Earning and Maintaining Customer Consent

Type: Whitepapers
Topic: Consent Mgmt

Introduction

We now live in a new landscape of consumer privacy protection created by a regulation powerful enough to be felt around the world. Living with GDPR means learning about GDPR and creating new policies and procedures for consumer engagement. Before exploring strategies for earning and maintaining consent, a quick review of the most pertinent regulation is
in order.

Simply put, the EU’s General Data Protection Regulation (GDPR) standardizes and strengthens privacy regulations across all European member nations. That means it protects any EU citizen and any company marketing to, selling to, partnering with, or producing from the EU must comply with its rules. Central to the regulation is a high standard for consent with fines as great as 20 million euros or four percent of total worldwide annual revenue, whichever is larger. GDPR requires that companies earn explicit consent for personal data collection, and that all identifiable personal information, regardless of where it is used, must be protected and proof of protection must be verified. The regulation even states that the protection of personal data is a fundamental human right. With that in mind, persons in the EU hold the right to access and rectify their data and can request that companies destroy all records related to them (also referred to as their “right to be forgotten”). In such cases, the burden of proof lies with the company.

Broadly speaking, GDPR gives consumers meaningful leverage against the companies that collect and use their personal data. For example, persons in the EU can request explanations from companies about personal data in their possession, the uses they intend for it, how long they plan to keep it and more. As the early effects of GDPR are felt – and immediately litigated for clarification and precedent-setting – another EU regulatory change comes closer to realization. Often referred to as the “cookie law,” the 2002 ePrivacy regulation will soon be updated. Experts predict the new ePrivacy will complement and extend GDPR while cleaning up privacy and security policy discrepancies between EU member nations.

Under the updated ePrivacy, online communications providers such as Gmail, Skype, Facebook Messenger, and others will be placed under the stringent requirements that govern traditional telecommunication providers. Prior consent to communicate to each individual account holder for texts or emails will be reaffirmed. In short, it will be another transfer in power from company to consumer.

Enterprise businesses with global customers, suppliers, operations or partners are almost certainly vulnerable to these regulations. Moreover, GDPR and ePrivacy represent a long-term global trend that shows no signs of slowing. With this in mind, GDPR-compliant strategies must be implemented to earn and maintain consent, the critical first step in any sales or marketing engagement with consumers.

When and Where to Collect Consent

Research demonstrates that consumers are willing to provide zero-party data information (including consent, preferences, and insights) when it is presented in context, offers a clear benefit to them (i.e. protects privacy, saves time, saves money, etc.), is easy to understand, and is an easy task to complete. Real-life application of this principle means that the ideal time and location for consent collection is determined by the customer journey. Structuring the ask from the customer’s perspective, at moments that matter, improves the odds of receiving permission to collect, store and use customer zero-party data at a later time. For example, asking for permission to send communications related to product updates during the registration process is relevant to that part of their customer journey and likely to elicit positive response.

The collection of self-reported zero-party customer data enables mutually beneficial engagements over the lifespan of the relationship. Asking the customer for their preferences, insights, opinions, and feedback is the essential key to maintaining consent. Identifying all potential customer data that improves the customer relationship and breaking the collection up over time is an effective strategy.

A good rule of thumb – one that aligns compliance with customer experience – is to understand why you are asking for customer information in the first place. This simple exercise of identifying the “why” behind the collection assists in overall decision making regarding the governance and logical right time to collect customer zero-party data.

To do this, create an engagement matrix that clearly identifies all types and frequencies of engagement, modes of access and means of consent. Global enterprise companies often find redundancies inside siloed corporate structures that must be reconciled in order clarify the individual purpose and timing of each request.

Spot collection is offered in prominent places and available any time. Contextual collection is tied to the
customer journey and, ideally, part of an escalating demonstration of trust and value. The presentation of a consent request typically takes one of two forms: spot or contextual. Spot collection is a universal request absent any personalized
orientation, such as a pop-up on a website homepage that all visitors see. Contextual collection is a request tied to a relevant personal activity, such as account registration, product research or a service request.

While spot collection adds value in a broader engagement strategy, contextual collection delivers the best results. To put it another way, spot collection is offered in prominent places and available any time. Contextual collection is tied to the customer journey and, ideally, part of an escalating demonstration of trust and value. As such, it offers the best opportunity to earn consent and to do so in a way that enhances the likelihood to maintain that consent over time.

How to Collect Consent

To explore the optimal consent collection process, it’s useful to think about it from the consumer’s perspective. Listed below are a few of the critical questions consumers ask when faced with consent requests and the corresponding principles gleaned from each.

What’s in it for me?

It’s a simple question that every consumer wonders when facing a consent collection request.
Research demonstrates that the answer must fall in one of two key categories: value or
convenience. Incentivize with discounts, enhanced access or some other benefit.

What will you do with my information?

