Mar­ket­ing ver­sus data pro­tec­tion: Who holds the trump card?

When going online, pri­va­cy state­ments, cook­ie guide­lines, oblig­a­tions to give one’s con­sent and the like over­whelm the con­sumer. Those “fea­tures” are not only labour-inten­sive but also alarm­ing because mar­ket­ing and sales depart­ments lose 10% of their poten­tial cus­tomers with every addi­tion­al click. Yet they are essen­tial for achiev­ing data pro­tec­tion com­pli­ance and, more to the point, to avoid enor­mous fines. Does mar­ket­ing make a bet­ter case for get­ting its way or does data pro­tec­tion have a trump card in attain­ing its goals?

In her Duet Inter­view with Petra Dahm, strate­gic con­sul­tant and for­mer copy writer, cre­ative direc­tor and strate­gic plan­ner in the adver­tis­ing world, Dr Cal­daro­la, author of Big Data and Law, dis­cuss­es the trade-off between two stake­hold­ers with dif­fer­ent needs as far as dig­i­tal busi­ness is concerned.

It is essen­tial for a company’s sur­vival to sell prod­ucts and/or ser­vices. How­ev­er, it is also impor­tant that its hard-earned rev­enues not be lost by enor­mous data pro­tec­tion fines for non-com­pli­ance (up to 4% of the world­wide turnover of a com­pa­ny group) , as we have seen in an ear­li­er inter­view with Prof. Dr Schrey. One can observe dif­fer­ent phe­nom­e­na in dig­i­tal activ­i­ties: (1) com­pa­nies seem­ing to become bold­er in sell­ing activ­i­ties on the inter­net; (2) at the same time, con­sumers feel­ing anx­ious that their data is not secure – accord­ing to sur­veys, (3) con­verse­ly, con­sumers scrolling imme­di­ate­ly to the end of a doc­u­ment with­out even mak­ing the effort to read seem­ing­ly end­less infor­ma­tion in order to give their con­sent to com­pa­nies hav­ing com­posed, for the most part, long, detailed and seem­ing­ly trans­par­ent data pro­tec­tion state­ments. What must com­pa­nies do to be com­pli­ant? What trend have you observed? And which con­se­quences do the behav­iour of poten­tial cus­tomers and ven­dors list­ed above have with regard to the intend­ed legal goals?

Petra Dahm: Com­pa­nies are def­i­nite­ly get­ting bold­er in their dig­i­tal activ­i­ties. Over the last five years, glob­al sales via data-dri­ven por­tals and e‑commerce have almost dou­bled (source: Sta­tista). The pan­dem­ic and the asso­ci­at­ed con­tact restric­tions have accel­er­at­ed this devel­op­ment even fur­ther because COVID-19 has pro­found­ly changed sta­tion­ary and dig­i­tal com­merce with­in just a few months – a trend which clear­ly has the poten­tial to remain with us.

Accord­ing to a fore­cast by the Insti­tute for Retail Research IFH Cologne, growth in Ger­many alone is expect­ed to dou­ble, and the mar­ket will increase to up to €88bn in sales. The gen­er­al will­ing­ness to open up to dig­i­tal tools has also been sig­nif­i­cant­ly strength­ened by the pan­dem­ic – both on the part of com­pa­nies as well as on the part of customers.

How­ev­er, there is still dis­sat­is­fac­tion with the online shop­ping expe­ri­ence because, accord­ing to the mar­ket research com­pa­ny For­rester Con­sult­ing, Ger­man cus­tomers, in par­tic­u­lar, are not pro­vid­ed with a suf­fi­cient­ly intu­itive user expe­ri­ence – both when search­ing for suit­able prod­ucts or ser­vices on the inter­net and when nav­i­gat­ing an online store itself. This cir­cum­stance can be attrib­uted to a num­ber of fac­tors: On the one hand, it results from a rather poor dig­i­tal strat­e­gy of com­pa­nies that is not yet ful­ly devel­oped in many cas­es, but is also du to the Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR) intro­duced since 2018, and oth­er guide­lines, such as the very com­pli­cat­ed reg­u­la­tions of the cook­ie noti­fi­ca­tion or opt-in/opt-out pro­ce­dures which have all made life dif­fi­cult for com­pa­nies in this coun­try. For all these rea­sons, pages or noti­fi­ca­tions are encod­ed, not to be pre­sent­ed in a visu­al­ly appeal­ing way, or the nav­i­ga­tion is so com­plex that con­sumers either will­ing­ly click on online offers with­out know­ing the rel­e­vant back­ground infor­ma­tion. After that one fatal click, they are then lit­er­al­ly flood­ed with fol­low-up offers and feel pow­er­less and frus­trat­ed. The alter­na­tive sce­nario is to sim­ply refuse every­thing from the out­set, leave the page and men­tal­ly des­e­lect the service.

