Ensuring Data Privacy with MarTech Vendors with Janus Visser and Twan Lammers - EP017

Life After GDPR Podcast #EP017 w/ Janus Visser & Twan Lammers hosted by Rick Dronkers

This episode was recorded live at the Digital Analytics Summit on the 13th of October in Amsterdam. In this second session I was joined by Janus Visser who is the Director of Cloud Nine Digital and Twan Lammers who is a Digital Data Analyst at Commercial Banking at ABN AMRO Bank N.V.

The three of us have lots of experience with implementing marketing technology for clients and it was great to mutually share insights about what should change in the future, what our clients should change and how to approach that.


Make sure you follow Janus Visser on LinkedIn and Twan Lammers on LinkedIn.


If you want to help us out, please share the link to this episode page with anyone you think might be interested in learning about Digital Marketing in a Post-GDPR world.

Talk to you next week!

-Rick Dronkers

https://lifeaftergdpr.eu/episode-017/

Transcription Disclaimer PLEASE NOTE LEGAL CONDITIONS: Data to Value B.V. owns the copyright in and to all content in and transcripts of the Life After GDPR Podcast, with all rights reserved, as well as the right of publicity.

WHAT YOU’RE WELCOME TO DO: You are welcome to share the below transcript (up to 500 words but not more) in media articles, on your personal website, in a non-commercial article or blog post (e.g., Medium), and/or on a personal social media account for non-commercial purposes, provided that you include attribution to “Life After GDPR” and link back to the https://lifeafterGDPR.eu URL. For the sake of clarity, media outlets with advertising models are permitted to use excerpts from the transcript per the above.

WHAT IS NOT ALLOWED: No one is authorized to copy any portion of the podcast content or use the Life After GDPR Podcast name, image or likeness for any commercial purpose or use, including without limitation inclusion in any books, e-books, book summaries or synopses, or on a commercial website or social media site (e.g., Facebook, Twitter, Instagram, etc.) that offers or promotes your or another’s products or services without written explicit consent to do so.

Transcripts are based on our best efforts but will contain typos and errors. Enjoy.

[MUSIC SOUND EFFECT BEGINS AND FADES]

[00:00:00] Rick Dronkers: Hey everybody. Thank you for tuning into the Life After GDPR podcast where we discuss digital marketing in a post-GDPR world. Today's episode was a live recording from the Digital Analytics Summit in Amsterdam, and in this session I discussed how to handle data privacy for all your MarTech pixels. I discussed it with Janus Visser from Cloud Nine Digital and Twan Lammers, who is a Digital Analytics Specialist at ABN AMRO, and all three of us work, or used to work, at consultancies. So we all have experience with implementing marketing technology for clients and have been doing that for a long time.

[00:00:49] So I think it sparked an interesting discussion of how we got to where we are today, and how we perhaps should change the future, what we should change in our behavior, what clients should change and how to approach that. So hopefully you like this episode, and next week we should be back with a normal podcast recording.

[00:01:10] Welcome to the second podcast session of today. My name is Rick. I'm the host of the Life After GDPR podcast, and I am joined by Janus and Twan and we are going to talk about marketing technology vendors in the broader sense, right? We've talked a lot about Google Analytics, but we've also mentioned that Google is probably the tip of the iceberg when it comes to privacy regulation and that it will probably spend a wider net than just Google. But before that, guys, do you wanna introduce yourselves?

[00:01:40] Janus Visser: Sure. Janus Visser, responsible for Cloud Nine Digital. It's a Dutch data consultancy, and what we do for clients is making sure that data is trustworthy and compliant. As long as you manage that in the current landscape, it's a challenge. We really make sure that the foundation of data is there to do analytics, to do marketing and go from there.

[00:02:01] Twan Lammers: And I'm Twan Lammers, I'm a Data Analyst at ABN AMRO. I'm involved in commercial banking, so mainly close domain for all our commercial clients. And I have a background in consultancy before that.

[00:02:16] Rick Dronkers: All three of us have had to deal with privacy legislation and legal people. We should be able to have a good conversation about this topic. Let's start off with the basics. Marketing technology used to be, here's a JavaScript, can you please implement it on the website? There was quite a lot of that and probably a lot of websites that haven't been touched in the last five years will probably still fire. Do you guys feel partly responsible for this?

[00:02:42] Janus Visser: I'm a consultant. I'm never responsible. No. The thing is with, I think the best way to explain what history has given us is the same thing that happened at Meta or at Facebook. They no longer have control about what they're doing. They can't explain where all the data is coming from, what they're doing with it, where they're sending it, with whom they are sharing it, and that black box, that blind spot is something I think, well Facebook now has come into the news lately regarding that loss of control and that everybody is baffled that they have no visibility about what they do with customer data, but I think many companies can't really answer that question with a hundred percent certainty.