Consumers worry, and understandably so, about data protection and privacy. Under GDPR, consumers hold the right to demand answers and businesses are required to specify their intentions. Get ahead of the trust curve by clearly stating why you want the data and what you plan to do with it.

This disclosure is clear and concise. It specifies that you:

• will receive marketing communications from PossibleNOW
• through the email channel
• can revoke your consent
• can go to the privacy policy to learn more

What do I do next?

In an effort to consolidate multiple requests and present related disclaimers and benefits, companies create complex, multi-layered consent collection forms. A confused consumer is unlikely to proceed. Simplified forms with clear, intuitive interfaces work best.

How can I limit permission to the topics I’m interested in?

Consider the possibilities of “keeping in touch” with a major global media conglomerate. Without boundaries, that could mean you are subscribed to everything – news about sports, politics, entertainment, financial markets and more. Empower consumers with drop-downs and checklists to select topics of interest and avoid abandonment from fear of too much outreach and engagement.

A preference or trust center can be accessed anytime on the company’s website
or via the email footer. It:

• lists the various communications that you can subscribe to or unsubscribe from
• allows you to provide or revoke consent by communication channel
• provides the ability to advertise high-value content

Can I revoke my consent later?

Knowing that permission can be conveniently revoked is a reassuring signal of good intentions –
it means we intend to earn your interest with valuable and relevant content. Include a clearly
visible option to revoke consent in emails, in “my account,” and in preference or trust center
screens where consent is collected.

How to Maintain Consent

Maintain data in a central repository

One of the primary challenges to maintaining GDPR-compliant consent is the ability to locate and
verify it. With the introduction of each new technology into the ever-growing marketing technology
stack comes a separate ability to capture and store customer data. Disparate data in siloed systems is one of the greatest risks to running an effective and compliant marketing infrastructure.

The correct approach is one where data is stored and maintained in a centralized manner. Only through a neutral, centralized, fully auditable system, that is built with privacy by design – not a bolted-on afterthought – can organizations ensure compliance to GDPR and future changes in compliance. GDPR and ePrivacy firmly place the responsibility on the party collecting customer data to understand and disclose how data will be used and provide an easy way to respond to customer inquiries. Not only that, the regulation requires alleged violators to deliver proof of consent within 30 days of the inquiry – a significant challenge for companies without a system of record to maintain enterprise-wide consent.

Provide easy access for the consumer

In addition to centralization, modification of consent must be possible. That means easy access for consumers to change prior consent, preferences, and profile information, a valuable service that aids customer experience while demonstrating continuity of consent.

Anticipate customer needs

The proactive management of customer data is key to adhering to GDPR/ePrivacy requirements and ensures customers feel they are receiving an ideal experience. Anticipating that a customer may unsubscribe by paying attention to the number of times they open (or don’t open) a certain correspondence and proactively offering a digest or decrease in frequency is an effective approach, as an example. Pausing all customer engagement or outreach based on an event (visit to an unsubscribe page, completion of a purchase) is also an effective way to preserve the customer relationship and stem customer complaints.

Only through a neutral, centralized, fully-auditable system, that is built with privacy by design – not a bolted-on afterthought – can organizations ensure compliance to GDPR and future changes in compliance.

Conclusion

Consumers view companies as a single entity, not as a myriad of business units or discrete functional groups (e.g. sales, customer support, and so forth). In order to maintain compliance and support customers’ expectations, consent collection must take place across the full spectrum of prospect and customer interactions. It’s essential to collect and react to information from all touchpoints such as call centers, social media, and mobile devices, not just the easy or inexpensive ones (e.g. email or websites.) It is also imperative that once consent is collected at a given touchpoint that data is passed seamlessly across the organization. A customer dialing in to a call center expects to have the ability to change their consent or preference information for all communication channels as part of that transaction.

Enterprises should take advantage of every customer interaction to learn more about the customer and to establish a deeper relationship, understanding and ultimately better service their customers’ needs. Only by embracing a culture of thoughtful, progressive relationship-building will enterprises be able to engage in meaningful dialogue that is in alignment with GDPR and ePrivacy. The mere installation of consent collection without commensurate internal process and policy will result in exposure to regulatory risk as consent expires, preferences and insights change, and new rules are implemented.

About PossibleNOW

PossibleNOW is the pioneer and leader in customer consent, preference, and regulatory compliance solutions. We leverage our MyPreferences technology, processes, and services to enable relevant, trusted, and compliant customer interactions. Our platform empowers the collection, centralization, and distribution of customer communication consent and preferences across the
enterprise. DNCSolution addresses Do Not Contact regulations such as TCPA, CAN-SPAM and CASL, allowing companies to adhere to DNC requirements, backed by our 100% compliance guarantee.

PossibleNOW’s strategic consultants take a holistic approach, leveraging years of experience when creating strategic roadmaps, planning technology deployments, and designing customer interfaces. PossibleNOW is purpose-built to help large, complex organizations improve customer experiences and loyalty while mitigating compliance risk.