Is privacy-centric marketing living up to its promises?
My LinkedIn feed recently brought to my attention a new handbook on privacy-focused marketing. Coming from a reputable industry source, it seemed worth exploring.
Analysis of Practices
Here's what was happening under the hood:
- Landing page: The request for personal information (name & email) to get a content piece about privacy creates an inherent contradiction. A more thoughtful approach would have been to prioritize value demonstration over data collection. The marketer should have asked himself: "What is most important for my business? For my audience? Do I prefer to have some contact info likely to be filled with junk, or demonstrate my authority as a subject matter expert?" Worse, the "handbook" turned out to be a dull marketing pamphlet like we see so often...
Requesting personal information while disseminating content focused on privacy creates a significant contradiction, undermining the value from the outset.
- Terms & Conditions: The use of a third-party lead generator and the potential sharing of data with multiple parties contradicted the very principles of privacy-led marketing. The form T&C linked to a 3rd-party lead generation data-processor (in the EU) instead of being worded from the data-controller perspective (in the US). Digging further into the privacy policy, I found the collected data could be shared with a slew of 4th parties, from GA to Google Ads and Facebook Ads Conversion tracking (which matches personal data), and others (Twitter, FB, LinkedIn), as well as ActiveCampaign for emails.
- Consent: The absence of a consent banner for non-EU visitors and the use of dark patterns in consent management further undermined the campaign's credibility. Of course, there was no consent banner whatsoever when visiting from outside the EU. I tested using a VPN and Incognito mode: the consent banner showed only "Manage Settings" and "Accept", which is a well-known dark pattern.
- Consent Status: After rejecting all, everything was fired just as if I had accepted all... because the 3rd party lead-gen wasn't passed any consent status!
- GA4 Consent Mode: Misconfigured analytics calls, such as an incorrect Google Consent Status, indicated a lack of attention to detail in respecting user choices. The GA4 call was misconfigured and sent "gcs=11l1l1l1l1". The GCS parameter is the Google Consent Status and should have been gcs=100 when rejecting all tracking (or better still, in a #NoConsentNoTracking approach, this tag shouldn't be fired at all).
- Primary Purpose: The automatic subscription to a newsletter and the frequency of emails sent were at odds with the campaign's privacy-centric message. I was automatically subscribed to their email newsletter - which wasn't clearly stated as such - and received not one, not two, but four or five emails within the next 3 days... What was the primary purpose for asking for the data in the first place?
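The consent-status check described in the list above can be automated against a capture of the requests a page makes after "reject all". This is an added example, not code from the campaign or from any vendor; the sample URLs and the `G-PLACEHOLDER` measurement ID are constructed, and accepting an optional leading `G` in the `gcs` value (as live GA4 hits carry it, e.g. `G100`) is an assumption on top of the values quoted in the text.

```javascript
// Audit captured tag requests after the visitor clicked "reject all".
// Assumption: gcs is "1" + ad_storage + analytics_storage (1 = granted,
// 0 = denied), optionally prefixed with "G" as in live GA4 hits.
const GCS_PATTERN = /^G?1([01])([01])$/;

function parseGcs(value) {
  const m = GCS_PATTERN.exec(value);
  if (!m) return null; // malformed, e.g. "11l1l1l1l1"
  return { adStorage: m[1] === "1", analyticsStorage: m[2] === "1" };
}

// strict = true models the #NoConsentNoTracking approach: no hit may fire at all.
function auditRejectAll(requestUrls, { strict = false } = {}) {
  const findings = [];
  for (const raw of requestUrls) {
    const url = new URL(raw);
    const gcs = url.searchParams.get("gcs");
    if (gcs === null) continue; // not a consent-mode hit; out of scope here
    const state = parseGcs(gcs);
    if (state === null) {
      findings.push({ host: url.hostname, gcs, issue: "malformed gcs" });
    } else if (state.adStorage || state.analyticsStorage) {
      findings.push({ host: url.hostname, gcs, issue: "consent reported as granted" });
    } else if (strict) {
      findings.push({ host: url.hostname, gcs, issue: "tag fired without consent" });
    }
  }
  return findings;
}

// Constructed sample capture (placeholder measurement ID, not from the campaign).
const SAMPLE_CAPTURE = [
  "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&gcs=11l1l1l1l1&en=page_view",
  "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&gcs=G111&en=page_view",
  "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&gcs=G100&en=page_view",
  "https://static.example.com/app.js",
];

for (const f of auditRejectAll(SAMPLE_CAPTURE, { strict: true })) {
  console.log(`${f.host} gcs=${f.gcs}: ${f.issue}`);
}
```

Feed it the request URLs exported from the browser's network panel (for example from a HAR file) after rejecting all tracking; an empty result in strict mode means no consent-mode hit fired.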
Content Critique
The handbook itself, while promising insights into privacy-focused marketing, offered superficial content with considerable gaps in addressing the intricacies of marketing, technology, and legal compliance.
Marketing is about building trust. Instead of requesting contact information right from the outset, providing clear avenues for readers to initiate contact would have been more aligned with the principles of respect and transparency in data handling. Yet... there was nothing to be found in the document, no author profile, no email, no link to the website... besides, admittedly, links to learn more about their consulting services...
My Take: Handbook's Advocacy vs. Practice
The handbook's recommendations, such as explicit user consent, minimal data collection, regular audits, and privacy-led tracking, were clearly not reflected in the campaign's execution:
- ☠️ Users provide explicit consent for collecting and using their data. Why aren't the users outside the EU offered the same level of consent? If you really care about your customers' privacy, geolocation shouldn't make a difference.
- ☠️ Collect only the needed data and retain for the minimum time possible. Data should be collected to serve a primary purpose, not to feed your mailing list and not to remarket to them afterward. Or make it very clear and an opt-in option.
- ☠️ Data collection audits and Data Protection Impact Assessments (DPIA) are performed. Clearly, the person responsible for this campaign had not done any audit of the data workflows and with whom it could be shared.
- ☠️ Your privacy policy clearly outlines how you collect, use, and retain data. As a data-controller, you are ultimately responsible. Do not rely on any 3rd-party default legalese (but make them available).
- ☠️ Set up privacy-led tracking and ensure your tags fire properly. This seems to be the #1 issue. Why? First, getting the Consent Management Platform (CMP) configured properly is an issue. Then, even when the legalese is properly written, discrepancies quickly creep in because of the volatile nature of the martech environment. Finally, configuring your martech stack is a challenge in itself.
"I’ll bring this up with my director of marketing."
- ☠️ An incident response plan has been prepared in case of a data breach. Upon contacting the campaign's organizer, the response was non-committal, highlighting a missed opportunity for immediate corrective action.
Action Steps
Transparency is the cornerstone of effective marketing. Practices that don't stand up to scrutiny need reevaluation. This experience serves as a reminder that in the era of digital transparency, actions speak louder than words.
As I mentioned in the past:
Marketing shines in the light of transparency. Every marketing move you make is just a tweet or post away. If the thought of seeing your marketing tactics exposed makes you uncomfortable, maybe it's time you re-evaluate them.
Disclaimer: While this narrative is heavily influenced by a recent personal experience, certain details have been modified to ensure the privacy and anonymity of the individuals involved.
🍓 Social & Behavioral Scientist (PhD). Expert in Privacy, Responsible/Ethical/Trustworthy AI and UX AI. EU Grants Writer. Interest in Inner Development (IDG) & Climate Change.
1y
You describe a practice that we still see too often. It's time for #marketing professionals to understand and take up their role on these issues. Protecting customers' #privacy is not (only) being #compliant but taking care of customers' interests and respecting them. Privacy is in no way (only) a #regulatory and IT problem but a true opportunity for businesses and #marketing professionals to (re)create #trust. Things will/can only change when #marketers will start caring about that issue and take the lead on it. #Misusing customers' #data, obtaining #consent that is neither informed nor free, or using tricks (the so-called #darkpatterns) to obtain people's consent or data is not marketing. It's just #disrespectful and #unethical business practices that can't be profitable in the long run. As a social scientist, studying #consumer privacy for 20 years, I can affirm that most consumers care about their privacy. They just don't know how to protect it efficiently in the current business environment. I wish #marketers could understand that such practices are not only deceptive, they create #mistrust and destroy their business. Stephane Hamel, happy to discuss this with you further. Audencia, AFM - Association Française du Marketing
B2B Marketing @ Slice
1y
You describe a standard lead gen tactic. It is ironic that it’s used so blindly by privacy-oriented products. Marketing’s job is to understand the target audience. And yet you see this sad state of campaigns that are supposed to target DPOs. I guess many such campaigns are led by marketers who don’t share privacy values (or likelier: just don’t care). Many people don’t care, it’s reality. But it’s bad marketing because you go against what your target audience values.