[00:03:28] Rick Dronkers: Yeah. So they can't answer the question, where did you get the data from? Where is it stored? What does it contain?

[00:03:34] Janus Visser: Yeah. Why does that five-year-old website still push data towards Hotjar while you're not using it anymore?

[00:03:39] Twan Lammers: Yeah. I think also that technology went very fast and so there was, I think, a big knowledge gap what people knew which were involved with marketing pixels or those kind of things. And they just asked, Okay, please put this pixel on my page. But they didn't know, Okay, what would it send? And so at first I think we had some cases where it wanted us to send email addresses and those kind of things.

[00:04:04] And then we advised our clients, okay, maybe that's not the smartest thing to do. Yeah, it is your decision to do it. A lot of that happened in that time period, which you described. It was where people just don't know what they did and that, yeah, I think just went on and on and on and now there seems to be some kind of setback to that, to at least.

[00:04:28] Janus Visser: There is a demand for an increased control.

[00:04:31] Twan Lammers: Yeah, definitely. I think so. Yeah.

[00:04:32] Janus Visser: It's the same thing which was touched upon by Simo Ahava earlier today, where for all this marketing vendor technology, the interaction of the client or the platform itself is the source of data. And that's also lack of maturity where we've seen that those platforms were basically built in a horrible fashion and transported email addresses, phone numbers, even banking addresses via the URL from page A to page B. But that meant that every JavaScript that was implemented had access to that URL and that personal data, completely changing the format of the data set.

[00:05:07] In terms of following the GDPR, changing the demands that are put on that data set, what you can do with it. You can't deal with it. And those leaks have been not going to call names because we don't have enough time for that. [Laughs] And there's so many cases in which that happened.

[00:05:25] Rick Dronkers: We went a little bit from a cowboy era and now we have to pay the price for that.

[00:05:31] Janus Visser: That's a bit blunt. It's not a price we were growing up. Yeah, we are being pointed into the responsibilities we have in this field. So yeah, we're going to do some stuff. We'll not be able to do everything we wanted, but I think it's a very good place to be in. The rules about data governance and data management should be introduced into the average marketing tech stack management. We should follow the rules of IT and security and all those other parts of the business that have already been working with the digital space since the eighties.

[00:06:08] Rick Dronkers: So one of the things that will require is the introduction of process, because if you wanna be compliant, you have to adhere to a process. You have to go through certain steps before you implement the JavaScript, right? Do you already see this happening at, in your case, at certain clients? Perhaps in your case, since you work at a bank, obviously there's gonna be process. [Laughs]

[00:06:31] Janus Visser: Yeah.

[00:06:32] Rick Dronkers: And how do you see that evolving from marketing? 'Cause from an IT perspective, I think, yeah, we all have to deal with it, and we all know that in order to get something live on the website, they usually go through a couple of steps, right? So it's more ingrained there. With marketing, I feel like we're lagging behind a little.

[00:06:47] Janus Visser: There's one very good thing happening is that marketeers are becoming more aware of what they're doing with data and that compliance should be a part of it. So I see more cases happening where the marketer actually knows that they have to involve a compliance officer or the legal side of things, and even at companies that don't have the rules in place as ABN does, because in that case, you simply have to jump through a thousand hoops before you can move anyway. But even at the companies that give a lot of liberty and space, I see people becoming aware of, I should think about this a bit more before I'm going live.

[00:07:24] Twan Lammers: Yeah, I think that's maybe one of the advantages to being at a bank is all those, we call them, risk assessments are already in place. So, we do that for everything we do. So that's not a new thing for us, but it is time consuming and so that, yeah, I think other companies need to adapt to that so that it will take a lot longer than just, Hey, I have this script, can you put it on my website? That will be a problem. So that will take a lot more time just to see, okay, what the risks am I accepting to do? So, which data is sent to the vendor? And then if everything is in place, then eventually you can have some scripting on your site.

[00:08:07] Janus Visser: I must say that those processes that take too much time are also the key to circumventing those processes because we mostly work for marketeers. Marketeers are creative people. They are chaotic in the best case. They wanna move forward. They want to have it done yesterday instead of four weeks from now. If you put in processes that constantly hinder these people to work within their creativity and in their speed, they're going to circumvent them.

[00:08:36] And that's the one thing I'm trying to integrate our clients is a certain amount of speed and urgency in which a compliance check can be done, in which a security check can be done. And in some cases we even just align with a compliance officer during a sprint cycle. So that means not asking legal, can you look into this?

