
Friday, May 07, 2021

Seers Offers Easy-to-Use Cookie Consent

The growth in global privacy regulation has created an immense headache for thousands of businesses – and, thus, an immense opportunity for systems that offer relief. Small businesses in particular need simple, low-cost solutions to comply with rules that require gathering consumer consent to data collection and giving consumers access to data that’s been collected. An ideal small-business solution leads users through the set-up process without requiring technical skills or expertise in privacy rules. (Come to think of it, so does an ideal large-business solution.)

Seers is one of many vendors addressing this market. Its core products are systems to collect cookie consent and data access requests. It supplements these with products for access request fulfillment, data privacy impact assessments, GDPR compliance assessment, data breach reporting, policy creation, data discovery, and on-demand privacy training. Several of the products are engineered to support mid-size and large enterprises as well as small business.

Set-up of the Seers consent manager follows a step-by-step process. It starts with the user specifying the domain to be supported. The system then automatically scans this domain to identify the cookies and scripts currently installed. It will later compare the results to a list of hundreds of cookies that Seers has evaluated and classified, and generate a list of the specific cookie consent requests the site must present to visitors. Before this step, users set preferences for the cookie banner appearance, cookie policy URL, treatment of unconsented visitors, and other options. The interface includes handy explanations of each item so that users can make informed choices. The system will detect site visitor location and can use this to present consents in 30 local languages and in different formats for GDPR, California’s CCPA, and Brazil’s LGPD.

Once settings are complete, Seers will generate code to insert in the user’s Web site to deploy the consent system. It will then keep track of consents as these are received, providing an audit trail should documentation be needed. The system will regularly rescan the user’s Web site to identify the cookies currently in use and adjust the cookie consent table accordingly. A limited free version is available and the full module starts at $9 per month for a single Web domain.

Seers’ other main customer-facing module is Subject Request Management, which offers a portal that lets customers ask to see, change, or delete data a company holds about them. This is similarly easy to configure, letting users control the appearance, identity verification requirements, and other options. It feeds requests into a queue which lets users manually assign them to departments and individuals for resolution, tracks their status, and stores notes and attachments. Again, a limited free version is available while a single-user full version costs just under $50 per year.

Seers also offers a large number of interactive templates, assessments, and policy generators. These lead users through processes including data privacy impact assessment (DPIA), privacy policy creation, and GDPR compliance assessment. The ones I saw were all easy to follow and included impressive amounts of information. The privacy impact assessment module is priced at $46.99 per year while most of the other tools are bundled into a package starting at $129.99 one-time fee.

So far so good. I really liked what I saw from Seers. But there are gaps in its product line that mean most companies would need additional products for a complete solution. The company is closing one gap with a data discovery tool, now in beta and set for July release, which will let users build an inventory of the personal data stored in their systems. The first release, at least, will be limited to having users review field names and map these to standard categories. One nice touch is that the inventory will connect with data subject requests, so the system will be able to automatically pull information about an individual. But field names are not an entirely reliable source of information and Seers does not have the data scanning capabilities of a system like BigID.

Other gaps include consent management beyond cookie consent; records of processing activity (ROPA) reports; ensuring that processing is legally justified; monitoring vendors who process company data; and automatic policy updates as rules change. Whether you need these depends on what other resources you have available. But they’re all required under current privacy regulations.

Friday, September 25, 2020

Software Review: Skypoint Cloud Combines CDP and Privacy Management

There are obvious similarities between Customer Data Platforms and privacy systems: both find customer data in all company systems; both assemble that data into unified profiles; and both govern access to those profiles. Indeed, some CDP vendors have expanded into privacy management by adding consent modules to their systems or by integrating third-party consent managers.

Still, the line between CDP and privacy managers is usually clear: CDPs store customer data imported from other systems while privacy managers read the data in place. There might be a small gray area where the privacy system imports a little information to do identity matching or to build a map of what each source system contains. But it’s pretty easy to distinguish systems that build huge, detailed customer data sets from those that don’t. 

There’s an exception for every rule. Skypoint Cloud is a CDP that positions itself as a privacy system, including data mapping, consent management, and DSR (Data Subject Request) fulfillment. What makes it a CDP is that Skypoint ingests all customer data and builds its own profiles. Storing the data within the system actually makes fulfilling the privacy requirements easier, since Skypoint can provide customers with copies of their data by reading its own files and can ensure that data extracts contain only permitted information. Combining CDP and privacy in a single system also saves the duplicate effort of having two systems each map and read customer data in source systems.

