When will Privacy regulators tackle data access and data portability?

Just looking at the German competition authority’s decision around Facebook and its interpretation of the use of Consent. That will have a big impact.

Whilst I’m no big fan of GDPR (overhype and under delivery so far versus what could have been), it does seem that by the first anniversary of it going live the regulation will be starting to show its teeth and have some real impact.

The problem with that is it will probably take a decade to deliver real improvement, and even that will only be on the ‘defence’ side of personal data capabilities. That is to say, ten years to eliminate the bad stuff which just should not be happening.

So far the regulators seem to be ignoring the ‘offence’ side, i.e. the more enabling aspects such as data access and data portability.

Of course one could argue that it is not the regulator’s job to build out positive capability on the side of the individual. I would argue otherwise; if more bandwidth was put on the positive side of what individuals could do with proper access to their data then a lot of the bad things would go away more quickly. Nodding towards data access and data portability and then doing nothing about clear failure to deliver helps no one.

Personal RFP’s….what are they, and how do we make them happen?

At the VRM West Coast workshop, Don Marti led a session on Personal RFP’s, which then led to the issue being debated further on the mail list and built out in this post by Alan Mitchell. Here’s my contribution, looking as much from the CRM/ recipient perspective as the VRM one – ultimately I think that until we look at both simultaneously then we won’t get much up and running at any kind of scale deployment.

Firstly, I think we need to get our terminology in order; as Craig Burton pointed out…we do not yet have a clear VRM lexicon accepted and understood by all project participants.

Here are a couple of references from Wikipedia, that relate to/ illustrate the background to the terms Request for Information (RFI) and Request for Proposals (RFP). I think we need to look at both in tandem because typically they interact with each other.

Request for Information

A request for information (RFI) is a standard business process whose purpose is to collect written information about the capabilities of various suppliers. Normally it follows a format that can be used for comparative purposes. An RFI is primarily used to gather information to help make a decision on what steps to take next. RFIs are therefore seldom the final stage and are instead often used in combination with the following: request for proposal (RFP), request for tender (RFT), and request for quotation (RFQ). In addition to gathering basic information, an RFI is often used as a solicitation sent to a broad base of potential suppliers for the purpose of conditioning supplier’s minds, developing strategy, building a database, and preparing for an RFP, RFT, or RFQ.

Request for Proposal

A request for proposal (referred to as RFP) is an invitation for suppliers, often through a bidding process, to submit a proposal on a specific commodity or service. A bidding process is one of the best methods for leveraging a company’s negotiating ability and purchasing power with suppliers. The RFP process brings structure to the procurement decision and allows the risks and benefits to be identified clearly upfront. The RFP purchase process is lengthier than others, so it is used only where its many advantages outweigh any disadvantages and delays caused. The added benefit of input from a broad spectrum of functional experts ensures that the solution chosen will suit the company’s requirements. Effective RFPs typically reflect the strategy and short/long-term business objectives, providing detailed insight upon which suppliers will be able to offer a matching perspective.

I think the background to these terms is key to how we must think of them in VRM world if we are to understand how best to deploy them. What does that mean in practice?

  1. The RFI and RFP processes originate from professional procurement functions, that have the time, funds and incentive to make the process work
  2. There is an implicit logic in the process for both parties, architected around eliminating guesswork and waste; i.e. we’ll tell you what we want to know about (RFI) and, based on that information, what we want to buy (RFP) to save you having to market and sell to us; and by being more organised we’ll be able to do a more efficient deal for both and generate a win-win
  3. They are business processes, not just technologies or data flows
  4. The communications channels through which the interactions and transactions are exchanged should be standard, mass market, not niche
  5. They need two parties, issuers and respondents, both of whom understand how the process works, and both of whom have to do a lot of work to make the exercise work
  6. They typically relate to fairly complex requirements, because the cost of the process is high enough to eliminate the value in applying it to simple/ low cost purchases
  7. The buyer requirement/ seller response is rarely just about lowest price, items suited to that are dealt with in commodity markets

In addition to these characteristics, it is also worth noting that over time intermediaries have emerged (e.g. TEC) who, amongst other support services, make whole series of standard RFI and RFP templates available at no or low cost in order to stick themselves into the value chain.

My view of the above is that a) the originators of the terms RFI and RFP now have finely honed processes for dealing with them, they do enable win-wins for buyer and seller, and intermediaries have emerged to deal with some of the hard stuff – like finding common terminology, and b) they are typically not automated processes and thus not at all like what will actually be required to do the things we have commonly described as Personal RFPs in VRM discussions (e.g. I’m here, and I need a stroller for twins).

SO: Before we progress, we may wish to change our terminology around the RFI/ RFP issue – to more accurately reflect what the individual needs; otherwise we risk being confused with the prior deployments of the terms which actually have very little in common with what the individual might deploy right now.

Here’s my view of what those needs are:

  • To be able to articulate a requirement for information about a product or service in ways that can be discovered by potential suppliers or other third or fourth party service providers (assume by a machine but not exclusively so). This area is where Alan suggests there is the biggest gap at present; and that’s quite right – if that gap was not there we’d have had personal RFP type things going on years ago.
  • To share that requirement for information without compromising one’s data privacy beyond that required to receive the information sought.
  • To match ‘information requests/ buying intentions’ with their equivalent information provisions and proposals (that’s the really smart bit!!!!).
  • To receive responses to the information request through one or more communication channels.
  • To be able to interact with responses, including follow up to complete a sale, or to extend an information request.

If we look hard enough we’ll find that there are already architectures out there, that do 2, 3 and 4 – and bits of 1 are around that can be picked up and added in, either directly or (more likely) via fourth party services. For example, the architecture below has been doing its stuff on the web since way back in 2000; a proposition called 2busy2surf that was way ahead of its time. Unfortunately that business has now gone, but the architecture and buyer-seller matching engine has been white-labelled into 20 or so propositions since then. It is still churning out stacks of permissioned requests for information and requests for proposals, and returning matched information packages or offers. These come direct from the selling organisation, or more typically through the affiliate markets (third party services).

[Figure: RFI & P Architecture 1]

So, to get what we used to call personal RFP’s up and running, what we need to do, in my view, is:

  1. Sort out our terminology/ lexicon
  2. Build out the Requirements Articulation piece (adding search maps, comparison engines and other added value buying services into the spec)
  3. Tell the story of the architecture
  4. Get it running in a few businesses in a more overtly VRM way
  5. Publish the architecture as an open standard

That’s going to take a bit of time and effort. It’s on the agenda for the User Driven and Volunteered Personal Information working group at Kantara; this group has now been approved and will be up and running shortly. I’ll post the details on how to join that as soon as I have them.

Thoughts anyone?


Hard Re-set Required for Direct Marketing to Re-invent Itself

(Cross post from Right Side Up)

As a buyer of far too many computing gadgets over the years, I’ve become very familiar with the term ‘hard re-set’. This is typically used to describe a situation in which a system has got its inner workings so tied up in knots that the only way to fix it is to wipe the slate clean and start again.

I’m increasingly of the view that a hard re-set is what is required to re-invent the direct marketing industry (in which I include Facebook, Adwords et al) and in doing so prevent it from self-destructing. Before we get to what that hard re-set will involve, let’s be clear about what the problem is.

In my view, what’s killing the industry (which I’ve been part of since 1986) is its determination to cling on to the principle that unless an individual has ‘Opted Out’ then they are fair game to be targeted with marketing messages.

In some aspects of the direct marketing industry, e.g. direct mail prospecting, the interpretation of ‘opt out’ is not subtle, i.e. we’ll physically mail you with whatever we like, when we like…..and enough of you will respond to make it worth our while.

In other areas, e.g. e-mail marketing or loyalty/ retention marketing there is at least some form of value exchange in place….give us your contact details and consent so we can market to you, and we’ll let you have a look at content ‘for free’ or we’ll give you a discount on something you may buy (both of which, by the way, we may cover the cost of and more by selling your contact details and related data to someone else).

There are further aspects of the industry that are prone to what amounts to self-serving behaviours on behalf of the direct marketer. These typically involve the ‘grey areas’ such as ‘soft opt-in’ (deriving an opt-in from an existing ‘relationship’ rather than a pro-active customer consent); advertising within service communications; selective interpretation of how to use industry suppression files (such as the Mailing Preference Service in UK or Do Not Call list in USA); weak design of suppression files (i.e. too many exceptions left in place); burying the use being made of personal data either by summarising to a meaningless level, or losing within privacy policies that no-one reads other than those who drafted them.

But….guess what….. despite all this trickery, selective interpretation and manipulation, it’s still not working. Opt Out rates continue to climb on internal and external suppression files……, at least until the next work-around or piece of marketing spin makes them dip for a few months, before the inexorable upwards march continues…..and response rates on many direct marketing activities are zero.

What’s the direct marketing industry response to this? It’s simple – find new direct channels (e.g. Google Adwords, Facebook) and/ or send more messages. After all, e-mail costs peanuts to send, and on ‘digital’ we can at least pretend we have ‘permission to market’. So, I’m really looking forward to counting how many ‘twelve days of xmas’ e-mail campaigns I get targeted with this year (in fact I got my first this morning); which marketer can turn down the opportunity to send e-messages 12 days in a row?

Of course none of this would matter if marketers were sending messages that were highly targeted, using good input data, and thus were relevant to the recipient. They are not – the average 98% non-response rate is enough evidence for that (wouldn’t it be good for the mind-set change if Marketing Directors tracked campaign performance via non-response rates instead of the response rates they ask for now!!!). And this issue of relevancy of message is where we realise that the inner workings of direct marketing as currently deployed need that hard re-set:

• Sending relevant communications requires rich, ‘needs’ based data (typically expressed as ‘intention’)
• The only source of accurate needs/ intention data is the individual
• But the individual knows that handing over rich, needs based data will increase the amount of direct marketing they are exposed to
• So they either don’t hand it over, or enter flawed or dummy data to get at what they want (where consent is being swapped for information)
• Leaving organisations to derive ‘needs’ from other sources (e.g. transaction history) – and thus send irrelevant messages informed by best guesswork.

As an aside, when deriving from transaction and interaction data, some organisations will direct market better than others…Amazon, Tesco, Network Solutions are some who do it well – at least in the current modus operandi. They typically take the time and effort to do rich analysis on the raw material they do have, and send communications based on it. But even their raw material has flaws; to illustrate:

• Amazon regularly send me e-mails along the lines of ‘other people who bought MySQL for Dummies bought MySQL for Beginners’; the problem being that the MySQL book I bought was for a developer working with us. The chances of me buying another one are zero – that need has long since gone. Of course Amazon could provide me with tools to flag that this book was not for me…..but why would I want to spend time cleaning up data (unless, of course, it was exportable to my own record)?
• Tesco – I have a Clubcard although could not honestly say that it ever influences my buying behaviour as I’ll buy groceries from whichever supermarket is near where I happen to be and rotate around the online deliverers waiting for one to come up to scratch. That said, Tesco don’t seem to bother me much with direct marketing, so I’m obviously not in a high value segment (according to the data they have anyway), and they are probably making enough money from me in re-selling what they do know to the FMCG manufacturers.
• Network Solutions. These guys are my favourites; they try so hard on cross and up-selling and have designed much of it so well that they could be a ‘poster child’ for CRM. The problem is they just don’t know when to stop deriving ‘new stuff we could sell’ from the scraps of data they have access to. Consider the screen-grab below, which is what they present me with each time I’m on their site. Granted, I do live in England; but surely even the most optimistic marketer is not going to expect to sell www.iainhenderson-england.com to a Scotsman!!!!


So….back to that hard re-set…..

I believe that there are four components of a solution that, when deployed, would revolutionise direct marketing; and in doing so build a more receptive customer base. A genuine win-win that would far outstrip the short-term headaches. The components are:

Cross-Media Suppression File

The first, and most fundamental, the hard re-set itself, is making available a suppression file that offers a blanket opt out of all direct marketing. That is to say, a reference file within which an individual can register their preference to receive NO direct marketing messages at all from point of registration onwards – unless they have actively and overtly opted in through a consents management vehicle under their control. This file would include all direct media (direct mail, e-mail, SMS, telephone, mobile telephone, VOIP, pop-ups, i.e. tracking cookies – and any other direct media invented over time). The file would be created as a stand alone entity, but could be configured to take in feeds from existing suppression files such as Mailing Preference Service, Do Not Call, the proposed Do Not Track etc.

Persona/ Role Based Opt In Capability

Second – the capability for the individual to establish one or more ‘privacy profiles’ at persona/ role level. The ability to operate at persona level is key in that in different aspects of life an individual may wish to establish different communications preferences. For example an individual in their head of household mode may wish to receive ‘no junk mail’, but in their ‘Secretary of the Golf Club’ persona they may be happy to receive messages from useful business services only….but delivered to a different address.

Articulation of Needs/ Wants (Intentions) in Usable Format

Next – when the blanket opt out is established as a point of principle, the end user then must be enabled to opt back in to specific communications – but on their own terms. This means being able to specify some or all of:

• Who they wish to receive messages from
• Which message types they wish to receive (e.g. offers, quotations, reminders, news updates)
• About what do they wish to hear
• At what time do they wish messages to arrive
• Through which channel
• Over which time period should messaging be switched on

Message Management Capability

Lastly we need a message matching and management capability. The above capabilities, in combination, generate a file of ‘opted in, buying intentions requesting matching offers’. This must then be matched against a file of ‘people/ organisations that want to sell stuff/ provide requested offers or information’. Where a match is found, an introduction is made; where not, no message is sent (or only a message saying that no messages matching the criteria set are available). Ideally the message matching and management capability will be able to work across all relevant media. It should also have ‘closed loop’ reporting capabilities in order that all parties can track the success of their actions/ learn for future use. It should also help the recipient understand the upsides and downsides of the various media options in the context of what they wish to receive in order that they choose which works best for each message (e.g. a mailed catalogue may be most environmentally damaging, but may still be the best means of deciding which conservatory to buy as it offers most detailed visuals and descriptions in a format that can be browsed in a relaxed/ un-pressured manner).

In addition to these 4 building blocks, there is an implied commercial logic in such a modus operandi. This is quite simply that by respecting individuals’ right to choose the direct marketing messages they receive the response and conversion rates from these messages will be much higher.
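The four building blocks above can be read as a default-deny permission check. The sketch below is an added example, not code from the proof of concept described in this post; every class, field and reason string in it is hypothetical, the sample data is constructed, and it assumes that an individual with no record at all is also treated as "do not send".

```python
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass(frozen=True)
class OptIn:                  # one opt-in, held at persona/role level
    persona: str              # e.g. "head of household"
    senders: frozenset        # who; an empty set means any sender
    message_types: frozenset  # offers, quotations, reminders, ...
    topic: str                # about what
    channel: str              # through which channel
    earliest: time            # time of day messages may arrive
    latest: time
    valid_from: date          # period over which messaging is switched on
    valid_to: date


@dataclass(frozen=True)
class Offer:                  # what a seller wants to send
    sender: str
    message_type: str
    topic: str
    channel: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    persona: str = ""


def mismatch(o, offer, when):
    """Return the first opt-in term the offer fails, or None if all are met."""
    if o.senders and offer.sender not in o.senders:
        return "sender"
    if offer.message_type not in o.message_types:
        return "message_type"
    if offer.topic != o.topic:
        return "topic"
    if offer.channel != o.channel:
        return "channel"
    if not (o.valid_from <= when.date() <= o.valid_to):
        return "period"
    if not (o.earliest <= when.time() <= o.latest):
        return "delivery_time"
    return None


class PreferenceService:
    def __init__(self):
        self.suppressed = set()   # cross-media suppression file
        self.opt_ins = {}         # person -> list of OptIn
        self.audit = []           # closed-loop record of every decision

    def register_opt_out(self, person):
        self.suppressed.add(person)

    def add_opt_in(self, person, opt_in):
        self.opt_ins.setdefault(person, []).append(opt_in)

    def decide(self, person, offer, when):
        """Allow a message only when an explicit opt-in covers every term."""
        decision, failures = None, []
        for o in self.opt_ins.get(person, []):
            failed = mismatch(o, offer, when)
            if failed is None:
                decision = Decision(True, "opt-in", o.persona)
                break
            failures.append(failed)
        if decision is None:
            if failures:
                reason = "blocked:" + ",".join(sorted(set(failures)))
            elif person in self.suppressed:
                reason = "blanket-opt-out"
            else:
                reason = "no-record"  # assumption: fail closed
            decision = Decision(False, reason)
        self.audit.append((person, offer.sender, decision.allowed, decision.reason))
        return decision
```

The audit list is what a closed-loop report would be built from: it records refusals as well as introductions, so both sides can see why a message was not sent.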

For example, I already know that I will lease a new car next April when my existing lease runs out. I have a pretty good idea which manufacturers I’ll consider, and which cars within those manufacturers. And what I don’t know now, I will research through buyer-centric information sources such as Which, Edmonds or similar. Once I’ve made up my mind on a preferred option, with all the options I want tagged, and two fall back positions then I’ll ‘go to market’ with a very clear spec, defined time lines, and money waiting to close the deal. I’ll end up with what I want at a fair price, and the suppliers I engage with will either have closed a sale, or come close without wasting too much time/ effort.

My colleagues and I have built a VRM Proof of Concept that demonstrates the above; it is accessible here.

This proof of concept shows a scenario in which the individual is fully in charge of the direct marketing messages they receive. It shows illustrative deployments of the 4 building blocks above. It’s not fully built out by any means – no organisation is using the suppression file in anger, only a few products and services in the opt-in table have any substance behind them (ipods and travel insurance), product/ service selection itself could be built out in many alternate ways, and e-mail is the only messaging protocol demonstrated.

…..but it does show how an individual could be empowered to only receive the direct marketing messages they want to receive….and only those messages.

What would be required to shift from the current approach to something like that shown in the Privacy Preference Service?

Firstly, let’s be clear – it’s not about technology, although that helps in specific aspects of the challenge. Also, it’s not about changes in legislation – all that ever does is raise the bar on a temporary basis until commerce demands that work-arounds be found. New/ upgraded legislation will emerge in the privacy space over time, and will help – but it won’t be leading the charge.

It’s really about that mind-set change, which is, of course, helped if it is underpinned by commercial logic. Organisations must recognise that they are alienating their customers and prospects by sending irrelevant marketing messages. They must also realise, difficult as it will be, that ramping up spend on data mining, customer insight, real-time ‘next best offers’, Facebook beacons etc etc, and all the latest CRM wizardry is not the answer. The real answer is to cede control of ‘customer needs’ data to the customer themselves, and to build tools and services that allow this data to flow.

That’s what Project VRM will do. The logic behind Project VRM is clear – that the tools required to balance relationships must be built on the customer side. Permission management tools such as those discussed above are a good start point.

Can I Own My Data?

(Cross post from Right Side Up)

Ownership sounds like such a simple idea…..

At first glance, the ownership of “my” data seems straightforward. I created it (or at least was involved at the beginning), it’s about me, so I own it. But personal data is a slippery concept. For one thing, a lot of the time it’s co-created – by me and my supplier, including my government. And tying down the legal specifics of data ownership is a bit of a minefield. Hence the recent and continuing debate on the Project VRM mailing list about whether an individual does, can or should ‘own’ personal data relating to them.

I take the view that individuals will ultimately have a form of ownership rights to data that relates to them. So far so good, but the word “ultimately” there is important, and frustrating. This will take some time to happen, and will relate to only some of the data in question. My view is that ‘ownership’ of personal data will come about through a combination of issues and events; and that this will all pan out over the next few years.

Firstly, the sensitivity of individuals to problems with firms’ use of data is rapidly increasing. The way most organisations gather and use data is often invisible to the individual, and almost always annoying to them. For one thing, there are regular and sizable breaches in data security. One example is the TK Maxx breach – which has now doubled in size from that originally admitted. Plus there’s a growing identity theft problem, with little sign of a solution in sight. And as we all know there are ongoing problems with spam to compound the everyday irritation of poorly targeted, invasive direct marketing. In the same ‘worrying’ space are large corporate acquisitions or investments (e.g. Flickr/ Yahoo or Facebook/ Microsoft) in which access to identity data initiated by and important to the subject is traded for a few dollars per record.

This increasing pain, without legal recourse, will drive some firms to offer commercial services to reduce that pain. These will include ‘who has data about me’ services such as Garlik, reverse-marketing services such as Pureprofile, transparency enablers such as The Trust Index (disclosure – this one is one of my hobby horse projects) and some plays from more traditional players in the personal data space such as Experian, Equifax or CallCredit. All are now beginning to explore how they can sell personal data back to the data subjects.

Another driver will be data breach notification legislation. It will be deployed in the EU and in many other countries. I expect it will be watered down, and won’t do too much in practice to change the accessibility of stolen customer data. The going rate, by the way, is £140 for 1000 credit card records – with security codes – or so I heard the last time I checked. But no matter, such legislation will at least build some additional legal rights on the side of the individual in the personal data space.

Next, opt-in-based direct marketing is going to become the norm across ALL communications channels – upping the value of ‘permissions’ data. This will be a sensible approach for large organisations to adopt commercially, largely for environmental reasons. And user-centric identity technologies (such as OpenID, Infocard and i-names) will start to become more popular. They’ll impact b2c (or more accurately c2b) electronic relationships. People will want to restrict the flow of personal data into organisations, though people will see a clear trade off in offering personal data to get improved customer experience.

Meanwhile, the next generation of personal information management services will emerge. These alternative ‘single views of the customer’ will be available for organisations to tap into — with permission, and usually at a cost. This will be the trigger point for real change. For the first time, data sourced FROM an individual will be more valuable commercially than data gathered ON an individual. In practice, this is about “pull”: the commercial value of these new data sources comes from the higher response rates that come from the much improved relevancy of communications. ‘Pull’ beats ‘push’ every time at the micro, one-to-one level.

When this new value is created within the PIMS, commercial law swings into gear. Individuals and suppliers will build robust contracts around these new services and at last, we have something akin to ownership of our personal data.

In short, the point at which I will ‘own’ my personal data is the point at which I can actively manage it. If I have the choice over whether to sell it to someone, and can cover that sale with a standard commercial contract, then I clearly have title. But – and this is crucial – this doesn’t mean that I ‘own’ all the personal data that relates to me. Lots of it will still be lying around in various supplier operational systems that I won’t have access to (and probably don’t want to – much of it is not worth me bothering about).

Technically we can just about do this now. As ever, I think we’ll have to wait a bit longer for all this to build a mass market for personal data ownership and management. That said, I think we’ll start to see little signs of life in this space over the next 12 months. Watch, as they say, this space.

Talking of which, do any of you database marketers out there want to buy my ‘intention to buy’ data for the next 6 months? I’ll break it down by product / service category, add likely purchase dates, indicative amounts and existing preferences of various types… and send it in a format that feeds straight in to your CRM system. £10 per category for a one off use, and I can GUARANTEE that my data will be more predictive of what I’m going to buy than your own analysis or what you can buy in from other external data providers.

Iain Henderson