[00:08:57] And eight weeks later you have an answer. No, in the same week the compliance officer knows they have to be part of that sprint cycle because that is what we agree upon. That makes it easier to follow certain processes and does adhere to those processes.

[00:09:13] Rick Dronkers: How do you see the role of technology vendors? The Hotjars let's take, leave Google out of it for a second, but all other technology vendors? What could they do to make this process better and to make our lives easier?

[00:09:28] Janus Visser: I discussed it this morning with a colleague of mine. The one thing to safeguard privacy is to follow what the data subject, the person who is the data about agrees to it. So that's consent. And that's one thing I see that is missing in most serious vendors. So the big boys is having consent as a dedicated attribute to those profiles to either follow to base business ruling on, let's take Google.

[00:10:00] I am going to introduce it. How awesome would it be if consent was a standard attribute, that is part of every user engagement, but it's also taken with to Google Ads, to DV360, to BigQuery because what you do with the data, the purpose of which you process it, that's where you ask consent for.

[00:10:20] There are situations where a person is, okay, you can use my data to analyze your website, but you're not allowed to track me and use me in advertising. But the Google Marketing Platform is so integrated that all happens on the same data file. You need to be able to differentiate in that entire life cycle.

[00:10:41] And that's what I see that vendors can improve upon this. Making sure that you give the features and integration possibilities to keep consent as metadata to every profile and make sure that there's business ruling upon them.

[00:10:54] Rick Dronkers: Having consent state available throughout the entire data flow. A lot of people will add it manually, like we do it for our clients in GA4. We add, we just add the consent state manually as a parameter for this specific reason.

[00:11:08] Yeah. But yeah, it would be nice if Hotjar did the same, right? And if any, any other tool did the same and it was uniform across all of them, would save us a lot. From a contract point of view and from like a process point of view, is there anything they can do on that side as well? Vendors?

[00:11:24] Janus Visser: Yeah. They are dependent on legislation. So what we see now with Schrems II. On the contract side, we can't solve, this is a political thing that should be solved. All and all completely different, different levels. So I feel in terms of contracting, they are fine 'cause they're trying to offer you standard contractual clauses. They're trying to offer process agreements. But that doesn't change the risks for the people using those vendors or the risk for the vendors themselves. It's only moving around that risk from point A to point B. So on a contract level, I don't really see the improvements there.

[00:12:01] In terms of the process, and that's one thing I'm trying to introduce to clients if they start listening, is making a map of all the vendors you have, tools you use from those vendors and whether or not the tool itself is going to manage a part of your compliance requirements. Cuz certain tools only receive data, to as an endpoint, there is no further movement of data in the life cycle, and the tools should only receive a certain part of the data set for which consent has been granted. For instance, Tealium with Event Stream and IQ and Audience Stream, that is a compliance management system. So they get basically all the data and share it to different parts. So that is a very different vendor setup requires a very different process compared to Hotjar, which has a single purpose and a single use, and is not going to share data after they use it. So that's an end point. So there is a difference between data using applications and data distribution applications and the responsibilities that are in there to manage your compliance requirements. Absolutely not sure whether that's an answer to your question. [Laughs]

[00:13:11] Rick Dronkers: We're exploring. So let's bring it to what we can do, right? And then I'm gonna call the people on this table where the people are responsible for implementing these scripts, right? It's at our company or at our clients. What can we do when it comes to implementing all these marketing technology scripts in order to move a step forward. What are the processes we can put in place? What I see at ABN is that we work closer to our legal department as well to implement GA4 at the moment. So that's a big step. And we're all also talking to Google with them, and I have sessions with them just to see how we can get closer together. And I think that's a really important step to fill that knowledge gap because we aren't legal people and they aren't development. So that's what we need to solve with each other, I think, and have the best interest both in the end user, but also in with our company. Yeah. Is doing and how it is doing, and also with our, all our the strategy that we have as a bank. That's a really important thing.

[00:14:16] Janus Visser: I think the introduction of privacy first and privacy by design, really truly believing in adding that to your ethical standard in work. Cuz as an analyst or technical analyst or as a consultant, you already adopt a certain standard for quality of work. That's your pride and joy. Making sure everything works as intended and data quality is of the highest standard possible. Why not add privacy to that? Make that part of that ethical standard of your work. First asking the questions, Should I, do we want this? Is this necessary? Can we minimize the data?

[00:14:54] Twan Lammers: Yeah, the problem there is that the, I think the analyst isn't a problem there, so I think it's more in advertising and those kind of departments that really data to...

