Marketing Data Protection: Know More About Your Consumers Without Increasing Risk

Marketing data protection is a growing concern for every marketer and brand leader. Consumers feel like they’re being watched, governments feel like their power is threatened, and marketers fear that reliance on third parties might one day leave them out in the cold. We can only assume that, in this environment, a change will come.

We can’t know exactly what that change is or how fast it will come either – all we can do is hedge against the risk of third-party data being the only data we use. For brands that can afford it, it’s essential to prepare for this possibility by building their own reserves of first-party data. We love digital marketing for its advantages – greater specificity, relevance, targeting, attribution and in most cases ROI. Most of these advantages are possible because of the data available through digital channels, and in particular Google and Facebook’s advertising and tracking capabilities. 

These platforms are powerful, but in order to continue practicing data-driven marketing long into the future, you need to be conscious of both generating first-party data and protecting it. Suspicions about data security are what have led us to this crossroads, so you won’t be getting anywhere by generating data that’s unprotected. Furthermore, if you’re building up first-party data, any breach could lead to fines and legal liability. As a marketer, marketing data protection is an essential consideration in what your future mix will look like.

Marketing data protection comes down to three things: storing data in a secure way, transferring data in a secure way, and using data in a way that is transparent to the consumer. Understanding all of these is usually a CIO’s job, but for marketers today, you need to be informed about how your data is managed in order to know that it’s going to be a secure, reliable resource in the future. 

*Keep in mind that this is only a primer and does not constitute legal advice – if you have a question about how you need to engineer your own marketing data protection protocols, talk to your IT leaders, your lawyers, or both.*

A vast majority of brand marketers are prioritizing data self-sufficiency, first-party approaches and analytics that help them maximize their performance – all to get ahead of changes in data protection standards. Source: Sizmek

Storing Data in a Secure Way

There are a variety of standards that can be used to understand how to protect data from unwanted access. ISO 27k is an essential set of standards that define how to protect data, marketing or otherwise. There are dozens of standards and certifications that apply to different aspects of your organization: ISO 27000 and 27001 specify appropriate information security processes, while ISO 27002 specifies all the topics that need to be addressed by an information security process.

When we think of information security, the first thing we think of as users is usually passwords. Beyond not setting a password of “123456”, how are you supposed to be aware of whether you’re practicing good information security policy? Well, that’s where your CIO usually takes ownership, but all the things that they’re dealing with could include:

  • Setting and enforcing password policies (usually using strong password guidelines)
  • Managing access to networks and devices, particularly through offsite access (e.g. using VPNs and avoiding public wifi wherever possible)
  • Avoiding malicious downloads on company devices by setting policies around what those devices can be used for (e.g. no illicit browsing)
  • Deploying encrypted solutions for communication and data transfer (whether it’s email, messaging or any other mechanism)
  • Physical protection at the data center (are there security guards? Is access to hardware managed, limited and monitored to avoid compromise or corporate espionage?)
  • Disaster recovery planning (so that things like power outages, natural disasters and backup processes don’t create more vulnerabilities or lead to lost data)

These policies will include any solution that you use across your martech stack, but implementing them doesn’t just apply to your own CIO or within your business – every one of your agencies, partners or other colleagues who handle your data also needs to practice due diligence similar to what’s practiced within your organization. You can generally trust that platforms like Google and Facebook will practice high marketing data protection standards. But, when you think about all the vendors and contractors you rely on, you might realize that there’s a sea of vulnerabilities you may not be accounting for.

For instance, part of Equifax’s famous 2017 data breach was an unpatched vulnerability in a third-party-developed web portal. When you’re engaging a martech vendor for technology that’s used to store or collect first-party data, you need to ensure that whether you own the asset itself or are working through a third-party, the way in which that asset is managed is in compliance with the highest possible data protection standards. 

If the data you hold is valuable to you, it’s also probably valuable to someone else. Legally, you’re required to protect Personally Identifiable Information, but ensuring your partners and vendors also protect your first-party data is essential to being successful with a first-party approach. Source: US GAO

Transferring Data in a Secure Way

Today, no real brand is going to be without an HTTPS website. Most people browsing the internet will get a warning when they’re on a site that’s not secure. When you start managing Personally Identifiable Information (PII) that isn’t just related to contact data, but also to healthcare or financial records, you also face greater regulatory scrutiny through HIPAA and FINRA in the United States and similar policies in other markets.

If you have agents transferring documentation related to these fields as part of your customer acquisition process (think a health insurance claim or new bank account information), you’ll usually also need to use secure messaging solutions, whether through email or through an encrypted portal.

