Integrating Privacy into their data strategy is today’s top priority for companies. It may even be critical to their survival. To go into the topic in more depth, we interviewed Guillaume Tollet, associate director at fifty-five. Specialist in data analysis technologies, business models as well as regulatory and ethical best practices, Guillaume has over 10 years’ experience in a strategy consulting firm – working at Dentsu as Data Director and then as DPO for the entire group. His current role sees him helping companies in their data and digital projects.
Hi, Guillaume. How is data privacy becoming a critical issue for businesses?
To answer this, I need to explain the various issues surrounding the topic to give you a better idea of what is at stake. At fifty-five, we understand data privacy in 3 different ways.
The first is regulatory. Following the implementation of the GDPR in 2018, global legislation has become much tougher. This is particularly the case in France with the CNIL’s latest recommendations, in the United Kingdom with the ICO’s positions and to a lesser extent in California with the CCPA.
There is also a technological dimension. Today’s major browsers dictate their own laws, in particular by limiting tracking via third-party (advertising) cookies. I’m thinking in particular of Safari’s ITP system or Firefox’s ETP, as well as Google announcing the end of the third-party cookie on Chrome within 2 years.
Then there is the third factor of user behaviour. Prospects and customers are more sensitive to privacy and intrusive advertising. Their navigation on websites and applications is therefore strongly influenced by privacy issues. Users have also understood that they have new rights and that brands have new privacy obligations. This is why more than 33% of French Internet users have set up an adblocker, including almost 50% of 18-24-year-olds.
It is therefore necessary to take into account the combination of these three privacy issues when thinking about the data strategy of advertisers and publishers. It is also essential for them to review their marketing and data use cases, their technology tools for deploying and activating data, and their data governance in light of these challenges.
In practical terms, what will change in 2020?
This year has already seen two major developments in data privacy legislation. On 14th January, the CNIL published its draft recommendation on cookies and other trackers for the French market. This will surely have a ripple effect on other countries’ privacy regulations. It essentially specifies the practices to be put in place to enforce the law on trackers on both websites and mobile applications. In concrete terms, there are major changes at several levels that complement the guidelines and provisions of the GDPR – namely, no longer considering continued browsing as acceptance of cookies. From now on, explicit consent is required by clicking on an ‘Accept’ button. The other requirement is the balance of attention so as not to influence the choice of the Internet user. In other words, refusal should be as simple as acceptance. The types of actions, the design, the size of the text and the colours displayed should be completely equal. Consent must also be granular and capable of being stored. Users must therefore be able to manage their preferences through large families of cookies (advertisers, social networks, audience measurement) because they have different purposes and involve different types of trackers and players.
The other major event in early 2020 was Google’s announcement that it would phase out third-party cookies in its Chrome browser within 2 years. This is a significant development because Chrome has a very large market share (60% in France) and all advertisers and publishers use almost exclusively third-party cookies to carry out targeted advertising on the web. It is therefore a major upheaval for all advertisers and publishers who use this standard, especially as Google has not given much information on the alternative it is considering.
There are increasing concerns about marketing analysis in the future. How will companies manage regulatory constraints and what system will replace cookies? 2020 is going to be a pivotal year for the entire data marketing ecosystem.
What are the main risks for non-compliant companies?
I can see three main risks for companies that are considered to be in non-compliance.
First of all, a financial penalty under the GDPR of up to 4% of worldwide turnover or €20 million (whichever is greater). For certain businesses such as SMEs or start-ups, such a fine can be devastating. Although this risk of heavy fines has helped to raise awareness at the executive level, with a market that is becoming more mature, there are additional potential dangers for a company that should not be underestimated.
The second risk is to business reputation. The CNIL can issue formal notices or impose sanctions for non-compliance publicly and openly. These announcements will be widely reported in the press, which will seriously damage the brand. When we see that many companies are spending millions of euros to maintain their brand image and gain the trust of their customers, it would be unfortunate if these efforts were cancelled out because of non-compliance issues. This is especially the case since trust is a key asset for a brand in today’s marketplace.
Finally, there is a third real financial risk of having to comply in an emergency without having planned for it. As an example, let’s look at a security flaw in the computer system. If the CNIL catches a company in non-compliance and nothing has been anticipated, they will have to act urgently and invest far more money to correct the error than if they had budgeted, planned and carried out regular system checks.
What would be the best approach to adapt to these regulatory changes?
In the short term, in terms of Analytics, I think it would be wise for advertisers and publishers in the French market to seriously evaluate, starting this summer, the possibility of implementing an exemption from consent for audience measurement, in compliance with the 8 rules set out by the CNIL. The goal is for a company to be able to measure all the traffic on its platforms, websites, mobile sites and native applications (because a significant part of the traffic before consent will be automatically lost without this exemption) while limiting the tracking and uses of the data. The other crucial requirement, in my opinion, is to look at the hybrid measure, applying to France only for the moment, that is offered by AT Internet – a proposal whose details have already been presented to the CNIL. It consists of activating the CNIL exemption by default and then switching to a consent mode in order to achieve a more granular data exploitation and a more advanced audience measurement.
In the longer term, it will be necessary to consider the post-cookie marketplace. The solution will undoubtedly be to rely more on first-party data, also thinking about reconciliation around unique identifiers. This will unify data from the analytical, CRM and CDP systems and involve moving from cookie-based logic to ID-based logic.
What traps do companies need to avoid in the compliance process?
The main error is to only focus on the compliance of the data tools. It is of course essential to ensure the legality of the technologies used to store, process and cross-reference data. But often advertisers are content with just that. It is also necessary to thoroughly review the marketing and data use cases to see if they do not go too far in defining the objectives and the purpose of the data used to achieve them. It is also necessary to ensure that data governance is in place to ensure ongoing compliance. This will involve assigning privacy representatives in the company’s key departments (HR, Marketing, Advertising, CRM) so that they can raise the alarm if there are any potential issues. A three-way decision-making process (Marketing, CIO and DPO) must also be put in place to approve any data marketing-related actions that need to be taken.
In your opinion, what is the ideal timeframe to work to?
The ideal timing would have been to start the compliance process before the GDPR came into force in 2018. It’s important to underline this because companies that have already dealt with these issues for the last 2 years have acquired a very strong understanding of privacy topics that will certainly become a competitive advantage in coming months and years.
Nevertheless, there is no need to panic; companies can always catch up. But they need to act quickly because privacy requirements are going to increase in 2020. The current period should therefore be seen as a transitional period to catch up on any delays and to be ready for the next regulatory and technological deadlines. Companies that are not ready by the last quarter of 2020 will, in my view, be at risk and in a situation that is concerning for their long-term viability.
Finally, how do companies turn legal obligation into opportunity?
In terms of data tools, the privacy-by-design approach is obviously an advantage, as companies will have to adapt to legal constraints in the coming months if they want to survive. But in order to transform the constraint into an opportunity, they will have to take advantage of this major change (legal, technological and behavioural) to rethink their marketing approach around the KPIs they want to follow (what we call the KPI Framework at fifty-five). The aim will be for companies to integrate the regulatory, technological and behavioural limitations into their schedule of objectives. These new indicators will have to be balanced between marketing pressure and intrusiveness. This will also involve changing the messages and interactions with customers and prospects. When I look at average email opening rates that don’t go above 5% at the moment, I tell myself that this pivotal year is an ideal opportunity to reflect on our data strategy and create new and more efficient ways of interacting with our customers.