[00:15:07] Rick Dronkers: It's always the advertisers. [Laughs] Of course.

[00:15:12] Twan Lammers: also end clients with that. I think end clients always want more revenue at the end and they don't have more budget for it. So that's why we are going into all these small innovations. And that's what happened already. And I don't think that a data analyst should be a legal person in the end because that's not what he wanted to be when he started it. [Laughs] He already knows a lot about it. I think that the knowledge about legal stuff went up on in data analytics a lot. Yeah, but you need to ask yourself, is that where we want it or not?

[00:15:50] Rick Dronkers: Yeah. But I do think privacy, like privacy by design, I do think it's more of a generic mindset and also like an IT thing more than a legal thing, right? Like, so thinking from the ground up about how could this data potentially end up infringing on privacy, of course. I feel like, yeah, we haven't done that because yeah, we were just implementing JavaScript, right? We were doing fine and nobody thought about that. And now you know, we see the ramifications. So yeah, I think that like, that's probably something that will evolve over time as people just get introduced to the concept more and more.

[00:16:29] Janus Visser: And it's an additional special. So, if you have an analyst that truly deep dives in data and likes to crawl around in tables in BigQuery, of course I'm not going to expect from that person to have a meaningful conversation with a lawyer or an ad vendor asking for a lot of data. And the other one says, No, absolutely nothing.

[00:16:48] Twan Lammers: But that is where we are ending up at the moment.

[00:16:51] Janus Visser: Yeah. And then everybody's looking at each other and nobody has the answer. We introduce an additional person who is tech savvy, who knows what BigQuery or any other ad vendor is going to do with the data and what they would like. And who also understands the GDPR and understands why a lawyer is saying what he's saying.

[00:17:10] That's just an additional role into a larger process because I feel that the people working with the distribution tools such as tag management, CDPs, you have a gatekeeping function. And in most cases, you're not an individual owning that tool. It's a team that owns the tool. So that team can also be extended with a person who safeguards the privacy side and compliance side of things. So a dedicated person who gets through the boring stuff.

[00:17:39] Rick Dronkers: I also feel personally, currently a lot of vendors are basically avoiding this discussion. Usually, they operate across the world, so it's hard. I get that it's hard to operate different regions, different privacy legislation, but they're also just trying to make sure that they don't say anything that can get back to them. But I do feel that it's also a unique opportunity for vendors to actually do speak out and position themselves like, okay, we are taking a step to make our platform. We have an option you can hit and then it's GDPR compliant on our end for as far as we can guarantee that.

[00:18:15] Janus Visser: Looking at a GDPR in, in, in principle, in basis, yes, this could be done. And we see that Piwik for instance, has really a good emphasis on that unique selling point. But most vendors we like to use that the best in the business are US based. Which means that with the current legal void of Schrems II, yeah, of course they're going to avoid a conversation like fire because there is no way they can comply because they have to adhere to FISA 702 and the Cloud Act and the GDPR and those are conflicting legislation. Yeah. So the legal void is currently not an option for the vendors to speak out. I do see that Adobe, Tealium and Google are introducing or reintroducing features as a privacy safeguard mechanism. But I think they should push those boundaries way further. Really go the extra mile and yeah, they've been slow.

[00:19:11] Rick Dronkers: Yeah, true. They could have done more. So practically speaking right now, what do you do if a client in your case comes to you and says we wanna add Hotjar, what's the process you walk through with them?

[00:19:25] Janus Visser: In most cases we hope for a good consent management solution on the website. So we do have the data about the data subject, whether or not you are allowed to share data with Hotjar. That really depends on the client whether we are happy with that solution or not. It fits all of the requirements and in some cases we have to go through the entire process of adding the vendor as a data processor on the legal side. So they have to go through the data processing agreement stuff. In some cases they don't care, and it's just about fill in the form and we're going to solve it afterwards, and you can go live. That is a quite pragmatic solution. Just know that it's going to get there, but please continue. It is accepting a bit of risk but in most cases it's just making sure you know in what consent category you wish to activate the code and start sharing data with the tool.

[00:20:20] Twan Lammers: Is that changing now? My time as a consultant, it was most of the times that I talked to the client about, Hey, if you're implementing Hotjar, there is a solution to mask the PII data, but it won't mask everything. So it's just form fields by default. And then you have a telephone number over here and an email address over there, and that's what you'll need to do manually. But that was all initiated by the agency at that time. Do you see a movement in that as well, that clients are asking for it more to be compliant with implementing those tools?