In addi­tion, there are still con­sumer con­cerns about data secu­ri­ty, although accord­ing to a recent study by Deloitte, shop­ping behav­iour dur­ing the pan­dem­ic has also relaxed sig­nif­i­cant­ly in favour of con­ve­nience – one only has to remem­ber how read­i­ly per­son­al data was shared when vis­it­ing a restau­rant this year or recall the wide­spread use of cloud-based col­lab­o­ra­tion tools, such as Zoom and the like, and pri­vate, unen­crypt­ed WLAN-con­nec­tions in home office sur­round­ings. Or let us con­sid­er an even more press­ing issue: Health pro­tec­tion vs. pri­va­cy? Here it is also worth tak­ing a look at the dif­fer­ent behav­iour­al pat­terns of the var­i­ous gen­er­a­tions, par­tic­u­lar­ly in terms of tar­get group seg­men­ta­tion – while the Baby Boomer, GenX and GenY gen­er­a­tions tend to be more restric­tive with their per­son­al data, younger gen­er­a­tions are much more will­ing to dis­close their data in order to make use of online services.

When con­sumers vis­it a web­site and/or nav­i­gate through the inter­net, they are con­front­ed with “fea­tures”, such as pri­va­cy state­ments, con­sent, dou­ble opt-in and the like. Even though such require­ments are oblig­a­tory, have they been cor­rect­ly imple­ment­ed? Are they more of a deter­rent or even counter-pro­duc­tive? Why is the way com­pa­nies are ful­fill­ing these data pro­tec­tion require­ments so antag­o­nis­tic to consumers?

When con­sid­er­ing this mat­ter, it is cer­tain­ly nec­es­sary to dif­fer­en­ti­ate between glob­al enter­pris­es and small and medi­um-sized enter­pris­es (SMEs), which have pre­dom­i­nant­ly been active on local mar­kets, and are now mak­ing their way to inter­na­tion­al mar­kets. The key fac­tor is the com­pa­ny’s lev­el of dig­i­tal matu­ri­ty and how well it is posi­tioned in terms of its dig­i­tal busi­ness strategy.

I find it prob­lem­at­ic that two years after the intro­duc­tion of the GDPR, many com­pa­nies have still not suf­fi­cient­ly come to grips with the issue in terms of its sig­nif­i­cance for mar­ket­ing, sales and adver­tis­ing. In addi­tion, there is anoth­er dif­fer­ence between B2B and B2C com­pa­nies: name­ly that while in a B2C buy­ing process only one con­tact is deci­sive, in a B2B buy­ing process up to sev­en con­tacts or more are part of the sale.

Although the nec­es­sary admin­is­tra­tive or IT-relat­ed mea­sures may have been tak­en inter­nal­ly, such as data access con­trol, or data reten­tion, many SMEs in the B2B sec­tor have only real­ly start­ed to come to terms with dig­i­tal busi­ness mod­els, mul­ti-chan­nel approach­es, online mar­ket­ing and data-based analy­ses of online cus­tomer jour­neys and buy­ing process­es since the Coro­na pan­dem­ic, which means that there is a great deal of catch­ing up to do in terms of dig­i­tal com­pe­tence – and thus with regard to secure com­pli­ance with GDPR regulations.

In addi­tion to pure­ly tech­ni­cal exper­tise, it is par­tic­u­lar­ly impor­tant to act in a cus­tomer-ori­ent­ed man­ner – here, among oth­er things, an under­stand­ing of user expe­ri­ence and user inter­face is an essen­tial pre­req­ui­site for com­mu­ni­cat­ing reg­u­la­tions and require­ments in a user-friend­ly fashion.

