At this stage, it feels like the removal of third-party cookies, Schrems II, GDPR regulations, and new data regulations are all over the place. It can be hard to keep up, so this blog post is here to help you out! Read along about the latest legal updates, the removal of Google’s third-party cookies, and how to tackle the challenges ahead*
*All information is based on interviews with Voyado’s General Counsel, Cecilia Lindström, and Product Director, Felix Kruth.
Please note that Voyado is not a law firm, and we do not offer legal advice. We want to help you to understand how this legislation can affect you as a retailer. You should always refer to a qualified legal source when it comes to checking whether or not you are compliant in any given situation.
Let’s dive right into legal updates. It might not be your favorite topic, but it’s of huge importance since it determines how you’re allowed to market your products. Staying compliant also means showing your customers that you care about their privacy for real – something meaningful, instead of just a privacy notice stating the ordinary “we take data protection seriously.. jadda, jadda…”.
We have listed a bunch of new regulations and updates within the legal space that you need to stay on top of:
- Schrems II – the verdict that invalidated the EU-US Privacy Shield, which companies relied on to transfer data between the EU and the US. Schrems II is actually a good thing! It has highlighted the issues with foreign legislation and transporting data to the US. And to stay on the right side here – you need to make sure that the suppliers you are using offer the right level of security for your customer data.
- Profiling – the processing of multiple data points to predict future behaviors, to personalize customer journeys. Did you know that working with profiling (or personalization in marketing language) requires explicit consent? But, if you provide a service where profiling is included – you may get around this rule! The perfect way to do this is to offer services that include profiling in your loyalty program. Customers tend not to check privacy boxes, but they do want to become members if you make your loyalty offering attractive. Just make sure to be transparent about the profiling you’re doing in your privacy notice!
- The new consumer rights act – several consumer legislation acts were updated in the spring/summer 2022 to reflect the society we live in today – and the legislation now also includes digital services. You need to make sure you have updated your terms and conditions and included digital services, technical updates, and guarantees (if you are using guarantees in your marketing). Talk to your legal contact to make sure your terms are up to date.
- The price information act – the EU directive related to marketing something at a lower price/discount/sale. You are now required by law to state the previous lowest price for the previous 30 days to avoid misleading customers. This might affect your email templates if you don’t already have a field for the previous lowest price and new price.
- The marketing act – the directive looking at false recommendations and reviews. You are now required to either verify reviews and comments for your products or include a text informing that you have not yet verified the reviews and the correctness of comments.
- Dark patterns – the notion of purposely misleading the user with design elements. For example, writing “I want to receive marketing communications” in red, and “I do not want to receive marketing communications” in green or making it more difficult to end a service than signing up for one. That’s actually illegal. And when a user wants to opt out, you are not allowed to ask for a specific reason as a requirement for the opt-out. According to GDPR, you need to offer a clear and transparent opt-out. And in the case of dark patterns, there might actually be more burdensome fines involved because you actively mislead the customer. Future legislation making this even stricter is also on its way.
If you’re not compliant with these new regulations, you are risking large fines and putting your goodwill in jeopardy! Some of the recent fines for not being transparent towards the customers resulted in an administrative fine of 7,5 million SEK.
Challenges moving forward
The challenges ahead are actually not so much about the removal of third-party cookies, but that the landscape is so complex right now. But when there are so many things going on – we tend to focus on the things we understand (which are third-party cookies now) but that does not give us the full picture! What is the full picture?
4 driving changes within the privacy space
It’s not so much about third-party cookies. It’s about these four driving forces in the privacy space:
- GDPR – has been around since 2016 and many are still not fully compliant. But the most troubling issue here is Schrems II that we mentioned, regarding the third-party data transfer from the EU to the US, and the use of compliant services.
- ePrivacy – the regulation that concerns cookies. And changes are coming fast within this space, for example:
  - You need consent for all cookies that are not necessary (like for example saving a customer basket automatically)
  - You need to specify the data that the cookie tracks, and its purpose
  - You must allow users to access your service even if they don’t allow certain cookie use
- Browser & OS – are constantly updating their privacy efforts, led by Apple and Safari. They have restricted the visibility of emails opened, implemented IP relays, and of course, removed third-party cookies.
- New acts – all the ones we mentioned in the section above! But there will be more coming, so you need to make sure you stay on top and keep up with the new acts.
The different cookie flavors
The removal of Google’s third-party cookies
Third-party cookies have already been removed from the majority of all browsers. For example, iPhone users who primarily use Safari have been without third-party cookies for years. The next big thing now that everyone is talking about is the removal of Chrome’s third-party cookies – which will take place in 2023 or 2024.
Within the operating systems, Apple has removed their in-app tracking – which means you need explicit consent. And it’s these things that make your paid marketing a lot more expensive, which leads to ad companies wanting to get around this rule. To block what ad companies did, browsers started restricting first-party cookies – which led to unintentional changes that affected:
- Web analytics
- Marketing automation
- A/B testing
Navigate through the new privacy landscape
GDPR, ePrivacy, Browser & OS updates, and the new acts have given us a new privacy landscape that we need to navigate. And there are three main things that you need to stay on top of to work smart:
- You need explicit consent for a lot of different things. You will not be able to get around it now that the fines are increasing.
- The unintentional effects after removing in-app tracking that you need to find ways to work around.
- Less efficient cookies – due to the explicit consent, we can only assume that many customers will press no, because that is what happened when Apple removed in-app tracking and required consent – about 80% pressed no.
The effects of the new landscape
To get a better picture and understand what the new privacy landscape will do, here are the three biggest changes that you need to face:
– It will be harder to understand your customers
Attribution, testing, marketing automation, and retargeting are affected if you don’t work with customer-first data.
– It will be more expensive to acquire and retain customers
Ad platforms will have a hard time targeting.
– You need to rethink your business fundamentals
Companies that adapt will grow – the ones who don’t won’t make it.
Solutions to the challenges
Yes, there are challenges, but no, you don’t have to panic. But to continue to succeed – you will need to implement a customer-first data strategy.
This means revolving your strategy around these two:
- Zero-party data – when a customer freely and actively shares data
- First-party data – data collected directly by a company from a customer who interacts with it
In order to implement this kind of strategy, you need some sort of customer data platform. With a CDP, you can input compliant data, store it, analyze it, and then output it into actions. We probably don’t even have to mention that the CDP will have to offer consent, so you can rest assured that you stay compliant, but now we did.
Reconsider the points of sale
In the e-com space, you will want to encourage the visitors to create an account to get the customers to actively identify themselves. You need this to get the data on the customer to give them a great experience. You can also utilize an email marketing strategy that allows a soft- or auto login that is cookie-less.
In stores, you need a plan to get people to identify themselves. The customer needs to fully understand all the benefits of giving you their data. The store personnel are responsible for explaining what value the customer gets from it.
Loyalty is everything
What are you as a company doing to get your customers to come back to you? If your customers know the value of returning to you – they will give you the data you need. This is the key to succeeding in the new privacy landscape! Because when you have their data, you can do all the things that are difficult now, like:
- Targeted ads
- Timed offers
- Marketing automation
5 tips to summarize
- Review your cookies and consent processes
- Include profiling as a service in your loyalty program and make memberships more attractive
- Check if you need to update your email templates to adapt to the new price and customer recommendations legislation
- Make loyalty a key question in your organization and customer offering