Most companies don’t really know where they stand – they don’t have consent rates as a key performance indicator. They have just been focused on getting people in through the doors.
One thing is clear – the balance of power in data is shifting. Where once organisations could rely on permission to use personal information, consumers are increasingly expecting to exercise more control. While that does not yet mean providing consent for each and every type or occasion of use, it does mean having access to controls to change permission if desired.
This is likely to be enshrined in law under the proposals in the Data Protection Regulation, together with other changes that will further this power shift. That is why gaining a better understanding of what consent means to consumers and how it can be gained and managed right now will pay dividends.
Fortunately, this year has seen the single biggest exercise in consumer education around data usage and data protection. Cookies may have been around for as long as there have been web browsers, but it took the ePrivacy Directive in 2011 and enforcement in 2012 (in the UK at least) to put them in the foreground. As a result, consumers have been seeing notices and links to further information which can only have raised their awareness of why companies collect data.
As one source in a major financial services brand points out, “companies that have done particularly well and gained cookies acceptance all use boxes across the bottom of the page.” That ensures website visitors have a change to see privacy notices and make a choice, although the source adds, “I don’t think many people take the time to go through them all.”
While it is clear that awareness of cookies is now at an all-time high, it is also debatable whether the consent being given is genuinely informed. “The jury is still out on that one,” opines the financial services marketer. What the industry can claim unreservedly is that it is making every effort to comply with the law.
If consumers choose not to fulfill their side of the bargain by reading the information provided, that has to be considered their responsibility. “It ticks the box from a legal perspective, but whether it does so from an ethical perspective? That is still to be seen,” he says.
Cookies notices should be seen as a dry run for the much bigger exercise in winning consent that is likely to be required from 2014 onwards. If every consumer has to provide clear, explicit consent to their data being used for marketing, then all of the data currently held might be ruled unusable since it does not carry this level of permission.
“I have been talking to our lawyers about the data we hold and asking if we could use it. It is fascinating, because the lawyers say we can’t use it for analysis if we haven’t got permission to use it for marketing,” says the source. The new regulations have proposed a separate, specific consent requirement for profiling (although this may yet get amended) which would bring to the fore a formerly backroom use of data in the same way as cookies notices have done.
There is a real question as to whether requiring consent for profiling is for or against the consumer interest, since in marketing it is only used to filter communications and make them more relevant. That is an evident benefit to individuals with no real downside.
When it comes to pricing, the argument is more nuanced, with regulators concerned that individuals do not suffer any material impact on their lives from automated decisions made without human intervention. That is precisely what algorithms to set prices and premiums according to risk or demographic profile are intended to do. Telling the consumer this happens could seriously spook the marketplace without creating any real advances in consumer protection.
“When you look at an organisation like ours, it doesn’t take any pricing decisions, it is all done by algorithm. That is why prices change,” notes the financial services source. Across a global business with multiple products, each segmenting their marketplace and adjusting prices accordingly, the need for profiling consent would have a serious impact. “We can only hope the relationship with the customer means they will give that permission and also help us to keep their data clean,” he says.
It is not just commercial organisations that need to understand the rules and boundaries of this data exchange. Policy makers and politicians have to find the right balance between consumer concerns, business needs and ethical priorities. It is the job of governments after all to make choices which are sometimes unpopular or appear ahead of public opinion.
That is one reason for the recent white paper produced by think-tank Demos, “The Data Dialogue”, written by Jamie Bartlett and drawing on consumer research by O2 and Populus (see box). “None of the potential gains of the information revolution can be realised unless people are at the heart of any new settlement,” he writes.
“Finding the right balance between guaranteeing the economic and social benefits of information sharing and ensuring consumer concerns are respected requires a sophisticated understanding of what people know and think about the subject. Knowing where the public stands, therefore, is vital to companies and policymakers,” writes Bartlett.
At the heart of this settlement has to be transparency about where and when data is captured and for what purpose. This may be one of the original eight principles of the UK’s Data Protection Act, but technological developments have expanded activities way beyond its original conception.