We our­selves see both ten­den­cies in the dis­cus­sions with our cus­tomers, which have espe­cial­ly been trig­gered by the pub­li­ca­tion of the first more sub­stan­tial fines: either online mea­sures are being mas­sive­ly scaled back or at least put on the back burn­er for fear of mis­takes in imple­men­ta­tion, a reac­tion which is actu­al­ly fatal, as this restricts the pos­si­bil­i­ties of dig­i­tal busi­ness mod­els, or penal­ties are, quite sim­ply, fac­tored in delib­er­ate­ly and accepted.

Do com­pa­nies take advan­tage of their mar­ket pow­er? In oth­er words, does the con­sumer real­ly have the choice of not accept­ing data pro­tec­tion rules estab­lished by com­pa­nies? Will the con­sumer find alter­na­tive offers from a dif­fer­ent com­pa­ny that has – in his eyes – bet­ter data pro­tec­tion rules?

One fac­tor which must be tak­en into account is that the appli­ca­tion of the GDPR is being inter­pret­ed com­plete­ly dif­fer­ent­ly, in part, by data pro­tec­tion offi­cers, but also by data pro­tec­tion lawyers. This impor­tant con­clu­sion was one we could reach from our own expe­ri­ences with dif­fer­ent cus­tomers. Since we our­selves con­stant­ly deal with the data pro­tec­tion guide­lines and, as a mar­ket­ing con­sul­tan­cy, nat­u­ral­ly also make cor­re­spond­ing sug­ges­tions to clients for online cam­paigns or mea­sures, this some­times leads to heat­ed dis­cus­sions and the client is forced to decide either in favour of a strict or a some­what lax­er inter­pre­ta­tion of the GDPR.

What we find lack­ing – espe­cial­ly after the pub­li­ca­tion of the first offi­cial eval­u­a­tion from June 2020 – is a clear and unam­bigu­ous pre­sen­ta­tion of the reg­u­la­tion for all par­ties based on best prac­tice exam­ples. Instead, we were main­ly giv­en a mere inven­to­ry of the sta­tus of the imple­men­ta­tion of the GDPR, which might be help­ful to sta­tis­ti­cians, but not for advanc­ing a prac­ti­cal approach to the regulation.

Above all, one thing must be kept in mind: the GDPR is based to a cer­tain extent on a lev­el of dis­cus­sion, which had already tak­en place 10 years ago, and since then, as is well known, a lot has hap­pened in terms of tech­nol­o­gy, analy­sis options, cus­tomer behav­iour, gen­er­a­tion devel­op­ment etc. Not to men­tion inno­va­tions, such as voice track­ing (voice assis­tant envi­ron­ment), eye track­ing (extend­ed real­i­ty envi­ron­ment), emo­tion­al track­ing (HR assess­ment envi­ron­ment) and let’s not for­get the advent of cloud com­put­ing (Indus­try 4.0/IoT envi­ron­ment) as well as the increased use of arti­fi­cial intelligence.

In the course of increas­ing­ly ubiq­ui­tous com­put­ing, we are no longer deal­ing with sim­ple, trace­able data pack­ages in indi­vid­ual silos, but with intri­cate, net­worked appli­ca­tions that require a sim­i­lar­ly com­plex view of data pro­tec­tion – both for com­pa­nies in terms of pro­tect­ing their intan­gi­ble assets and for cus­tomers safe­guard­ing per­son­al and sen­si­tive data.

The prob­lem is that the speed of tech­no­log­i­cal devel­op­ments presents almost insur­mount­able chal­lenges for a prop­er data pro­tec­tion impact assess­ment because it is not pos­si­ble to draw up or imple­ment new or adapt­ed reg­u­la­tions in the time need­ed and to train staff accord­ing­ly. There­fore, a dia­logue involv­ing all inter­est­ed par­ties should be held that already begins dur­ing the devel­op­ment of such tech­nolo­gies and is con­sis­tent­ly kept going.

My favorite quote is:

 

“In times of change, the great­est dan­ger is to act using yesterday’s logic”.

Peter Druck­er

Do com­pa­nies lose sales oppor­tu­ni­ties when apply­ing data pro­tec­tion require­ments? If so, what pro­por­tion of sales oppor­tu­ni­ties are lost? Can you give us a short overview of how mar­ket­ing and sales work to draw in poten­tial cus­tomers using dig­i­tal busi­ness mod­els, when a deci­sion for a spe­cif­ic action is nor­mal­ly tak­en, how much addi­tion­al time and how many clicks decrease a poten­tial dig­i­tal pur­chase, and, final­ly, explain why the “fea­tures” nec­es­sary for data pro­tec­tion com­pli­ance, such as con­sent, cook­ie guide­lines and sim­i­lar, are so dis­rup­tive with regard to mar­ket­ing and sales in the process of win­ning poten­tial cus­tomers on the internet?

