The Problems with a Band-Aid Approach to Data Governance and Compliance

Regulations like GDPR and CCPA are changing the ways that brands, agencies, and technology companies approach marketing data. Now that CCPA enforcement has begun, there’s more interest than ever in the cottage industry of point solutions taking advantage of fear, uncertainty, and disorder to sell short-term “compliance” products. 

It’s understandable why this set of firms is attracting investment, as they are stepping in to supposedly help solve a very big advertising issue. But too many are merely helping their clients put a band-aid on the problem, rather than tackle the larger issues of true governance, compliance, and risk management. 

With so many unanswered questions, these solutions leave their clients vulnerable to potential fines. Taking a broad, checklist approach to data compliance also means brands, agencies, and solutions providers are leaving valuable data — and money — on the table. Huge chunks of data that could be used in different marketing situations are jettisoned out of uncertainty about their compliance. Rather than continue a fear-based band-aid strategy that throws the baby out with the bathwater, the ad industry needs to adopt a philosophy of managing privacy and data governance at the edge.

The problem with band-aids

Much of the conversation around data collection has focused on the need to get all operations to comply quickly or else face potentially stiff penalties. This has forced many to adopt blanket approaches to compliance, where they’ve ensured that their data operations or technology are in complete compliance with both GDPR and CCPA across the board.  

It’s a quick fix, but potential issues loom. American entities that avoided Europe due to GDPR now must comply with CCPA. Compliance and governance only get more complicated with other potential state privacy laws on the horizon. Adopting a blanket approach so that practices are in compliance with every single law will result in data getting dumped for no reason. 

Living at the edge

Managing privacy “at the edge” means that all data governance is done within jurisdiction. GDPR is different from CCPA, which is different from what a New York privacy law may look like. Building a data strategy that is somehow compliant with every law in every region at the same time can get complicated, but the bigger impact is that it starts cutting away valuable data. 

For example, the most recent reports of a potential New York law included a “data fiduciary” concept that is absent from CCPA and GDPR. This might mean that data collection practices become stricter in New York than elsewhere. If that’s the case, it doesn’t make sense for an advertiser to adhere to New York law within California or Florida. This is further complicated when state laws inevitably change as well, like the pending CPRA ballot initiative in California.

Rather than a blanket data governance plan, the industry needs to prioritize data collection that complies with the laws of each state on an individual basis, in near real time, ensuring that every party is in adherence but that there is no overprotection potentially eliminating valuable data without cause. This is what managing at the edge entails. 

Moving to data granularity

As more privacy laws pop up, blanket policies and compliance band aids could result in brands cutting away 20% to 40% of the data they would have previously collected. A big portion of that data is likely usable in different scenarios, but a failure to operate at the edge means that brands are cutting away portions to be on the safe side.

Rather than jettison huge chunks of data because it may not be compliant, the industry needs to adopt granular data governance controls that provide a view into the circumstances of every piece of data.

All of the concern about the end of third-party data underlines just how many players in the ad industry haven’t put substantial effort into understanding and enacting data governance plans. Taking a more granular approach to data and tagging every piece of information as it is collected is more work, but it also maintains access to the valuable data on which brands and agencies rely. 

Adopting a data governance strategy that works at the edge allows the industry to gather data while adhering to different restrictions by jurisdiction. As more privacy laws emerge, in New York, Michigan, or wherever else, this strategy will only grow in importance. The ad industry needs to adapt, but it doesn’t have to broadly adapt to every single law all at once. Instead, it needs to adopt strategies that can adjust to the next policy that comes along, ensuring compliance and consumer safety without overreacting.

The result is that no brand or agency leaves money on the table, while maintaining strict compliance and safety from potential fines. Threading this needle takes work, but it’s not impossible.

Marc Sabatini is CRO of Aqfer.

Tags: