How a shared link and a bull turned into a crusade
It’s not uncommon to receive an email and wonder, “when did I sign up for this list?” And as a data consultant, I often take multiple queries from friends and family inquiring as to how it was they were talking about a certain type of shoe and all of a sudden they’re now seeing ads for that shoe — for the first time ever — on social media for the next two weeks. It can feel like getting skewered by a bull, which sort of happened to me. More on that later. Questions and worries such as these shouldn’t burden the consumer. It erodes trust, and the next thing you know there’s a QAnon like movement against big business.
“Big business is in cahoots with the government, see. And they’re like a pickpocket team on a crowded train car trying to steal as much as they can from the taxpayer, leaving them desperate for welfare. Then, see, they’re going to make everyone reliant on the government. It’s all a conspiracy to pit the little people against the rich.”
1940’s Gangster Caricature
Not sure how that turned in to a nineteen forties gangster worried about personal data on the internet, but that’s the voice that came forth. Regardless, it’s not coincidence that people would be distrustful of big business. They’re motivation is not to protect people or their data; adults have to take charge of their own information. Knowing the motivations of said businesses interactions with consumers can help, but that is opaque by design. Marketers and advertising agencies have thrived off of the allure of stats for about a decade and a half, now. The ability to “prove” one’s competence has sold multiple billions of dollars of consulting, ad space and platform seats. All of this largely taking place with the consumer oblivious to the vast information gathering that it takes to make this system thrive.
You can hardly blame the marketer. To validate their own existence in a data driven world, the ability to quantify the efficacy of their efforts creates black and white evidence of their value.
Sites are so heavily tagged with pixels to extract data, one might hear the faint whisper of a 256K modem honking, whirring and cracking in the distance, given the effect they have on load times. All of this so marketers can measure performance and personalize their offering to consumers. You can hardly blame the marketer. To validate their own existence in a data driven world, the ability to quantify the efficacy of their efforts creates black and white evidence of their value. Consumers are just asking for a value exchange, because the promise of personalization hasn’t lived up to the benefit of knowing and regulating what data of theirs has been collected.
In comes GDPR in Europe, and CCPA in California only a couple of years later. These are the two most ambitious privacy regulations in the ad world to date. CCPA (an acronym for California Consumer Protection Act) upholds California’s longstanding tradition of moving first on sensible regulation. You only need to look to their vehicle emissions standards for proof. The actionable part of the law sets forth rules for the marketer and rights for the consumer.
Rules for the marketer (paraphrased)
Data collection must be anonymous, or from an authenticated (a logged in customer via username, customer number or email) visitor to the site. Otherwise, the visitor needs to be given the option to opt-in or out of personal data collection. If the marketer doesn’t want to take on that work, they can block all CA resident data collection.
Data processing involves any set of operations used on personal data. Note, that aggregate or deidentified data can be processed and shared , but there is some ambiguity in the language. Therefore, processing may involve first stripping any personal identifier and, then pooling users based on known attributes replacing with a pseudonymous identifier.
Data selling pertains to handing over of personal data for any valuable consideration – monetary or otherwise. Thus, selling is not limited to direct payment in exchange for information. Instead, all commercial activity involving data leaving one environment and entering another with the reasonable expectation of some eventual commercial benefit, is selling.
Rights for the consumer (also paraphrased)
Right to opt-out is just like it sounds. If you’ve been on a European website, or spoofed your browser to look like you’re in Europe, you’ve probably gotten a pop-up or been redirected to a personal data management page when navigating through a site. This gives the consumer the option to share their data, or make the site expunge personal information.
Right to know whether personal information was sold or disclosed and to whom is a right that is pretty straight forward. A customer has the right to ask and obtain an answer from a company that they suspect has collected their data and sold it for monetary or commercial gain.
Right to access personal information allows a consumer to directly request their data and the company has to provide it to them in a reasonable time – 45 days at last reading of the law. The business must also provide a mechanism for the client to make that request. Usually this will be managed by software added to the website to take the requests, sift through them and respond appropriately.
What’s this mysterious bull got to do with anything?
A few days ago I get a text from a friend that wants to show me the latest in contact tracing (such a 2019 sentence). Little does he know, I’ve had some run-ins with this company in said link, but we can save the libelous prose for another time. Instead, I say, “wow the company that has troves of consumer and company data; the company that does business with payroll providers; the business that has a one-to-one marketing solution without authentication; they’re going to do digital contact tracing!?
This can’t be life. This is definitely not safe.
I’m getting annoyed all over again so I’m going to tell you that the company is el Toro. I’m not going to link to them because it would be a shame if they were able to do to you what they did to me. And what a B2B company did was send a marketing email to a personal address just a couple of days later, after two short visits to their site. They thought I might want to try their Account Based Marketing product. I guess they figure, no better way to prove we can create real account based marketing precision and scale than by displaying such prowess instantly!
This appears to be witchcraft. How did they do this?
I wanted to know the same things, so I went and checked the site code. Here’s what I found, in the green encased box.
Turns out, they have an Amazon script that fetches the email of the site visitor, based on of data attributes they can extract from the browser, IP Address, user agent, etc. Further, this bypasses ad blockers because ad blockers inhibit tags from setting a cookie on the site visitor. Glad we figured that out.
GOTCHA!
Actually, they got me. I don’t live in California. I live in New York City. I don’t have the right to request what information this site collected. I don’t have the right to opt out of this behavior. More importantly, I can’t ask them to delete the information they have, which is at least my email address. This would certainly be considered “personal.”
The only thing I know (and I only know this because I’m a practitioner in the space) is that Amazon, specifically AWS, has my email and they’re immediately posting to a match table that finds the email for the bull. I don’t want emails from a bull. Yet, I’ll have to unsubscribe and hope they don’t put me back in the rotation to be targeted again.
This law is only right. You wouldn’t walk into a store and be shot with a dart gun full of tranquilizers, get tagged like a shark in the ocean and then be followed in perpetuity whether you knew it, liked it or not. And this is the problem; there is no reciprocity, transparency or good faith. Consumers deserve better, and it’s about time brands enact data policies to do so. Or, like California, the government will do it for them.
Comments are closed