In Part-I of this story on Hyper-personalization, I mentioned how I preferred the Kirana store in my neighborhood market that offered a more personalized experience. But, what if, the store owner took things a tad too far by showing up at my doorstep during odd hours and bringing me stuff even when I didn’t order them or knew personal details about my life that I never shared with him. That would be immensely creepy!

There’s a thin line that divides hyper-personalization and privacy breaches, and brands should carefully tread that line. One slip and they enter the creepy realm.

While handling such a vast amount of user data, brands have to careful to avoid data privacy breaches and disinformation – something that the social media failed at. Even if a brand is confident about its data security infrastructure, it should still be conscientious about breaching the trust that a consumer places in it by sending incredibly personal messages that may have creepy overtones.

According to Sehgal, when one’s privacy is invaded by the new/emerging technologies, it turns from cool to creepy. He puts forth the following scenarios as examples of user data collection that can be construed as creepy.  

They know where “You” are – Smartphones are tracking where you go, along with the duration and frequency of the visits.

They know what “You” purchased – While this can seem like a harmless activity because you might receive good suggestions and could genuinely prove to be helpful. However, in cases when an item that one of your family members purchased, starts appearing as suggestions, simple suggestive ads displayed on different platforms (websites and apps) can turn creepy. 

They know “Your” secrets – The data is tracked even when you browse in the incognito mode.

They know “Your” profile – When you enter a store and the salesman greets you with your name, even when he/she doesn’t know you. As creepy and unrealistic as that sounds, don’t think this is not possible – it is. Hyper-personalization is not only limited to online advertisements, but it also has the potential to impact the physical world.

He believes that it’s usually the product manager’s job to oversee the flow of data from the relevant databases to the customer’s screen. Most of the “creepy” cases arise when this “flow” hasn’t been thought through or executed well, thus exposing sensitive data to customers. 

Treading The Tightrope

The important question that arises here is how can brands find this delicate balance between trying to create a personalized experience for the customers – with the right amount of value and relevance – and not enter the creepy realm?

The privacy paradox is also at play here wherein customers are wary of data privacy breaches and don’t trust brands with their personal data, however, they are more likely to divulge their data to brands in exchange for enhanced personalized offerings. 

According to Sehgal, the ultimate goal of marketing is customer loyalty and to deliver benefits and utility without creeping out the customers. He believes this can be achieved by walking the thin line between personalization and privacy. Businesses should consider the following privacy by design principles while formulating user experience.

1. Keep it open: Brands must ensure that they provide complete transparency when it comes to the data collected and its purpose. Providing a brief and easily understandable privacy notice, obtaining consent from data subjects prior to processing their personal data are a few keys ways of attaining transparency. 

2. Be user-centric: Brands must provide users control over their end-to-end personal data through the experience cycle.

3. Be proactive, not reactive:  Brands need to be upfront and proactive in anticipating potential privacy issues and deter from such situations. Brands should follow principles of data minimization and limit disclosure of personal data.

4. Positive sum game: Brands must provide high-quality customer experience without sacrificing consumer privacy – e.g. using first-party permissions and giving the customer the control to decide the kind of personalization they expect creates a win-win situation.

He reiterated the importance of companies being clear and transparent while handling user data and what it is being used for, both internally and/​or when sharing it with third parties. According to him, a simple blanket consent from consumers for data collection is not enough, he believes that brands should offer customers different preferences for different services as well as an easy opt-out (of data sharing) option. He shared the following best practices.

1. Data collection used to be about high volumes, whereas now it needs to be more targeted – companies should only be contacting people that are likely to have an interest in what they’re offering. This calls for a shift in mindset among the marketing teams.

2. Provide a certain degree of assurance to the consumer that their data will be protected from unauthorized use or disclosure.

3. Privacy-enhancing technologies can be used to ensure that genuine choice and control is offered to the consumer, making it easy for consumers to choose what they share or do not share

4. Offer valuable benefits to those consumers who choose to share data, such as exciting offers, rewards or information in exchange for data. 