To be hon­est, it is very hard to give a gener­ic answer to how many sales oppor­tu­ni­ties are lost because, at the very least, a num­ber of para­me­ters are involved. For exam­ple, the stricter cook­ie direc­tive and the result­ing restric­tions on the inte­gra­tion of com­mon online ser­vices have severe­ly lim­it­ed both cus­tomer ser­vice and the analy­sis of user data, which can have a neg­a­tive impact on online mar­ket­ing plan­ning. Here, we see Europe at a clear dis­ad­van­tage com­pared to Amer­i­can or Asian com­pa­nies, for exam­ple, which sim­ply have com­plete­ly dif­fer­ent options for a tar­get-ori­ent­ed cus­tomer approach and for con­tin­u­ous­ly opti­miz­ing the cus­tomer jour­ney with tech­nolo­gies, such as pro­gram­mat­ic adver­tis­ing and pre­dic­tive tar­get­ing, and can thus ful­ly exploit the advan­tages of dig­i­tal marketing.

How much poten­tial is actu­al­ly lost can there­fore only be esti­mat­ed, but the fact that an online cus­tomer jour­ney gen­er­al­ly has more touch­points than an offline one means that the pos­si­bil­i­ty of bounc­ing back in the course of a jour­ney is cer­tain­ly high­er. What we def­i­nite­ly see in our own analy­ses of inter­na­tion­al com­par­isons is that the restric­tions imposed by the GDPR are hav­ing a mea­sur­able impact. As already men­tioned at the begin­ning, small and medi­um-sized enter­pris­es in Ger­many, in par­tic­u­lar, are still far from mak­ing com­plete use of the oppor­tu­ni­ties offered by dig­i­tal busi­ness mod­els. In this respect, I see a high poten­tial for dis­cus­sion and con­flict in the com­ing years.

Above all, the dis­pro­por­tion com­pared to the Big Five from the USA is a sub­ject for dis­cus­sion because, to be hon­est, from our point of view, a real­ly cut-throat com­pe­ti­tion is devel­op­ing here. Due to a tech­no­log­i­cal head start and less restrict­ed pos­si­bil­i­ties, com­pa­nies, such as Google, Face­book, Ama­zon and oth­ers, are devel­op­ing more and more intel­li­gent data analy­sis options and, above all, have the eco­nom­ic lob­by­ing and finan­cial resources, not to men­tion tech­ni­cal exper­tise, to stand up to Euro­pean data pro­tec­tion authorities.

We our­selves have just seen how long a clar­i­fi­ca­tion by the EU Com­mis­sion can drag on – in the mean­time, bil­lions of data points have already been gen­er­at­ed again: THE asset of every dig­i­tal­ly ori­ent­ed com­pa­ny. Inci­den­tal­ly, a sim­i­lar imbal­ance can be observed when look­ing at tech­nol­o­gy-ori­ent­ed start-ups in Ger­many in an inter­na­tion­al com­par­i­son – here we should not be sur­prised if tal­ent is poached or emigrates.

Are there real­ly alter­na­tives or are con­sumer asso­ci­a­tions, the Cham­ber of indus­try of com­merce, con­sul­tants and oth­er dig­i­tal pri­va­cy providers har­mo­niz­ing the appear­ance of the dig­i­tal jour­ney as well as how it pro­ceeds so that there is lit­tle or no oth­er possibility?

The advances in tech­nol­o­gy and the asso­ci­at­ed adjust­ments to data pro­tec­tion are devel­op­ing so quick­ly that we require a high lev­el of con­tin­u­ous train­ing and fur­ther edu­ca­tion to keep up. Above all, the com­plex infra­struc­tures described above require a con­sis­tent inter­dis­ci­pli­nary exchange between indi­vid­ual par­tic­i­pants so that prac­ti­cal and cus­tomer-ori­ent­ed solu­tions can be devel­oped that cor­re­spond to our Euro­pean under­stand­ing of privacy.