[00:20:58] Janus Visser: Not really. There's still a huge knowledge gap about the risks that you introduce with a certain application and the way they handle Hotjar is introduced by the conversion optimization team as an analytics tool, and they have absolutely zero clue that their front-end has a moment where it doesn't use a form, but it does show credit card details. That still happens for consultants and the people in the tech teams implementing these solutions. It's still very much on their side to flag those potential risks. And that is, that it depends on individuals is a problem in itself.

[00:21:39] Twan Lammers: Yeah, true.

[00:21:39] Rick Dronkers: Question for you. Have you thought about telling your clients that you need them to go through that process before you are willing to deploy it for them, right? So let's say you are their technology partner, they rely on you to deploy Hotjar or whatever kind of other tool. You could say like, okay, if you don't go through the to all the context, we won't do it. Which of course could be a negative business decision for you, short term.

[00:22:06] Janus Visser: Cloud Nine Digital, I think is the only data consultancy in the Netherlands that has a dedicated data compliance and governance team. That means that we are the pain in the ass for certain situations, and we have absolutely zero regard for the potential negatives about telling the client, You shouldn't do this. This is a bad idea. Cause the moment it goes wrong. For instance, we work for ABN, if I am not telling them the risks involved and they are being put on the table with a journalist seeing that they're doing something they shouldn't, how bad does that reflect on me as a potential gatekeeper in that system? So I have absolutely zero issue with being the asshole saying, no, you shouldn't.

[00:22:54] Rick Dronkers: Yeah. Cause I do think in the end that is where the change will need to come from, right? From the people who understand it. Like, if you do not know that Hotjar can expose credit card details, it becomes a difficult discussion to...

[00:23:06] Janus Visser: It's a constant education.

[00:23:07] It's really the growth in maturity. And that is one thing I really like about GDPR and I hope that the privacy regulation that is coming as a replacement for the directive adds an additional emphasis on that. You should truly understand what you're doing and what certain vendors are doing and where the risks are involved because it has been a free playing field for 15 or 20 years, and this is the first time we have to think about what we're doing.

[00:23:35] It's also something that's really nice about server-side tagging. It introduces additional reasons to actually think about the data you're sending, which is wonderful, which is a very good place to assert control. I really think that our industry is maturing in a way that, yeah, we're going to lose some features, but in the end we're going to make it a sustainable business.

[00:24:00] Rick Dronkers: I think you open up a nice segue to server-side tag management there. [Laughs] If you work in our industry then probably in the last couple of months you've had affiliates or other ad networks besides Facebook was probably first with the conversion API and now they're all copying the conversion API, right? The server-to-server measurement. I have a feeling that it is being pushed by sales teams to advertisers. And they are in turn, pushing me to implement it, right? Because Safari ITP, everything's impacting their return on investment measurement, and now I have to implement this magic pixel for them via server-side tag manager to fix it all. To me, this feels like we're starting the cowboy era over again, right? The JavaScript cowboy era, but then on server-side tag manager.

[00:24:48] Janus Visser: Without the ethical check in that implementation. Yeah, you're right. That's also what Simo Ahava told. Yeah. The server-side opens a whole new world of doing bad and horrible stuff. The other side, server-side introduces a whole new world of additional controls we haven't had. So if you load the meta of the Facebook pixel, you don't do anything about it and add everything they ask you to add, you're going to send email addresses when somebody's typing it in a form. It's already shared with Facebook without any additional consent, without any doubtful hit on a button that they are allowed to share it with Facebook.

[00:25:28] So that is for all intents and purposes a data breach in that moment. So the original client-side, JavaScript-based tagging is horrible because you have zero control. And in most cases it's quite difficult to explain to either compliance or the legal team what data is actually measured and going from A to B cause it's not visible to you.

[00:25:52] On server-side it is your code on your server and you have to actually select that data points. You wanted to share them, you want to share with them. That introduces the option to actually make a well educated choice about what you're going to share and not. So with server-side you are able to introduce the processes of data minimization, which is an actual article in the GDPR.

[00:26:17] We finally have the tools to use that. So I am advising our clients, yes, please go to server side as fast as possible, only if it is for this additional sense of control with the option to increase your measure rates. But start with a single data point. Just only the hashed email address. Leave out home addresses, first name, last name, phone numbers. Yeah, build it up. Start at minimal, make a good risk assessment per data point, move forward depending on how efficient match rates are. So yeah, I'm very glad about the introduction of server-side. [Laughs]

[00:26:52] Rick Dronkers: It has the potential to do a lot of good. I think we're done. I see people grabbing drinks so we should probably join them. Thank you both for hopping on the podcast. Thanks all. [Clapping]

[00:27:03] [MUSIC SOUND EFFECT BEGINS AND FADES]