How to reconcile data enrichment and consent?

“Too complex and too risky”. This is often the verdict handed down when, in a meeting, an acquisition manager suggests enriching the data collected via digital touchpoints. Indeed, since May 2018 (when GDPR came into force) and as the regulators' directives have unfolded, ensuring compliance in terms of personal data protection while cross-referencing data for enrichment purposes can be a headache. It is a perception that Arnaud Cecconi, CTO of Commanders Act, tempers.

“The situation is less restrictive than many customers think. Yes, many constraints apply to third-party data, and there is little room for maneuver. On the other hand, when it comes to first-party data, and especially if you think in terms of privacy at a very early stage in the process, there’s still a great deal that can be done to enhance it.”

In practice, it all depends on the type of enrichment envisaged for first-party data. Three main types can be distinguished, with different consent requirements.

1. On-the-fly enrichment with external data

A wide range of external data can be combined on the fly with first-party data to better inform recorded events. This is a good way to go beyond data conveyed via the datalayer, for example with characteristics from a product catalog, or information accessible from an “official” identifier such as a registration card (to trace the specifications of a vehicle).

The good news is that for this type of use, consent for a basic purpose is sufficient, at least as long as the information is not shared with third parties. If it is shared, unsurprisingly, fuller consent will be required.

2. Enrichment via cross-referencing with CRM

This is of course a recurring intention: to cross-reference data collected online with what is in the CRM in order to verify and complete it. In this case, we’re not just talking about managing consent, but also user preferences. These preferences are sometimes set offline – typically as part of a conversation with the call center.

3. Deferred enrichment

To mark out the “customer journey”, it’s tempting to store data for later enrichment. A recurring use is storing the list of content consulted so that it can be traced back when a transaction takes place, in order to assess the influence of content on sales. It is a nice scenario, but one for which specific consent – for data storage – is required. Without this approval, deferred enrichment is impossible.

While these three types of enrichment apply to first-party data, it should be noted that certain use cases with third-party data can still be considered. Using weather data, for example, remains possible as long as the geolocation is no finer than regional – which means masking part of the IP address.

Server-side to the rescue

Another legitimate question: can migration to server-side facilitate enrichment? While server-side does not change consent management obligations, it does offer a more secure and controlled environment for enrichment. Unlike the client-side mode, where JavaScript code execution takes place in the user’s browser, with all the uncertainties that this entails in terms of compliance with consents, server-side eliminates these concerns. In fact, server-side enrichment is performed on data that is already formatted and processed according to the consents obtained. The result is a much higher level of guarantee and control.

This is why switching to first-party data uses (rather than third-party data) and migrating to server-side bring flexibility and peace of mind. This contrasts with third-party data and client-side scenarios. In such a configuration, doubts about regulatory compliance will be hard to ignore for a DPO who is inevitably – and rightly – on the lookout for risks. For brands, while the horizon looks rather bleak when it comes to third-party data, it remains wide open when it comes to first-party data. Here, many uses remain possible, with a great deal of value to be gained.