Unfor­tu­nate­ly, the guid­ance offered by indus­try or pro­fes­sion­al asso­ci­a­tions as well as offi­cial con­tact points, such as the cham­bers of indus­try and com­merce, usu­al­ly only pro­vide gen­er­al basic infor­ma­tion or focus on the cor­rect inter­pre­ta­tion of data pro­tec­tion direc­to­ries or check­lists. If you are look­ing for mean­ing­ful train­ing oppor­tu­ni­ties in the areas of marketing/sales or dig­i­tal busi­ness mod­els, you are usu­al­ly left with sem­i­nars or work­shops – and iron­i­cal­ly, these are often not even avail­able online so far.

Mar­ket­ing and data pro­tec­tion seem to have con­flict­ing agen­das. Which side nor­mal­ly prevails?

It is impor­tant to under­stand that mar­ket­ing has become extreme­ly com­plex com­pared to ten years ago. With the abil­i­ty to net­work ana­logue and dig­i­tal mar­ket­ing as well as the advent of com­mu­ni­ca­tion mea­sures, we are in a posi­tion to per­fect­ly per­son­al­ize offers- even a small-sized com­pa­ny is in a posi­tion to serve glob­al tar­get groups via mul­ti-chan­nel approach­es- and com­pa­nies right­ly expect analy­ses that are as com­pre­hen­si­ble as pos­si­ble and, in the best-case sce­nario, can be con­sis­tent­ly planned and read­just­ed on the basis of mea­sur­able data. With the data-dri­ven net­work­ing of a wide vari­ety of online chan­nels (web­site, social media, email mar­ket­ing, plat­forms, etc.), the colab­o­ra­tion of lead man­age­ment, trans­par­ent mon­i­tor­ing of the cus­tomer jour­ney, and pos­si­bly even direct feed­back from the prod­uct itself via IoT and auto­mat­ed after-sales ser­vices, these var­i­ous process­es and the asso­ci­at­ed per­son­al data can cer­tain­ly be mul­ti-lay­ered with regard to the indi­vid­ual mar­ket­ing and com­mu­ni­ca­tion steps with­in the cus­tomer jour­ney. When a cam­paign or sys­tem is set up from scratch, we there­fore advo­cate get­ting all the deci­sion-mak­ers from mar­ket­ing, sales, ser­vice, prod­uct, sys­tem devel­op­ment and data pro­tec­tion at the same table to define clear require­ments and expec­ta­tions from the out­set. How­ev­er, it becomes dif­fi­cult when a sys­tem or cam­paign is already up and run­ning and needs to be assessed to deter­mine whether it is a pri­va­cy-com­pli­ant solu­tion. This often leads to very exten­sive dis­cus­sions, since mutu­al under­stand­ing must first be estab­lished – and that is not always easy. In most cas­es, quick exter­nal advice is not pos­si­ble because care­ful aware­ness of the over­all strat­e­gy and the indi­vid­ual objec­tives is nec­es­sary – and acquir­ing this under­stand­ing takes time.

How do mar­ket­ing and data pro­tec­tion form an effec­tive trade-off of their needs and inter­ests? Are there bet­ter ways to syn­chro­nize data pro­tec­tion require­ments with­out los­ing sales oppor­tu­ni­ties? Any ideas?

If we imag­ine that the world will become even more con­nect­ed and mobile in the future, then we need to rec­on­cile this delib­er­ate­ly open and, in many cas­es, per­haps also desired infra­struc­ture of inno­v­a­tive tech­nolo­gies, such as blockchain, cloud com­put­ing, Inter­net of Things, Aug­ment­ed Real­i­ty (smart glass­es) and arti­fi­cial intel­li­gence with the strict reg­u­la­tions of the Euro­pean Data Pro­tec­tion Reg­u­la­tion. And we must ask our­selves quite hon­est­ly: is such a rec­on­cil­i­a­tion even pos­si­ble? The Euro­pean Com­mis­sion itself has just phrased it very nice­ly in the con­text of the draft for a Data Gov­er­nance Act (DGA): We are prob­a­bly try­ing to square the circle.

Mrs Dahm, thank you for shar­ing your insights on the chal­lenges of mar­ket­ing and sales in the dig­i­tal environment.

Thank you, Dr Cal­daro­la, and I look for­ward to read­ing your upcom­ing inter­views with rec­og­nized experts, delv­ing even deep­er into this fas­ci­nat­ing topic.