Usually, this kind of stuff takes place after the marketing funnel has done its job. However, if you’re triggering remarketing actions (through email, advertising or other channels) based on interactions your agents have had with a consumer, you need to make sure that the way in which that information is leveraged and triggered doesn’t create a vulnerable access point to the PII it relies on to function.

The first-party data you generate will most often be collected through websites, forms or interactive experiences that generate and aggregate data about a consumer. If you’re remarketing on the basis of prior purchases, you also need to confirm that your own organization’s data protection standards are met for every single application you use to generate, maintain, store or transfer the first-party data about your consumers. This limits both vulnerability and legal liability if ever any data is compromised (and also enables your brand to pursue legal action if a vendor doesn’t meet the expectations they set). 

Personally Identifiable Information can be incredibly broad in some cases. The more data you collect and the more channels you use, the more vulnerabilities you create, and the more potential there is for legal and financial liability if the data is ever compromised. Source: Braze

Using Marketing Data in a Way That’s Transparent

Transparency is the last step for your marketing data protection strategy, but it’s also the most important. This means that disclosure is essential whenever you interact with and collect information on consumers. Because of this, you can also take the opportunity to generate and use first-party data in ways that will engage and satisfy customers in better ways.

GDPR has in many ways led to the shift we’re experiencing in how we develop and use marketing data. In particular, one of the biggest elements there is user agreements and privacy policies. These documents are meant to define the expectations, uses and limitations of how user data is used by all elements of an organization, including its marketers.

GDPR specifically requires user agreements to be easy to understand. Consent to collect and use data must be given freely, voluntarily, and explicitly. This means that you can’t simply rely on “implied consent” – users must express it somewhere (whether by checking a box or some other affirmative action). Within this, you must also specify every reason for which you use a given piece of data. The EU addresses specific examples for reference here:


“In the email address and IP address example, you can’t explain these uses as part of a single, long paragraph detailing the operations of your marketing team, with a single consent checkbox at the end. Instead, you must explain each data use case separately, giving data subjects an opportunity to consent to each activity individually.

If you have more than one reason to conduct a data processing activity, you must obtain consent for all those purposes. So if you store phone numbers for both marketing and identity verification purposes, you must obtain consent for each purpose.”


You don’t have to renovate your privacy policy just yet – most of this applies only to marketers active in the Eurozone and most large organizations will have already addressed these challenges with the launch of GDPR in May 2018. Detailing every possible use for every piece of data ultimately may also be, practically speaking, unenforceable – though that in no way means you should not try to live “to the letter of the law”. The real takeaway from this change is in how you should look to respond to consumer expectations: people will be more used to knowing what their data is used for and will more often expect you to disclose those reasons as they provide you with the data you need. 

How This Change Gives You New Opportunities

It’s important to disclose how you use data upfront in order to not interrupt the experiences you provide. For instance, in the case of an interactive chatbot or website, you want to advise users of a privacy policy right as they enter the experience. The surprising thing is, this new dynamic actually increases engagement with your marketing efforts – a full 83% of consumers are willing to share their data if it enables a more personalized experience!

Marketing today generally relies on demographic and other broad-based personalization methods that aren’t always reliable. This is primarily because that’s the only kind of data that is generic enough to be used by all the types of brands who might go to Facebook and Google to run their marketing campaigns.

Even these platform players accommodate brand marketers with newer features like Custom Audiences, but they don’t necessarily enable you to collect specific, declared intents from consumers on a personalized basis. Generic data isn’t what gives you advantages as a marketer – unique insights are where you get your edge. When you enter into an agreement directly with a consumer, rather than a third party, you now have the opportunity to collect unique information that you and no other brand has access to. You can then use that information to both refine your overall marketing strategy and hyper-personalize your messaging across every channel you use to communicate.

With interactive experiences, you can disclose why you’re collecting data and generate more of it, both improving the experience itself and your ability to personalize things like remarketing messages as the customer journey evolves.

This makes marketing a safer space for consumers – one where they can actually receive emails, ads, messages and see websites or consume other content that is truly personalized to their expressed concerns. The more they share, the better an experience they get, while also feeling more secure in the way their data is used online. 

Making sure marketing data is properly protected is now part of your job, but it opens up opportunities to use that data in new and creative ways. Being transparent about why you want a piece of information and disclosing the reason to the consumer actually increases their likelihood to share it. Rather than making the consumer a subject in your marketing experiments, they can be an active participant that helps you learn more about them, feels safer throughout the process and ultimately provides you with better marketing outcomes than ever before.

