With new and changing laws focused on the protection of consumers’ data, it is a significant challenge for marketers to not only stay informed, but adapt their technologies, data practices, and loyalty strategies to comply with existing and proposed legislation. While these laws are intended to have consumers’ best interests in mind, marketers know the importance of data and its ability to serve personalized experiences, offers, and rewards to better serve their audience.

For perspective on evolving data, privacy, and security best practices, Loyalty360 spoke with supplier members for a deep dive into data and privacy best practices on adapting to new laws and regulations, and potential impacts for customer loyalty.

Advising Clients on New Data Regulations through Direct Opt-In
Over the recent years, brands have been faced with changing data and privacy regulations in California (CCPA) and the EU (GDPR), and now those restrictions are going into effect in Virginia (VCDPA) and Colorado (CPA). While some brands needed to embrace data and privacy legislation earlier than others, the topic has been – and remains – top of mind for marketers worldwide. However, many brands still wonder where to start or have trouble determining the best (or fastest) way to ensure they comply with privacy regulations.

Tim Glomb of Cheetah Digital says, “The fastest way to comply with privacy regulation is to have a direct and explicit opt in directly with the consumer. That means getting a zero-party data opt in that doesn’t put someone like Facebook, Google or another party in between both of you.”

Brierley advises clients on the key components of the legislation, required timing for compliance, and risks for non-compliance.  Much of this information was used as a springboard for clients to loop in their legal teams to ensure corporate compliance and make necessary changes to privacy policies/terms & conditions.  The company guided both necessary technical changes and changes to the collection and management of customer data that would both accommodate legislation and maintain the integrity of program reporting, ultimately spearheading projects for the implementation of the changes.

Glomb adds, “For compliance and being able to allow a consumer to make changes to your permissions on certain parts of their data, that takes technology. Your CDP needs to be a true CDP and ideally have compliance features baked in. Adding -party software to manage compliance and consumer requests is still nascent, but companies like Qonsent.com are solving this problem.”

Elisabeth Keller, Chief Client Officer, at Brierley says, “On an ongoing basis, we constantly monitor news of privacy law changes and work closely with our legal counsel to understand upcoming changes and potential ramifications to how our clients manage their customer data and by extension how we manage their data.  As new regulations are enacted, we recommend necessary technical and data management changes- driving implementation by deadlines.”

Technology Evolves with Privacy Concerns
With many marketers leveraging third-party platforms to store customer data, or leverage customer information to manage loyalty/reward programs and strategies, supplier partners have had to pivot as well – adapting their platforms to meet marketers’ needs.

At Iris Powered By Generali, its chief responsibility is to protect the identities of end users.

“We need to exceed expectations when it comes to using our clients’ data,” says Eugenia Blackstone, Iris Powered By Generali “Even more challenging, most of our clients rely on us a B2B2BC solution so not only do we need to process end user information but store and manage it for use by our security partners who are traversing the dark web to locate breached information. This requires a real commitment not only to cryptography and modern use of technology but also to people and processes committed to its appropriate use. For us, the challenge is 24/7, and we are constantly making improvements to our technology, process, and planning.”

Brierley’s LoyaltyOnDemand platform was designed with data privacy in mind and the principles of GDPR/CCPA were incorporated straight “out of the box.” The individual’s right to be informed of any data held, to be forgotten, or to opt out is built into the product and easily configured to ensure clients are managing their customers’ data in alignment with privacy legislation. 

For data security, the classification of personal information is configurable per client. Those member attributes are thereafter encryption and included in data subject access and the right to be forgotten requests.

Says Cassie Preston, Director of Client Services, CRM & Loyalty, at Baesman, “We act as stewards of customer data our clients choose to share with us in the pursuit of better understanding what their customers want. The same way customers trust our clients with the information they provide, our clients trust us.”

Cheetah Digital’s Customer Engagement Platform puts the customer at the center of its solutions. The company tracks, processes and purges, in real-time, any new customer data as well as any signals restricting use of any given individual’s personal data. 

Says Glomb, “You can feed in new data or compliance signals via batch, streaming or even manually if needed. But our real-time engine processes huge volumes of data needs for brands such as Starbucks, who has some of the most intense personalization and real-time data needs as an enterprise global brand.”

As Brierley brings clients on or as clients expand to new regions or areas, it also advises on data hosting based on residency requirements and export restrictions under data/privacy laws; helping customers understand where data should be hosted as well as considerations for data transfer across borders.

