Sunday, September 13, 2020

Software Review: Osano Manages Cookie Consent and Access Requests

The next stop on our privacy software tour is Osano, which bills itself as “the only privacy platform you’ll ever need”.  That's a bit of an overstatement: Osano is largely limited to data subject interactions, which is only one of the four primary privacy system functions I defined in my first post on this topic. . (The other three are: discovering personal data in company systems, defining policies for data use, and enforcing those policies.) But Osano handles the interactions quite well and adds several other functions that are unique. So it’s certainly worth knowing.

The two main types of data subject interactions are consent management and data subject access requests (DSARs). Osano offers structured, forms-based solutions to both of these, available in a Software-as-a-Service (Saas) model that lets users deploy them on Web sites with a single line of javascript or on Android and iOS mobile apps with an SDK.

The consent management solution provides a prebuilt interface that automatically adapts its dialog to local laws, using the geolocation to determine the site visitor's location.  There are versions for 40+ countries and 30+ languages, which Osano updates as local laws change. Because it is delivered as a SaaS platform, the changes made by Osano are automatically applied to its clients. This is a major time-saver for organizations that would otherwise need their own resources to monitor local laws and update their system to conform to changes.

Details will vary, but Osano generally lets Web visitors consent to or reject different cookie uses including essential, analytics, marketing, and personalization. Where required by laws like the California Consumer Protection Act (CCPA), it will also collect permission for data sharing. Osano stores these consents in a blockchain, which prevents anyone from tampering with them and provides legally-acceptable proof that consent was obtained. Osano retains only a hashed version of the visitor’s personal identifiers, thus avoiding the risk of a PII leak while still enabling users to search for consent on a known individual.

Osano’s use of blockchain to store consent records is unusual. Also unusual: Osano will search its client’s Website to check for first- and third-party cookies and scripts. The system will tentatively categorize these, let users confirm or change the classifications, and then let site visitors decide which cookies and scripts to allow or block. There’s an option to show visitors details about each cookie or script.

Osano also provides customer-facing forms to accept Data Subject Access Requests. The system backs these with an inventory of customer data, built by users who manually define systems, data elements, and system owners. Put another way: there’s no automated data discovery. The DSAR form collects the user’s information and then sends an authentication email to confirm they are who they claim.  Once the request is accepted, Osano sends notices to the owners of the related systems, specifying the data elements included and the action requested (review, change, delete, redact), and tracks the owners’ reports on completion of the required action. Osano doesn’t collect the data itself or make any changes in the source systems.

The one place where Osano does connect directly with source systems is through an API that tracks sharing of personal data with outside entities. This requires system users to embed an API call within each application or workflow that shares such data: again, there’s no automated discovery of such flows. Osano receives notification of data sharing as its happens, encrypts the personal identifiers, and stores it in a blockchain alone with event details. Users can search the blockchain for the encrypted identifiers to build a history of when each customer’s data was shared.

Perhaps the most unusual feature of Osano is the company’s database of privacy policies and related information for more than 11,000 companies. Osano gathers this data from public Web sites and has privacy attorneys review the contents and score each company on 163 data points.  This lets Osano rate firms based on the quality of their privacy processes. It runs Web spiders continuously check for changes and will adjust privacy ratings when appropriate. Osano also keeps watch on other information, such as data breach reports and lawsuits, which might also affect ratings. This lets Osano alert its clients if they are sharing data with a risky partner.

Osano is offered in a variety of configurations, ranging from free (cookie blocking only) to $199/month (cookie blocking and consent management for up to 50,000 monthly unique Web site visitors) to enterprise (all features, negotiated prices). The company was started in 2018 and says its free version is installed on more than 750,000 Web sites.

Sunday, September 06, 2020

When CDPs Fail: Insights from the CDP Institute Survey

We released a new member survey last week at the CDP Institute. You can (and should) download the full report, so I won’t go through all the details. You can also view a discussion of this on Scott Brinker's Chief Martech Show.  But here are three major findings. 

Martech Best Practices Matter 

We identified the top 20% of respondents as leaders, based on outcomes including over-all martech satisfaction, customer data unification, advanced privacy practices, and CDP deployment. We then compared martech practices of leaders vs. others. This is a slightly different approach from our previous surveys but the result was the same: the most successful companies deploy structured management methods, put a dedicated team within marketing inside of martech, and select their systems based on features and integration, not cost or familiarity. No surprise but still good to reaffirm. 




Martech Architectures are More Unified 

For years, our own and other surveys showed a frustratingly static 15%-20% of companies reporting access to unified customer data. This report finally showed a substantial increase, to 26% or 52% depending on whether you think feeding data into a marketing automation or CRM system qualifies as true unification. (Lots of data in the survey suggests not, incidentally.)


 

CDPs Are Making Good Progress 

The survey showed a sharp growth in CDP deployment, up from 19% in 2017 to 29% in 2020. Bear in mind that we’re surveying members of the CDP Institute, so this is not a representative industry sample. But it’s progress nevertheless. 


