The Privacy Process Runaround: Do Your Vendors Really Help You Comply?

Brands are being hit with a wave of new rules, thanks to laws like GDPR and CCPA. And they can’t expect sympathy from consumers who suspect them of “surveillance capitalism.” 

The laws differ on some points. But all mandate two things: consumer access to data and consent for data usage, according to Winterberry Group’s new white paper: Marketing’s Privacy Mandate: Navigating A Fragmented Ecosystem of Solutions And Organizational Demands.

Of the firms polled by Winterberry Group and IAB, however, only 14% are well-prepared, while 5% are extremely prepared and 43% are somewhat ready. Another 15% are slightly prepared, and 15% are not prepared at all. 

Part of the confusion stems from the fact that there are 200 vendors offering privacy solutions of varying quality. These tools are designed for different teams within an organization — i.e., legal, privacy and compliance; IT, data management and information security; and marketing and business.



At the same time, providers of other types are leaping into the fray, hoping to grab some of this business -- and they may be adding to the confusion. They include:

  • Email Service Providers (ESPs)
  • Mobile Marketing Platforms
  • Personalization engines
  • Data Management Platforms (DMPs)
  • Customer Data Platforms (CDPs)
  • Marketing Clouds
  • Identity Management Solutions

What does a company need to achieve full compliance? First, ask yourself if your firm has these tools for handling consent:

  • Console/portal — A user-friendly dashboard for managing consent.
  • Consent collection—Banners on websites that help consumers provide — or deny — consent.
  • Content storage and management — This includes documentation and verification of such elements as prompt wording, privacy notice accepted by users and opt-out levels.
  • Mobile SDK for mobile apps
  • Third-party solution integration across cookies, mobile apps and ad solutions. 

Marketers need to “assess their consent management complexity, understand where there are gaps, and determine whether a third-party solution is the most effective way to close the gap,” the study notes.

And if they need outside help, they have to determine whether it should be from a specialist CMP or an existing provider.

Now, ask yourself whether you’re ready to manage subject access requests. Do you have:

  • Portal/front-end — to manage the process
  • Verification and authentication — to confirm identity and location
  • Process management — This covers ticketing requests, including time stamps and locations, and data collection.
  • Review and approve — Often, this will require human approval.
  • Delivery — This isusually in PDF form and usually sent in the manner/channel in which the request was received — i.e., email, web portal, in person.
  • Management and/or coordination of any exercise of rights  As previously outlined, different laws provide consumers with additional rights such as the right of removal, rectification or portability.

Once again, the firm has to decide whether third-party vendors can close the gap, or if existing providers can do it.

Here are some tips from Winterberry Group on how to proceed. We quote:

  • Start by recognizing that privacy is no longer simply the remit of the legal department.
  • Clarify marketing’s role and align with other functions and departments.
  • Learn the landscape and language to earn your seat at the table.
  • Drive the company to evolve. 

These findings are based on interviews with 40 marketing, business, privacy and product leaders. 

Next story loading loading..