Multiple Laws Do Not Necessarily Mean Multiple Programs
When brands operate in multiple regions with differing privacy laws, developing a cohesive loyalty program across all channels becomes increasingly challenging. With varying requirements from country to country, privacy regulations can quickly become a major headache for marketers. However, how should brands best prepare themselves now for additional, or potential, legislation coming down the road, especially in the United States?

Cheetah Digital suggests a top-line umbrella approach, especially as more states look to enact legislation. Glomb elaborates, saying, “Figuring it out across all brands early on means you can scale and add other data restrictions (state level or other) quickly. Making the investment now will pay off as more legislation is imminent.”

Elizabeth Keller, Brierley says, “The short answer is that yes, companies should prepare all their brands to follow the same data/privacy standards across the board.” 

With the ever-increasing focus on data privacy, brands can expect more legislative activities in the future including a future U.S. federal data privacy law.  Bearing this in mind, it is a good practice to be consistent across brands and business units, with all brands following the principles outlined in GDPR / CCPA regardless of whether their sales area operates within a state or region impacted by new data and privacy regulations.

As new legislation will be forthcoming, adopting these principles proactively will help ensure that clients have the necessary protocols in place for the management of data under the privacy legislation.

Iris Powered By Generali pursues a universal standard for all customers, whether they reside within the United States or abroad.

Blackstone explains, “The standard we pursue is GPDR and our reasoning is that not only is it a requirement for us to do business in Europe, but it is in large part copied by many other laws and regulations that are popping up throughout the United States and around the globe.”

Because GPDR is perceived as the gold standard and many seek to replicate it, it has significantly eased the overall burden of understanding and complying with all other acts (and these other acts frequently publish guidance on how they compare to that standard). If it will not imperil the company’s overall operations, Iris Powered By Generali recommends brands make the commitment to a standard that is universally accepted where they do business and develop a plan on how to best integrate it into their overall business plan. This approach will not only ensure they are aligned with that standard but pays big dividends with consumers who are demanding more and more that they take these privacy standards into account.
 
The Impact of Privacy on Personalization
 
Supplier members stress that collecting zero-party data is key to maintaining personalization efforts in customer loyalty programs with the new data and privacy regulations.

Antavo believes privacy regulations had an indirect effect on personalization efforts. Attila Kecsmar  explains, “Data is the crux of relevancy: to give personalized rewards and offers, first you need to know what your customers like and dislike. Luckily, privacy laws and the restrictions for third-party collections haven’t meant the end of the world for companies: they just need to put more emphasis on zero- and first-party data. As for how to do it, loyalty programs are both the solution and the incentive. They can reward a wide variety of data collection methods, such as surveys, so that customers have a vested interest in answering. Moreover, loyalty programs themselves are a source of information. For instance, customers within the highest tier are a segment themselves.”

Tim Glomb, Cheetah Digital, minces no words when he states, “The brands that are buying, selling or bartering with data brokers are screwed, sorry to say.”

At Baesman, the company believes privacy regulations illuminate an opportunity to establish a feedback loop for customers, so they can tell brands how they want to be engaged.

“What’s better than hearing from the customer directly on what, when, and how they want to engage?” poses Cassie Preston, Baesman. “It’s an opportunity to build trust with your customers and through that earned trust, personalize how they experience your brand to build a deeper connection and we are energized by that prospect.”

The sentiment holds true at Brierley, where its team believes loyalty programs establish a connection with customers and serve as a powerful tool for collecting robust zero- and first-party data which allow brands to know their customers and create direct and personally relevant customer connections and interactions across touchpoints.

Through loyalty programs, there is an inherent value exchange – customers are sharing their data, a valuable and personal asset, with the understanding that they are receiving benefits from joining the program and trusting that the brand will protect the data and use it in positive, personally meaningful ways.

Says Blackstone, “We have some significant challenges when it comes to managing personalization across our organization. Whether it be within our marketing team, customer support group or within our customer product line, we all have to be sensitive to the fact that they must be focused on how they collect, store, and use personal information (and make sure our clients and end users are aware of how they are using it).”

Preston says it’s more important than ever for brands to be transparent with customers about how their data will be used, from the point of collection, all the way through to ongoing touch points that enable a customer to stay informed by a trusted source - the brand to which they’ve subscribed. And it’s important for brands to advocate for their customer’s rights by letting them know what they are as it relates to their own personal data and how it’s utilized.

