Data protection and privacy regulations, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States, give individuals the right to govern how an organization uses their personal data. These regulations allow people to opt in or out of having their personal data collected, processed, or shared, and require organizations to implement reasonable procedures and practices to obtain and respect their customers’ data use consent.
What is consent?
What do we mean when we talk about “consent” in the context of data protection and privacy? Simply put, it’s an individual’s decision about whether and how data about them is collected and used. Easy to define, but extraordinarily complex in practice.
Organizations have multiple types of information about their customers, including transactional data (such as membership renewals), behavioral data (such as URLs visited), and observational data (such as time spent on specific webpages). Additionally, customers can have multiple types of contact points (such as email addresses, phone numbers, and social media handles). Adding to an already complex challenge, the purposes for using customer data can vary across an organization’s lines of business and can number in the dozens.
Consider the example of an online sports franchise that has two different lines of business: football merchandise and memberships. The organization will need to capture the following information to use a customer’s data with their consent:
- Organization: Contoso Football Franchise
- Line of business: Football merchandise
- Contact point: firstname.lastname@example.org
- Purpose for using data: Email communications with promotional offers for football merchandise
- Consent preference: Opt-in/opt-out
A customer’s consent to collect and use their data must be obtained for each data source, contact point, and use or purpose.
The challenge: Obtain consent for multiple types of personal data and contact points
Every industry around the globe is affected by privacy legislation and related requirements, from the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry, to the Children’s Online Privacy Protection Act (COPPA) in online services, to legal frameworks such as the GDPR, to state-specific acts such as the CCPA. Requesting and respecting your customer’s consent for each contact point, each type of data, and each purpose for which the data is used, all while complying with every applicable data protection and privacy regulation, quickly becomes a monumental task.
The solution: Include consent in your customer data platform
One way to be sure you’ve captured granular levels of consent preferences is to ingest customer data from various sources—transactional, behavioral, and observational—into a customer data platform (CDP). A CDP like Microsoft Dynamics 365 Customer Insights helps you build a complete picture of individual customers that includes their consent for specific uses of their data.
Unified customer profiles in Customer Insights provide 360-degree views of your customers, including the consent they’ve granted for using their data. Customer Insights enables companies to add their captured consent data as a primary attribute, ensuring that you can honor your customers’ preferences for the collection, processing, and use of their data. Capturing consent preferences can help you power personalized experiences for customers while at the same time respecting their right to privacy.
Respecting customers’ preferences for specific data use purposes is key to building trust relationships. Dynamics 365 Marketing automatically applies consent preferences through subscription centers to support compliance with the GDPR, CCPA, HIPAA, and other data protection and privacy regulations.
Why include consent in a unified customer profile?
Here are three common scenarios that illustrate the significant advantages to having consent data as part of a single, unified customer profile.
Consent data is specific to lines of business and, hence, is often fragmented.
Consider our earlier example of the online sports franchise with two different lines of business, football merchandise and memberships. This organization is likely to have separate consent data captured by each line of business for the same customer. It makes a lot of sense to unify these consent data sources into a single profile to enforce organization-wide privacy policies.
The customer can revoke consent at any time and expects the business to honor the change with immediate effect.
For instance, when a customer who is browsing a website revokes consent for tracking, the tracking must stop immediately. Otherwise, the business risks losing the customer’s trust and could be in violation of regulatory requirements.
When customer consent data isn’t stored with the unified profile, there can be significant delays in syncing data between the marketing application and the consent data source. As part of a unified profile, however, consent data can be updated automatically and the updated profiles can be used to refresh segments, ensuring that customers who have revoked consent are excluded from the segments in a timely manner.
Personal data is anonymized or pseudonymized.
Anonymized or pseudonymized customer data is often used for machine learning and AI processing, for instance. If customers’ consent to use their data for this purpose is recorded in separate anonymized or pseudonymized user profiles, it becomes much harder to map a given customer profile across different data sources. When the consent data is stored in a unified profile, however, the organization can continue to get the benefit of data from combined customer interactions when the user identity is anonymized or pseudonymized.