So the research revealed that 85% of consumers know their online purchasing history data is collected and used – this is made highly transparent through uses like the Amazon product recommendation engine, for example. Tesco Clubcard has had a similar effect on awareness, with 81% of consumers aware of supermarket loyalty schemes. Even some of the newer uses have been noticed, with 67% aware of Gmail-based advertising.
Awareness does not necessarily translate into acceptance, with Demos claiming a “crisis of confidence” among consumers. It found that only 27% are comfortable with their behaviour data being used by Tesco Clubcard – remarkably low given the billions of pounds in rewards claimed by shoppers from that scheme. And when it comes to Google scanning the content of Gmail in order to insert contextual ads, just 10% of consumers are happy that this happens.
Bartlett’s conclusion is that, “data and information sovereignty is the next big consumer issue. There is a danger that this loss of confidence will lead to people sharing less information and data, which would have detrimental results for individuals, companies and the economy.”
Part of the solution lies in providing greater control to consumers and a “negotiated concept that changes with technology and culture”. That is appealing to policy makers and regulators, but harder for commercial organisations to implement since they have to build processes and assumptions that are tolerably future-proof.
At the heart of the new age of consent will undoubtedly sit a new generation of data collection procedures and privacy notices. As the DMA’s Data Tracker research has discovered, different wordings can reduce the level of opt-out by up to 30%, proving the importance of testing different concepts.
“It is difficult when you just ask the consumer to look at opt-outs and opt-ins out of context,” says Rosemary Smith, managing director of Opt-4. “One of the critical techniques is the brand tone of voice used in the statements so it doesn’t put people off.” Most consumers are attracted to brands through emotional qualities. When it comes to registering and providing personal data, the exchange shifts into a rational frame. This can create a jarring dissonance, unless that sequence is also warm and appealing (while remaining compliant).
She argues that the data industry needs to urge the European Commission not to use opt-in as the default mechanism for gaining explicit consent from consumers. “There could be a lesson to learn from email where opt-in is applied in the UK in a literal way, although not in other European countries. If you collect data for the purposes of a sale, you can use an opt-in which looks like an opt-out. A lot of brands are doing that,” she says.
This is reassuring because of the familiarity of the mechanism, which should reduce the drop-off by consumers at that point in the engagement. But it is less reassuring when you consider the low proportion of customers on most databases who have a permissioned email address. (Although it is significant that in the latest wave of the DMA’s Data Tracker research, consumers were more likely to offer their email address than a postal address.)
Asking the consumer to enter their email address and using that as the opt-in is another mechanism which generates decent agreement rates. “Whether that will conform to the explicit consent requirement is an open question,” notes Smith.
Apart from new methods of capturing consent and refined data capture notices, organisations will also need to rebuild their data management systems. A requirement of the new Data Protection Regulation will be to record when, where and in what circumstances consent was gained. That may require being able to show what wording was used and will certain involve far more dynamic flagging of permissions within data.
“Too many brands roll everything together, yet we all know there are different levels of consumer objection to each channel,” says Smith. For example, while 79% of consumers do not want to receive outbound telemarketing calls, only 25% object to direct mail. “If you don’t split that out in your database, you lose all channels,” she says.
It is fair to say that this shift will be a major wake-up call for companies. As Smith says, “most don’t really know where they stand – they don’t have consent rates as a key performance indicator. They have just been focused on getting people in through the doors.”
With a lot of marketers looking towards social networks to initiate (and even maintain) relationships with consumers, this could open up an even bigger gap in databases. There is a lot of mis-understanding about what data can be extracted from social and just how legitimate it is to use it for marketing.
While currently a grey area, it seems likely that regulators will soon start to get tough on practices like data scraping. If you doubt this will happen, just consider how European data protection authorities, led by the French regulator CNIL, are going after Google for its unified privacy policy. When one of the biggest digital companies becomes a target like that, it shows that things have got serious.
For consumers, the good news is that data protection is going to become more transparent, controllable and fairer. It will be more obvious why information is being requested, what it is used for and how they can control that. For organisations, the bad news is exactly the same – consumers are gaining more rights and they will want to see them respected. That is what will define the new age of consent.