Brierley adds that accuracy in the use of data is critically important.  Brands must ensure that personalized data is delivered correctly – i.e., if member data such as name, point values, etc. is being used, it is imperative to ensure that the data is delivered correctly to the right member.

Baesman agrees, stating that privacy regulation continues to remind companies the importance of being good stewards about how to use customer data: Provide personalized experiences that benefit the customer’s unique relationship with the brand and being willing to remind their customer how much it values their loyalty, and empower customers to take their data privacy seriously to create a win-win engagement for both the brand and the customer.    
 
Compliance and Customer Experience is a Balancing Act
Balancing compliance and customer experience goes back to a value exchange and transparency. According to Cheetah Digital, brands build relationships when they come right out and make an offer (maybe a discount) in exchange for a piece of personal data (maybe their favorite hobby) and the right to use it to personalize messages, ads and offers. 

Brierley likens the balance of customer experience to personalization efforts, stating that loyalty provides the foundation for an amazing customer experience.  Customers who are members of loyalty programs expect to be recognized and receive a seemingly bespoke experience – this is part of the value exchange in joining the program – sharing data for the benefits of a personal and relevant experience.

Adds Graeme Cook, Senior Security Administrator, Brierley,Of course, brands need to ensure they are compliant with regulations, but should not become so risk-averse that they shy away from any level of personalized customer experience.”

Compliance, data privacy and information security always take priority at Antavo. When it comes to balancing with the customer experience, there’s not much room for compromise. Antavo suggest brands ask for compliance in a non-intrusive manner, or use visually engaging and witty surveys for collecting zero-party data.
Glomb explains it this way, “The ‘give to get’ transaction approach in marketing is no different than asking a new friend what they like for dinner so you can invite them over for a great experience that aligns with their taste. It’s human nature to ask, receive and reciprocate with a personalized experience.”

For Iris, successful strategies often start by having open discussions within the organization on the subject of privacy and pushing everyone to know that the entire team is responsible for protecting the privacy of the customers.

“To understand how to seek a balance between compliance and experience starts with a plan, then an audit, then active discussions across all groups on what is required and finally, frequently reviewing your overall progress,” says Blackstone. “The key here should always be to encourage all within the organization to ask themselves this question - Do I really need to use this information in this way and what am I doing to help ensure the data is protected?”

Breaking Down Compliance into Steps
Brands may find it overwhelming to comply with emerging data and privacy regulations all at once. Supplier partners can help by breaking down the strategies into easy-to-implement steps.

Antavo suggests companies keep a close tab on the legal and privacy situation of all the regions they are conducting business in. For this, brands should fill the role of Data Protection Officer as soon as possible, as they’ll be responsible for monitoring it, as well as helping the company adapt to any changes to privacy regulations.

Cheetah Digital proposes companies find a platform that has the features needed to stay compliant and give consumers options to manage their data. Not only stay compliant, but pivot hard to a zero-party data collection strategy that keeps record of not only an individual’s favorite flavor, color or hobby, but can also activate it for personalization in email, SMS, web messaging and other channels, including advertising.

Adds Glomb, “Make sure you are recognizing consumer/customer actions and give them value for those actions. If you strive to build relationships directly with your audience and provide value, they will reward you with the ability to use their data to keep those experiences unique and personal.”

Brierley breaks it down as follows, saying brands should:

  • Understand key elements of the legislation
  • Implement data management protocols to fulfill the requirements of the legislation
  • Act upon customer requests appropriately
  • Ensure accuracy of personal data used in communication, experience, and offers
  • Monitor news of upcoming legislation
 
Cassie Preston, Director of Client Services, CRM & Loyalty, Baesman, offers a similar approach, stating:
  • Hygiene your data - know how your audience opted in, what disclosures they saw when they did and what they’ve heard from you since regarding terms and conditions and privacy.
  • Personalize responsibly. Deliver a personalized experience by keeping the feedback loop with your customers open and using customer data in a way that’s meaningful for them. This goes beyond reminding them of their first name in your email subject lines!
  • Build always on mechanisms for collecting customer preferences and allow customers to have access to preference management any time they want - not just when they click unsubscribe.  Marketing technology investments like building a communication preference capture method can prove difficult and sometimes be costly but are often worth it to build customer trust. 
  • Dedicate a touch point to reminding customers you care about them and their privacy, and to share how the recent privacy legislation impacts their engagement with your specific brand. You’re a trusted source of information if a customer is subscribed to receive communications from you and this gesture may do a lot to further that connection.

Recent Content