Chaudhary stated that most off-the-shelf personalization tools are already largely compliant with legal guidelines regarding privacy. “Even then, the CIO making vendor purchase decisions should be willing to ask tough questions to the vendors about their software’s privacy policy. It is easy for vendors to add additional security first and build features later. The other way round is usually very difficult,” he opined.

He also suggested that as an extra cautionary measure, brands can also run their hyper-personalization techniques on a smaller set of customers first, before taking it to a larger public. They should collect feedback proactively and measure their responses to different experiments until they hit a sweet spot between a better experience and non-intrusion. “This way even a small privacy breach can be detected early and brands can take corrective steps before rolling out hyper-personalization at a larger scale.”

Don’t Be A Creep; Keep Calm & Follow Regulations

As both brands and consumers are finding it difficult to strike the delicate balance between personalization and invasiveness, Governments have stepped in, on behalf of the two, to come up with regulations and laws that protect both parties. 

“As a marketer, I cannot stress the importance of consumer data and personalization in the effective delivery of content and services. Data helps brands tailor their communication and offers to the specific requirements of different consumer demographics. That said, it is also essential to regulate how the consumer-related information is leveraged to prevent its misuse. Policy measures such as the EU-GDPR become essential to ensuring that data – the most critical of resources in this digital age – is used judiciously,” Neha Kulwal, Country Manager, Admitad India told Analytics India Magazine. 

General Data Protection Regulation or GDPR is a set of rules in the European Union (EU) law that provides the citizens of the EU and the European Economic Area (EEA) more control over the processing and free movement of their personal data. It also aims to simplify the regulatory environment for businesses in a way that both EU-based businesses and citizens can benefit from the digital economy. GDPR is the part of the evolution of the legal framework happening across the world to keep abreast of the internet-connected world we currently live in – which includes cases of data breaches, privacy, and consent. 

The California Consumer Privacy Act is a privacy-centric bill – along the lines of GDPR – that primarily aims to protect the privacy rights of residents of California as well as offer them consumer protection. This consumer privacy legislation (Assembly Bill (AB) 375) was passed into California law on June 28th of 2018 has been dubbed as “almost GDPR in the US” by some. 

Earlier this year, in April, another privacy-centric legislation was introduced. U.S. Sens. Mark R. Warner (D-VA) and Deb Fischer (R-NE) introduced the Deceptive Experiences To Online Users Reduction (DETOUR) Act, bipartisan legislation to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns” to trick consumers into handing over their personal data.

“The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not take under normal circumstances,” said the press release. 

Coming back to GDPR and the privacy concerns it addresses, Sehgal stated, GDPR has introduced a wider definition of “Personal Data” to include what we call “persistent online identifiers” such as cookies, which are often collected by personalization platforms. It has also provided provisions to obtain a data subject’s consent prior to the collection and processing of their personal data.”

He also mentioned the fact that GDPR requires data controllers to deploy appropriate safeguards such as anonymization and pseudonymization to ensure the protection of personal data elements.

We have discussed how GDPR helps ease the privacy concerns of consumers, but how does it help the brands engage its audience in a personal yet non-intrusive manner?

Sehgal states that many companies have a preconceived notion, that GDPR restricts the concept of innovation whilst processing personal data, however, that might not necessarily be true. “Collecting data [under GDPR] is fine if companies are clear and transparent about what it is being used for, both internally and/​or when sharing it with third parties.”

He shared the following ways by which GDPR helps brands with customer engagement. 

1. The important thing to remember is that GDPR doesn’t prohibit companies from collecting any data on customers and prospects. It just gives individuals more control over who can collect and store their data. In a survey of more than 8,500 consumers from six different countries, Deloitte and SSI found that 79 percent of respondents were willing to share their data if there was a clear benefit to them. 

2. In order to facilitate GDPR’s enhanced data subject rights, like the right to access personal data and the right to data rectification, brands need to unify the customer data from various sources into a centralized location, pooled and provided in a timely fashion.

3. This unified customer profile significantly helps brands comply with GDPR, but it also affords marketers a powerful tool for customer engagement and loyalty which can be used to drive new, highly targeted customer experiences based on previous purchases, activity or behavior. 

4. Leveraging the power of artificial intelligence and machine learning can help prove customer value over time using the unified first-party customer record as valuable seed data.