Why Some Companies Are Still Overcautious About GDPR

The art of balancing GDPR-dictated customer privacy and brand-growth strategies.

August 7, 2023

It’s been five years since the GDPR (General Data Protection Regulation) was put into action. Jay Gibb of CloudSponge examines why companies are still struggling with the regulations and what can be done differently to ease up on being overcautious.

Surveying the changes of the last half-decade, we can say its effects have been, for the most part, positive; brands and social platforms have gotten more serious about protecting consumer information, and in consequence, European internet users have grown more comfortable online, confident that (with a few unfortunate exceptions) their data isn’t being used in ways they didn’t sign up for.

 That said, there remain some lingering problems in the marketing field writ large. GDPR was such a massive, intimidating regulation that in the year leading up to it, many marketers overcompensated, interpreting the GDPR’s guidelines as conservatively as possible. This makes sense. At the time, it really wasn’t clear what was permissible and what wasn’t. And nobody wants to wind up on the wrong side of a powerful regulator.

 Still, this over-cautiousness has needlessly held some companies back – especially when it comes to things like people referring their friends to businesses and newsletters. With five years of experience, we can now confidently say that things like that are totally acceptable under GDPR rules—and yet countless companies continue to neglect this valuable method of acquiring customers.

 That’s a mistake, but luckily, it can be easily remedied.

GDPR Allows for More Than You Might Think

There are, of course, countless sensible reasons why a brand might want their referral program platform to allow consumers to input the email addresses of people they know personally. For instance, sending a holiday card or referral code or inviting people to join a travel itinerary you’ve created. We’d all agree these are benign, non-invasive activities – yet some companies are still scared to engage with them.

 Part of this stems from a misunderstanding. It is not inputting friends’ emails that goes against the spirit of GDPR. Rather, what goes against the spirit of GDPR is exploiting those emails and using them to turn people into marketing assets non-consensually. Creating ghost profiles for them, putting them on marketing newsletters, and bombarding them with free trial offers – these kinds of activities are clearly contrary to what GDPR is all about and should absolutely be shunned by any self-respecting company or referral program platform. But simply permitting a user to, for example, forward an appealing recipe to a friend—that is not the kind of thing that GDPR was designed to prevent.

Think of it this way: when a user opens a Gmail account and sends an email to a friend, they are not literally messaging the friend themselves; rather, they are deputizing Google to use their technology to relay the message for them. Google is functioning as a third-party intermediary between two people with a tangible connection. Functionally, this is no different than allowing someone to send a holiday card or a referral code through a website.

Cookies Are on the Wane and Consumer-Inputted Emails Matter

Beyond the fact that, under GDPR, this kind of overcaution is simply unwarranted, there are a few good reasons why companies on the fence about allowing people to input emails should rethink their policy.

The first has to do with third-party cookies. It’s true that the death throes of the third-party cookie have dragged on for longer than initially expected, but that doesn’t change the fact that they are, in fact, on their way out. Google is on track to completely deprecate third-party cookies by the second half of 2024, and, as anyone with an app knows, Apple has made it much harder for companies to collect consumer data by requiring users to actively opt in.

In this coming post-cookie context, first-party data has (correctly) been touted as the future for companies seeking to acquire consumer information consensually and with maximum consumer trust. And the kinds of email addresses we’ve been discussing here – those inputted by friends, family, colleagues, etc. – represent one of the strongest categories of first-party data companies could ever hope to get access to.

 This isn’t a secret—which brings us to the second reason that some brands should rethink their email policies. Namely, there’s a reason that countless major European companies, including Vodafone and British Gas, make use of this practice as a matter of routine. Keep in mind: large companies are usually the most cautious when it comes to these kinds of regulations. If they’re comfortable engaging in these practices, there’s no reason smaller companies shouldn’t be too.

Balancing Caution and Effective Marketing 

To put it plainly, giving customers the ability to activate their networks as acquisition channels for brands can be done well within the letter of the law. GDPR is fundamentally about privacy – it was not designed to hobble completely innocuous (and potentially lucrative) marketing opportunities for brands. And given the major advances in cybersecurity in recent years – particularly with things like “encryption at rest,” which makes hacked databases unreadable and thus effectively useless – there is even less cause for concern.

 After five years of confusion and trial and error, what is and isn’t allowed under GDPR is now firmly established. So don’t let well-meaning but misplaced cautiousness prevent your company from reaching its full potential.

How have you navigated GDPR demands to ensure both customer privacy and brand growth? Share with us on Facebook, Twitter, and LinkedIn. We’d love to hear from you!

Jay Gibb
Jay Gibb is the Founder and CEO of B2B SaaS company CloudSponge and a partner at distributed software engineering consulting agency Arizona Bay. He and his team have built hundreds of online businesses with entrepreneurs over the last 20 years. Gibb is an expert at helping non-technical (and quasi-technical) entrepreneurs build new software products and manage technology teams for their ventures.