Where things got really interesting was a closer look at the relationship of customer data architectures to CDP status. You might think that pretty much everyone with a deployed CDP would have a unified customer database – after all, that’s the basic definition of a CDP and the numbers from the two questions are very close. But it turns out that just 43% of the respondents who said they had a deployed CDP also said they had a unified database (15% with the database alone and 28% with a database and shared orchestration engine). What’s going on here? 


 

The obvious answer is that people don’t understand what a CDP really is. Certainly we’ve heard that complaint many times. But these are CDP Institute members – a group that we know are generally smarter and better looking and, more to the point, should understand CDP accurately even if no one else does. Sure enough, when we look at the capabilities that people with a deployed CDP say they expect from a CDP, the rankings are virtually identical whether or not they report they have a unified database. 

(Do you like this chart format? It’s designed to highlight the differences in answers between the two groups while still showing the relative popularity of each item. It took many hours to get it to this stage. To clarify, the first number on each bar shows the percentage for the group that selected the answer less often and the second number shows the group that selected it more often. So, on the first bar above, 73% of people with a unified customer database said they felt a CDP should collect data from all sources and 76% of those without a unified database said the same. The color of the values and at the tip of the bar shows which group chose the item more often: green means it was more common among people with a unified database and red means it was more common among people without a unified database. Apologies if you’re colorblind.) 

Answers regarding CDP benefits were also pretty similar, although there begins to be an interesting divergence: respondents without a unified database were more likely to cite advanced applications including orchestration, message selection, and predictive models. Some CDPs offer those and some don’t, and it’s fair to think that people who prioritized them might consider themselves having a proper CDP deployment even if they haven’t unified all their data. 


But the differences in the benefits are still pretty minor. Where things really get interesting is when we look at obstacles to customer data use (not to CDP in particular). Here, there’s a huge divergence: people without a unified database were almost twice as likely to cite challenges assembling unified data and using that data. 


Combining this with previous answers, I read the results this way: people who say they have a deployed CDP but not a unified database know quite well that a CDP is supposed to create a unified database. They just haven’t been able to make that happen. 

This of course raises the question of Why? We see from the obstacle chart that the people without unified data are substantially more likely to cite IT resources as an issue, with smaller differences in senior management support and data extraction. It’s intriguing that they are actually less likely to cite organizational issues, marketing staff time, or budget. 

Going back to our martech practices, we also see that those without a unified database are more likely to employ “worst practices” of using outside consultants to compensate for internal weaknesses and letting each group within marketing select its own technology. They’re less likely to have a Center of Excellence, use agile techniques, or follow a long-term martech selection plan. (If the sequencing of this chart looks a bit odd, it's because they're arranged in order of total frequency, including respondents without a deployed CDP.  That items at the bottom of the chart have relatively high values shows that deployed CDP owners selected those items substantially more often than people without a CDP.)

 

So, whatever the problems with their IT staff, it seems at least some of their problems reflect martech management weaknesses as well. 

But There's More...

The survey report includes two other analyses that touch on this same theme of management maturity as a driver of success. The first focuses on cross-channel orchestration as a marker of CDP understanding.  It turns out that the closer people get to actually deploying a CDP, the less they see orchestration as a benefit. My interpretation is that orchestration is an appealing goal but, as people learn more about CDP, they realize a CDP alone can't deliver it.  They then give higher priority to less demanding benefits.   (To be clear: some CDPs do orchestration but there are other technical and organizational issues that must also be resolved.)  


We see a similar evolution in understanding of obstacles to customer data use. These also change across the CDP journey: organizational issues including management support, budget, and cooperation are most prominent at the start of the process. Once companies start deployment, technical challenges rise to the top.  Finally, after the CDP is deployed, the biggest problem is lack of marketing staff resources to take advantage of it. You may not be able to avoid this pattern, but it’s good to know what to expect. 


The other analysis looks at CDP results. In the current survey, 83% of respondents with a deployed CDP said it was delivering significant value while 17% said it was not. This figure has been stable: it was 16% in our 2017 survey and 18% in 2019. 

I compared the satisfied vs dissatisfied CDP owners and found they generally agreed on capabilities and benefits, with orchestration again popping out as an exception: 65% of dissatisfied CDP owners cited it as a CDP benefit compared with just 45% of the satisfied owners. By contrast, satisfied owners were more likely to cite the less demanding goals of improved segmentation, predictive modeling, and data management efficiency. Similarly, the satisfied CDP users were less likely to cite coordinated customer treatments as a CDP capability and more likely to cite data collection. (Data collection still topped the list for both groups, at 77% for the satisfied owners and 65% for the others.) 

When it came to obstacles, the dissatisfied owners were much more likely to cite IT and marketing staff limits and organizational cooperation. The divergence was even greater on measures of martech management, including selection, responsibility, and techniques. 


In short, the dissatisfied CDP owners were much less mature martech managers than their satisfied counterparts. As CDP adoption moves into the mainstream, it becomes even more important for managers to recognize that their success depends on more than the CDP technology itself. 

There’s more in the report, including information on privacy compliance, and breakouts by region, company size, and company type. Again, you can download it here for free.