CCPA/CPRA Data Mapping: The Why, What, and How
How often does the word “right” show up in the text of the CCPA/CPRA?Read Now
June 8, 2022
If you’re concerned data privacy regulations might make it harder for you to do your job as a marketer, you’re not alone.
Seventy-three percent of marketers believe privacy concerns will make delivering data-driven, personalized marketing significantly more difficult. Easy access to a wealth of user data has been a game-changer for the marketing profession; but what the Lord giveth, the Lord taketh away.
Becoming compliant with data privacy regulations is non-negotiable, especially if your company hopes to get customers and users from the 50+ jurisdictions with a data privacy regulation in effect. Since compliance is a must, it’s best to make sure your voice is heard once your organization starts evaluating solutions. After all, it’s your job that will be impacted the most — lawyers and data privacy professionals are focused on making sure the organization stays compliant, not how privacy software affects other teams.
Marketers, however, can add a lot of value to the evaluation process. When your organization starts to consider privacy software, make sure you have the opportunity to ask the right questions to ensure the solution you pick makes your job as easy as possible.
As a digital marketer, the two most important numbers for your role are the number of people visiting your website and the number of people converting on your website.
Surrounding those numbers are a slew of other numbers: new and recurring visitors, form submissions, referral sources, page views, visits by demographic, visits by persona, visits by industry — the list goes on.
Analyzing these numbers both informs your marketing strategy and tells you how successful that strategy is. Asking visitors for consent to track metrics like these keeps you in compliance with data privacy regulations, but it also reduces the size of your data set, which in turn, makes it harder to do your job. That can be more than a little panic-inducing.
Fortunately, there are approaches to gathering consent that minimize compliance’s impact on your analytics data.
What you’ll want to avoid is a solution that requires you to build your cookie consent banners. There are dozens of different jurisdictions with their own required language, design constraints, disclosure needs, and other requirements for a cookie consent banner. Obviously, developing and implementing all these individual banners is a time-consuming process, especially since the privacy landscape is changing all the time, and you’ll need to update different jurisdictions' banners accordingly.
If you’re working with a legal department or a data privacy professional, they might be inclined to implement a General Data Protection Regulation (GDPR) banner across the board. It’s the most comprehensive regulation, and a banner that meets its requirements will likely meet the requirements of other jurisdictions.
That’s great for the legal department, but not so great for you. Visitors are used to interacting with the banner relevant to their local regulations, so being confronted with a needlessly complicated banner might discourage them from consenting to sharing their data.
So, the biggest thing you can do to ensure you have access to a robust data set for analytics purposes is to make sure your privacy solution manages cookie consent banners globally.
Your vendor should serve up compliant banners for each jurisdiction, ensuring users only interact with the relevant banner that they’re familiar with. This feature alone will go a long way toward minimizing the impact that asking for consent has on your analytics.
For the unfamiliar, tags are code segments provided by external parties (such as analytics and marketing vendors) that integrate their products into your website, including cookies.
If you use tracking cookies, then you use tags, and you most likely use a tag management system, like Google Tag Manager (GTM). GTM helps website owners identify which tags are active, define what conditions should cause individual tags to trigger, and manage other tag-related tasks.
Often, data privacy software needs to be integrated with GTM or your alternative tag management system. As users accept or decline analytics, marketing, and/or personalization cookies, your privacy software needs to interact with those GTM triggers to signal whether the tag should fire or not — and therefore, whether a cookie is dropped on the users’ browser or not.
But given the fact that the average enterprise website has anywhere between 50 and 150 third-party tags, the actual work of integrating a privacy software solution with GTM can be time-consuming. Afterward, you’ll need to engage in ongoing maintenance as the tags and cookies you use on your website change. Basically, any new tool or script you want to implement on your website will require tweaking on the back end.
Fortunately, there is an alternative approach to blocking cookies and tags that doesn’t require a GTM integration. The approach taken by the Osano team is to block cookies client-side, in the users’ browser. Rather than live in your website’s backend, telling GTM which tags can fire and which can’t, Osano simply blocks or permits cookies based on classification rules without interacting with GTM at all. GTM can still do its job; but if one of its tags attempts to drop a forbidden cookie, Osano simply blocks the cookie. As a result, there’s far less integration and maintenance work required.
(We should note that some may still want to integrate Osano with GTM for a variety of reasons; we made sure that is still possible with Osano.)
When most websites load instantaneously, a few extra seconds of delay can be very noticeable to your visitors. There’s no shortage of evidence demonstrating that load speed matters to website visitors. For example:
It can be difficult to assess how much of an impact a given solution will have on your site in advance, but there are steps you can take.
During the evaluation process, you can ask the vendor representative what impact their solution typically has on Google Lighthouse scores. Lighthouse is an open-source tool administered by Google that you can use to assess a variety of metrics for a given website, including load speed.
While a knowledgeable vendor representative will be able to either give you or find an answer, you can also take advantage of any free trial periods to contrast your website’s performance prior to implementing data privacy software with its performance afterward. If there’s a large drop in performance and/or if it differs significantly from what you were promised during the sales process, it may be worth evaluating other solutions.
While cookie consent management tends to receive all the attention, making your website compliant with data privacy regulations also means providing users with a means of making a DSAR, or data subject access request.
Under a DSAR, a user may request to see what data your organization has on them, request a correction, ask for that data to be deleted, and more. The challenge lies in finding the relevant data, not exposing other users’ data in the process, and executing on the DSAR as required by data privacy regulation.
Often, there isn’t a person dedicated to handling DSARs at a company. Especially in organizations without a privacy professional, DSARs are often handled by whoever is in charge of the website — which is usually the marketing department.
You’ll want to ensure your data privacy software features an automated and repeatable DSAR process so you can comply and do your actual job.
Since cookie compliance is such a focus, it can be easy to evaluate solutions solely based on their ability to secure and manage user consent. But data privacy software goes beyond cookie consent; it should be focused on compliance in a holistic way. Make sure the solution you evaluate also makes complying with other aspects of data privacy regulation (like DSARs) easy and painless.
It can be tempting to think of data privacy compliance as just a box to check off, but doing so could leave you saddled with a clunky solution that interferes with your ability to market your organization.
That’s exactly what happened to Mailgun’s Head of Growth Marketing. They had let their legal and developer team handle vendor selection and wound up with a data privacy solution that was a non-starter for their marketing department. After struggling to get their old solution implemented, they shifted gears and began re-evaluating solutions — this time, with the awareness that marketing was an important stakeholder to include. The result? They chose Osano.
You can read more about Mailgun’s data privacy journey here. Or, if you’d rather kick off the evaluation process yourself, feel free to get in touch with us to schedule a short demo of the Osano consent management platform.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”