBAC helps to mitigate PII dissemination by restricting user access to certain data sets.
- Encryption: Organizations should consider encrypting customer data to further protect it from unauthorized access. Doing so ensures that stolen data is unreadable to bad actors, minimizing the damages associated with a breach.
- Data loss prevention (DLP): DLP software ensures that PII and other consumer data aren’t lost, misused or improperly accessed. It categorizes data sets by relative sensitivity (i.e., “common knowledge” info vs. PII) and prevents unauthorized data transmissions.
- Server-side tag management: Unlike client-side tags, server-side tags load and deploy on a website’s server, which improves both web performance for customers and data governance. Since tags are executed on the server, they don’t expose PII directly in the user’s browser, reducing the risk of data being intercepted by malicious actors through browser-based attacks. Furthermore, server-side tag management gives organizations greater control over when and how data is collected and handled. This centralized control helps ensure compliance with data protection regulations.
Share data only with trusted third parties
About a third of data breaches in 2023 occurred due to vulnerabilities in a partner’s data protection and cybersecurity policies. Critically, the GDPR and the California Consumer Protection Act (CCPA) hold first-party data collectors accountable for downstream breaches. So, you must be selective about which entities you share data with.
Before creating a data-sharing agreement with a third party, review the organization’s data storage, collection and transfer safeguards. Verify that the organization’s data protection policies are as robust as yours. Further, when drafting an eventual agreement, ensure that contract terms dictate a superior level of protection, delineating the responsibilities and expectations of each party in terms of compliance and cybersecurity.
Due diligence on the front half of a relationship is necessary. However, it’s also essential to maintain an open line of communication after the partnership commences. Organizations should regularly reassess their partners’ commitments to data privacy by inquiring about their ongoing data protection policies, including data storage timelines and the intent of using said data. Transparency in a partnership is vital, as it enables your organization to take swift action against external vulnerabilities.
Enforce consent upon collection
Most customers can opt out of data collection and tracking at any time. (Even if this isn’t the case in a particular jurisdiction, legislation is likely on the way.) This preference is known as “consent” — and enabling its collection is only half the journey. Organizations must also proactively enforce consent to ensure that downstream data routing doesn’t jeopardize or invalidate a customer’s express preferences.
Organizations should consider tools and solutions that dynamically and anonymously enforce consent. Certain solutions can integrate with an existing consent management platform (CMP) to enforce consent across an existing customer ecosystem. By enforcing consent at the moment of collection, these solutions ensure that third-party sharing doesn’t invalidate a consumer’s preferences.
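The sketch below shows how a server-side collection handler can combine the field minimization described earlier with consent enforcement at the moment of collection. It is an added example, not code from the article or from any tag-management or CMP product, and the field names, purposes and destinations are hypothetical.

```javascript
// Added example: all names below (fields, purposes, destinations) are hypothetical.

// Data minimization: only these fields are ever accepted from the browser.
const COLLECTED_FIELDS = new Set(["firstName", "email", "pageUrl", "eventName"]);

// Each downstream destination declares the consent purpose it needs and
// the subset of fields it may receive.
const DESTINATIONS = {
  analytics: { purpose: "analytics", fields: ["eventName", "pageUrl"] },
  retargeting: { purpose: "advertising", fields: ["eventName", "email"] },
  crm: { purpose: "functional", fields: ["firstName", "email"] },
};

// Drop every field that is not on the allow-list before anything else runs.
function minimize(event) {
  const kept = {};
  for (const [key, value] of Object.entries(event)) {
    if (COLLECTED_FIELDS.has(key)) kept[key] = value;
  }
  return kept;
}

// Build per-destination payloads. A destination receives data only when the
// consent record explicitly grants its purpose; a missing record or a missing
// purpose is treated as a refusal (default deny).
function routeEvent(rawEvent, consent) {
  const event = minimize(rawEvent);
  const granted = consent && consent.purposes ? consent.purposes : {};
  const outbound = {};
  for (const [name, dest] of Object.entries(DESTINATIONS)) {
    if (granted[dest.purpose] !== true) continue;
    const payload = {};
    for (const field of dest.fields) {
      if (field in event) payload[field] = event[field];
    }
    if (Object.keys(payload).length > 0) outbound[name] = payload;
  }
  return outbound;
}

// Constructed sample input: a form submission carrying extra fields.
const sampleEvent = {
  eventName: "newsletter_signup", pageUrl: "/pricing", firstName: "Ada",
  email: "ada@example.com", birthday: "1990-01-01", middleName: "L",
};
const sampleConsent = { purposes: { functional: true, analytics: true, advertising: false } };
console.log(routeEvent(sampleEvent, sampleConsent));
```

Because the routing decision is made on the server before any payload is built, a refused purpose means the third party never receives the data, rather than receiving it and being asked to discard it.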
Looking to the future of data privacy
Data breaches and privacy scandals have left many consumers wary about their relationships with online brands. Only one in 10 consumers fully trust organizations to manage their identity data. As global regulations evolve to acknowledge these valid consumer concerns and cybersecurity breaches increase in frequency, marketers become vital stakeholders in creating a privacy-forward future.
By taking concrete steps to minimize data overconsumption, safeguard PII, enforce consent and vet third-party partners, marketers can garner consumer approval while also staying ahead of the rising tide of new legislation. Ultimately, the companies that thrive will not just be the ones with the most data but the ones who’ve earned the right to be its stewards.