Our Marketing Blog

Our industry is ever-changing. Get insights and perspective from our experts as we share our knowledge and experience on how to successfully navigate the marketing landscape.

Lee Springer

Recent Posts:

CCPA Compliance Tips For Brands

Recently the Attorney General of California (Rob Bonta) announced that Sephora had reached a settlement with the state for continued violation of tenets of the California Consumer Privacy Act (CCPA). According to the settlement, Sephora had been notified of its violations and was unable to address and/or correct them within 30 days of notice, which forced the state to sanction the brand via financial penalties in the amount of $1.2M.

Brands have been struggling to bring marketing and information technology stacks into compliance with modern data and privacy regulations issued by various world governments (e.g. CCPA, GDPR), hoping that regulatory auditors would be lenient and/or forgiving. California has clearly stated that it is no longer taking the issue lightly and has given fair notice to businesses and data processors to comply. The South Korean Personal Information Protection Commission (PIPC) has also started cracking down on brands and recently issued over $71M in fines to Google and Meta (Facebook) for using improperly gathered data to personalize advertisements. The European Union GDPR authorities also continue to hand out very sizable fines to businesses misusing user data and user consent.

While it can be a very challenging task to contend with strict and ever-changing regulations, the problem can be broken down into workable units (especially while partnering with consultants such as AMP Agency). Where possible it’s easiest to adhere to the most limiting regulation your brand is subject to so that there is no need to maintain or defend multiple workflows based on customer residence or other criteria.

Some helpful guidelines regarding the gathering and maintenance of consumer marketing consent:

- Leave nothing to chance, spell out exactly what you are doing with the data
  - Consent language must be clear and easily understood
  - Consent must be freely given, no deception or coercion
- Consent is a one-time non-editable event
  - You cannot change consent without asking
  - You cannot change refusal of consent
  - You can ask for new consent or different consent
- Consent must be a positive action
  - Must be a click or checkbox … “Yes, I agree” or an actual signature
  - Absence of action is not consent
- You are generally allowed to send non-consensual communications when they are specific to:
  - A transaction that requires confirmation or notice such as an eCommerce order notification
  - A communication that is required as means to complete a contractual obligation on part of the user or organization
  - A communication that is required by a specific membership or operational model where said model is clearly stated in a terms of service (e.g. operational emails to a franchise owner, delivery of a digital magazine subscription)

As part of a Marketing Organization you need to be able to answer these questions:

- Is the organization capturing personally identifiable information such as name, address, birthday, gender, photographs, phone numbers, email addresses, IP addresses (this list is not exhaustive)?
- Is the organization capturing financial data, biometric data, genetic data, or any data regarding a user’s physical health?
- What kinds of data processing or models are already being performed?
- What are the current and anticipated use cases for processing user data?
- How long do you intend to hold the data?
- Do you have existing consents for user data?
- Can you provide a record of active consents?
- How was user consent to capture and process data collected?
- How does the organization flag and handle a user’s withdrawal of consent?

A simplified action plan/checklist you can use to plan your adherence to regulatory guidelines:

- Audit your existing data and vendors
  - Look across all systems and integrations
  - Your vendors’ liabilities are your liabilities!
- Document how the data is being used
  - How, where, when, and why
- Update your policies and procedures
  - Make sure the data is secure and exposed only on a “need to know” basis
  - Make sure there is a data breach policy
  - Make sure there is a listed contact in data policies such as a Chief Data Officer, including various methods of contact
- Build mechanisms to capture clear consent
  - Where possible turn on Double Opt-In policies
  - Update the Terms of Service where applicable
  - Deploy Web Forms with clear notices and positive consent action items (e.g. user checks checkbox)
  - Build a subscription preferences page and make sure communications adhere to it
  - Add cookie/tracking pixel disclaimers where applicable
- Regather user consent whenever the data is unclear
- Respect consent and preferences
  - Use Opt-out and exclusion lists
  - Make sure segments contain proper audiences
- Provide a means to update and/or revoke consent
  - Provide useful content options in a preferences center
  - Send unsubscribe confirmations
- Make sure consent is always a positive action
  - Click, checkbox, signature
- Make sure you have policies to handle customer data requests
  - Right to be forgotten (deleted from all systems)
  - Right to full disclosure (data record report from across all systems)
- Remove anything broken or out of compliance
- Implement all of your new best practices into all your future campaigns
  - Always remember consent is key!
  - Always remember consent is revocable!
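
The consent rules in this post (consent as a non-editable event, positive action only, revocable, with a record you can produce on request) map naturally onto an append-only ledger. The sketch below is an added example, not code from the original post; the class, field names and sample users are hypothetical, and erasure requests are outside its scope.

```javascript
// Added example: append-only consent ledger. All names are hypothetical.
const POSITIVE_ACTIONS = ["click", "checkbox", "signature"];
class ConsentLedger {
  #events = []; // events are appended, never edited

  // A grant needs an explicit user act; absence of action is not consent.
  record({ userId, purpose, granted, action, noticeText, at }) {
    if (granted && !POSITIVE_ACTIONS.includes(action)) {
      throw new Error("consent must be a positive action");
    }
    if (!noticeText) throw new Error("store the exact language shown to the user");
    const event = Object.freeze({ userId, purpose, granted, action, noticeText, at });
    this.#events.push(event);
    return event;
  }

  // Withdrawal is a new event; the earlier grant stays on record.
  withdraw(userId, purpose, at) {
    return this.record({ userId, purpose, granted: false, action: "click",
      noticeText: "unsubscribe", at });
  }

  // The latest event per user and purpose decides; no event means no consent.
  hasConsent(userId, purpose) {
    const last = this.#events
      .filter((e) => e.userId === userId && e.purpose === purpose)
      .pop();
    return Boolean(last && last.granted);
  }

  // Record of consents for one user, for an audit or disclosure request.
  history(userId) {
    return this.#events.filter((e) => e.userId === userId);
  }

  // Exclusion step: keep only segment members with active consent.
  filterSegment(userIds, purpose) {
    return userIds.filter((id) => this.hasConsent(id, purpose));
  }
}

// Constructed sample data: u1 opts in, u2 opts in then withdraws, u3 never acted.
function demoSegment() {
  const ledger = new ConsentLedger();
  const grant = { purpose: "email", granted: true, noticeText: "Yes, I agree to receive marketing email" };
  ledger.record({ ...grant, userId: "u1", action: "checkbox", at: "2022-09-01" });
  ledger.record({ ...grant, userId: "u2", action: "click", at: "2022-09-02" });
  ledger.withdraw("u2", "email", "2022-09-05");
  return { ledger, segment: ledger.filterSegment(["u1", "u2", "u3"], "email") };
}
```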

App Tracking Transparency & Intelligent Tracking Prevention

Apple is aggressively pursuing end-user privacy improvements and marketing them as positive enhancements to its users. At Apple’s 2021 Worldwide Developers Conference (WWDC21) the company announced several new privacy enhancements to the default applications and services within MacOS, iOS, iPadOS, and WatchOS. As with recent proposed changes to iOS 14 and the App Store marketplace, the new enhancements are designed to provide transparency to end users about the ways in which they are tracked online and provide options to opt out of tracking altogether. This will primarily take the form of increased notification popups prompting users to grant or deny permission for the reporting of behaviors and activities from within applications, emails, and websites. “[The changes] will arrive as part of the fall software update to iOS 15, iPadOS 15, MacOS Monterey and iCloud.com.” At the moment these OS updates appear to be scheduled for release in September of 2021.

As with the recent announcements by various providers to move to a cookie-less web in the near future, the changes Apple is introducing into its ecosystem are a clear indication that brands will need to take a thorough look at their marketing data collection procedures and usage of 3rd party services and trackers. Investments into 1st party data collection, server side analytics, and native in-app tracking events will help mitigate current and future marketing changes due to a rapidly evolving focus on user data privacy.

App Tracking Transparency (ATT)

Starting with iOS 14.5 app developers must disclose tracking to the end-user and “ask users for their permission to track them across apps and websites owned by other companies” (see User Privacy and Data Use - App Store). This change led to a precipitous drop-off in opt-ins with nearly 80% of the iOS 14.5+ user base choosing to decline participation in 3rd party tracking within apps.
This is compounded by the iOS 14.5 adoption rate with 90% of devices released in the last 4 years running on iOS 14 and 85% of all iOS devices running iOS 14.

iOS 15 will now also include the ability for users to run a privacy report to review “how often each app has used the permission they’ve previously granted to access their location, photos, camera, microphone, and contacts during the past seven days” and make changes as they see fit. Given the iOS 14 adoption metrics it can be presumed that the majority of iOS devices will update to iOS 15.

Intelligent Tracking Prevention (ITP)

Intelligent Tracking Prevention has been included in Safari web browser versions going back to 2017 and was originally built to protect unsuspecting end-users from agents that were surreptitiously collecting data and inputs from browser sessions. The agents targeted were primarily spyware, malware, or other scripts built for nefarious uses such as identity theft. Over time, ITP has evolved to also provide tracking protections from a much broader set of legitimate 3rd party tracking cookies and pixels. Similar to ATT, the intention of ITP is to provide web users with transparency into how, when, and by whom their browsing activities are tracked. ITP has the potential to prevent 3rd party tracking cookies and even analytics events (such as Google Analytics) from properly reporting activities or attributing activities to a unique user id. Although Safari does not make up a large market share of browser sessions, this may skew web analytics and events negatively.

Safari 15 will be included in the rollout of iOS 15, iPadOS 15, and MacOS Monterey with some minor updates to ITP 2.3 such as blocking agents from recording a user’s IP address. The lack of IP availability makes it much more difficult to stitch together user profiles from other data sources and will have an impact on marketing activities such as retargeting.

Apple is now also including ITP in other default applications, with the biggest impact being the inclusion of ITP into Apple Mail. This inclusion in Apple Mail is significant to both MacOS and iOS devices as it will potentially prevent tracking pixels contained within HTML emails from loading, severely impacting email open and click metrics. This is especially concerning as the Apple Mail app in iOS currently makes up 38.9% of total email client market share. Desktop Apple Mail makes up 11.5% of market share, for a total impact of potentially 50% of all users sent marketing emails not reporting basic email metric information.

Link decoration has been a common workaround to some of the challenges that ITP has presented, wherein data is included in the URL query string of links that can be detected and read on the target server. Another approach is to pass links through a proxy service that tracks clicks and attribution before redirecting to the intended destination. This allows 3rd party services to exchange information about a user with each other without cookies or database connections. Common examples of link decoration include Google UTM parameters for GA attribution or Facebook Client IDs for FB conversion pixels. Link decoration detection and suppression have been part of ITP since version 2.2, and its inclusion in Apple Mail makes tracking pixel workarounds within emails incredibly difficult and not worthwhile.

In addition, as a result of these changes to cookie policy in ITP, all Safari client cookies not set explicitly with a “Set-Cookie” HTTP header will expire in one day. On subsequent visits outside the initial 1-day timeframe, the user would be tracked as a new visitor. These non-explicit cookies are typically assigned from JavaScript snippets using the “document.cookie” method. The forced expiration of cookie trackers especially affects tracking of anonymous visitors who have not been identified to the app/web-site via a 1st party login mechanism.
The forced expiration of cookies in this manner makes it harder to track full user journeys as there are no easy solutions to link customer touch-points.

iCloud Plus: Hide My Email & Private Relay

Apple has also updated iCloud with a new iCloud Plus subscription option that includes two new privacy features: Hide My Email and Private Relay.

Hide My Email allows the user to generate a one-off alias email address for use in marketing forms as a means to protect the user’s true email address; Apple places no limit on the number of aliases a user may have in use. Since the user will potentially sign up with multiple email aliases across different services, it removes a key piece of personal information used in data stitching across various data sources.

Private Relay is effectively an Apple provided VPN service that uses a double blind strategy to ensure that the user’s web activities are hidden from their ISP and Apple. With Private Relay in effect there will be no ability for IP tracking to occur in any browser or application while the user is connected.

Since iCloud Plus is a paid subscription service it is unclear what the adoption rate may be across Apple devices, but it can be estimated, based on reported subscriptions across other Apple services, to be in the 100M+ market share.

In Summary

- Transparency and notification to end-users of 3rd party tracking has become a de-facto standard within the Apple ecosystem
- Users who are provided notification and opt-in/opt-out decision buttons choose to opt out the majority of the time, as has been shown with iOS ATT notifications
- Primary keys such as email address and IP address are increasingly being obfuscated on Apple devices, making user data augmentation and stitching of customer profiles increasingly difficult
- ITP is targeting workaround mechanisms such as link decoration, proxy servers, unique user ID (UUID) assignments, and social media buttons to prevent unintentional data sharing from end-users, which is making conversion and attribution tracking increasingly difficult from Apple devices and browsers
- Inclusion of ITP into Apple mail clients may severely impact basic email metric reporting and any downstream campaign logic or optimizations built on basic email KPIs (e.g. open email triggers next campaign step)
- Continued evolution of privacy evaluations and criteria in ITP may impact conversion tracking, attribution, and basic web metric reporting from Safari based browsers
- Any easy technical workarounds to ITP are likely to be suppressed in future ITP updates, as has been shown in ITP development history so far
- Owned technologies and platform solutions are very resource intensive but provide brands a more future-proof solution in an evolving privacy landscape

Conclusion

With all of the proposed privacy changes to the Apple ecosystem as well as changes in the broader Internet software market, it is becoming increasingly key for brands to own and architect their own data collection mechanisms as a means to ensure meaningful marketing signals are still accessible.
Efforts should be made across several workstreams:

- Increase 1st party data collection through owned channels so that key identifiers such as email, name, contact information are collected
  - Drive collection via compelling content
    - Exclusive promos
    - Exclusive content
    - Unique offers or forms of loyalty programs
    - Rotating editorial content
    - Exemplary service such as concierge services
  - Foster 2-way conversations
  - Store data in owned data warehouses or data lakes
- Increase conversion of anonymous users to registered users to enable deeper behavioral tracking and prevent ITP and VPN blockage of key metrics by utilizing identifiable 1st party app sessions (cookies)
- Reduce reliance on 3rd party vendors and service providers including
  - Data brokers (list buys)
  - SaaS analytics
  - Data insights augmented with non 1st party data
  - Channel attribution from 3rd party mechanisms such as query string links (see below)
  - Social media login mechanisms that don’t generate a local session
- Where possible implement owned server side analytics to track key events and ensure continued capture of behaviors that enable marketing segmentation
  - Key app events (both web and mobile)
  - Key page/screen views
  - Registrations and logins
- Evaluate experiments, optimizations or smart campaign flows that rely on open and click email metrics for potential impact
  - Drip campaigns are of particular concern
- Evaluate usage of attribution or other data sharing through URL query string parameters or proxy domains (such as link shortening services)
  - These are potentially impacted by ITP
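
For the last workstream, evaluating query string parameters and proxy domains, a small audit over a campaign's links shows where decoration and third-party hops are in use. This is an added example, not code from the original post; the function names, hosts and sample links are constructed, and the parameter list (the Google UTM set plus the `fbclid` and `gclid` click identifiers) is an assumption to adapt to your own stack.

```javascript
// Added example: audit campaign links for decoration and off-domain hops.
// Hypothetical names throughout. The parameter list is an assumption: the
// Google UTM set plus the fbclid and gclid click identifiers.
const DECORATION_PARAMS = [/^utm_/i, /^fbclid$/i, /^gclid$/i];

function auditLink(href, ownHosts) {
  const url = new URL(href);
  const params = [];
  // Copy the key names first so deleting while looping is safe.
  for (const name of new Set(url.searchParams.keys())) {
    if (DECORATION_PARAMS.some((re) => re.test(name))) {
      params.push(name);
      url.searchParams.delete(name); // drops every value under this name
    }
  }
  return {
    href,
    params, // decoration found in the query string
    offDomain: !ownHosts.includes(url.hostname), // shortener, proxy or other third party
    clean: url.toString(), // the same link without decoration
  };
}

function auditLinks(hrefs, ownHosts) {
  const report = hrefs.map((href) => auditLink(href, ownHosts));
  return {
    report,
    decorated: report.filter((r) => r.params.length > 0).length,
    offDomain: report.filter((r) => r.offDomain).length,
  };
}

// Constructed sample: links as they might appear in one email template.
const SAMPLE_LINKS = [
  "https://shop.example/sale?sku=42&utm_source=newsletter&utm_campaign=fall",
  "https://lnk.example/r/abc123",
  "https://shop.example/account",
  "https://shop.example/p/7?fbclid=constructed-value",
];

function demoAudit() {
  return auditLinks(SAMPLE_LINKS, ["shop.example"]);
}
```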