The conceptual advantages of having one system for both CDP and privacy are obvious. But whether you’d want to use a combined system depends on how good it is at the functions themselves. This is really just an example of the general “suite vs best-of-breed” debate that applies across all system types.

You won’t be surprised that a young, small vendor like Skypoint lacks many refinements of more mature CDP systems. Most obviously, its scope is limited to ingesting data and assembling customer profiles, with just basic segmentation capabilities and no advanced analytics or personalization.  That’s only a problem if you want your CDP to include those features; many companies would rather use other tools for them anyway. There’s that “suite vs best-of-breed” choice again.

When it comes to assembling the unified database, Skypoint has a bit of a secret weapon: it relies heavily on Microsoft Azure Data Lake and Microsoft’s Common Data Model. Azure lets it scale effortlessly, avoiding one set of problems that often limit new products. Common Data Model lets Skypoint tap into an existing ecosystem of data connectors and applications, again saving Skypoint from developing those from scratch. Skypoint says they’re the only CDP vendor other than Microsoft itself to use the Common Data Model: so far as I know, that’s correct. (Microsoft, Adobe, SAP, and others are working on the Open Data Initiative that will map to the Common Data Model but we haven’t heard much about that recently.) 

How it works is this: Skypoint can pull in any raw data, using its own Web tag or other sources, and store it in the data lake. Users set up a data flow to ingest each source, using either the existing or custom-built connectors. The 200+ existing connectors cover most of the usual suspects, including Web analytics, ecommerce, CRM, marketing automation, personalization, chat, Data Management Platforms, email, mobile apps, data stores, and the big cloud platforms.

Each data flow maps the source data into data entities and relations, as defined in the Common Data Model or adjusted by the user. This is usually done before the data is loaded into the data lake but can also be done later to extract additional information from the raw input.  Skypoint applies machine learning to identify likely PII within source data and lets users then flag PII entities in the data map.  Users can also define SQL queries to create calculated values. 

Each flow has a privacy tab that lets the user specify which entities are returned by Data Subject Requests, whether data subjects can order the data erased, and which data processes use each entity. The data processes, which are defined separately, can include multiple entities with details about which entities are included and what consents are required. Users can set up different data processes for customers who are subject to different privacy regulations due to location or other reasons.

Once the data is available to the system, Skypoint can link records related to the same person using either rule-based (deterministic) matches or machine learning. It’s up to the client to define her own matching rules. The system maintains its own persistent ID for each individual. Matches can be either incremental – only matching new inputs to existing IDs – or can rebuild the entire matching universe from scratch. Skypoint also supports real-time identity resolution through API calls from a Web tag.

After the matching is complete, the system merges its data into unified customer profiles. Skypoint provides a basic audience builder that lets users define selection conditions. This also leverages Skypoint's privacy features by first having users define the purpose of the audience and then making available only data entities that are permitted for that purpose. Users can also apply consent flags as variables within selection rules. Audiences can be connected with actions, which export data to other systems manually or through connectors.

Users can supplement the audience builder by creating their own apps with Microsoft Azure tools or let external systems access the data directly by connecting through the Common Data Model.

Back to privacy. Skypoint creates an online Privacy Center that lets customers consent to different uses of their data, make data access requests, and review company policy statements. It creates an internal queue of access requests and tracks their progress towards fulfillment. Users can specify information to be used in the privacy center, such as the privacy contact email and URLs of the policy statements. They can also create personalized email templates for privacy-related messages such as responses to access requests or requests to verify a requestor’s email address.

This is a nicely organized set of features that includes what most companies will need to meet privacy regulations. But the real value here is the integration with data management: gathering data for subject access requests is largely automated when data is mapped into the system through the data flows, a major improvement over the manual data assembly required by most privacy solutions. Similarly, the connection between data flows, audiences, and data processing definitions makes it easier to ensure the company uses only properly consented information. There are certainly gaps – in particular, data processes must be manually defined by users, so an undocumented process would be missed by the system. But that’s a fairly common approach among privacy products.

Pricing for Skypoint starts with a free version limited mostly to the privacy center, consent manager, and data access requests. Published pricing ranges past $2,000 per month for more than ten data integrations. The company was founded in 2019 and is just selling to its first clients.