Latest Privacy & data protection content from Econsultancy 2017-08-17T10:00:00+01:00 Five companies using robots and AI to make a difference Nikki Gilliland <p>This is naturally a big concern - but there <em>is</em> a flip side. We’re all aware of how AI technology is changing the ways consumers interact with companies, by making processes faster, easier, and more streamlined than ever before. But more than this, artificial intelligence is starting to have a greater and positive impact on society as a whole.</p> <p>So, putting the aforementioned matters aside for a moment, here are five companies using AI to make a difference in consumers’ lives.</p> <h3>Noisolation</h3> <p>For children with a chronic or long-term illness, being unable to attend school doesn’t only mean missing out on vital education. It also means missing out on crucial social interaction, often leading to high levels of isolation and loneliness.</p> <p>A new startup company called Noisolation is aiming to transform the lives of children struggling with this issue with the world’s first ‘telepresence robot’.</p> <p>Essentially, the robot takes the place of the person in the classroom when they cannot attend. It allows them to listen as well as participate by controlling the system through an app while at home. If the child is feeling too poorly or sad to contribute – they can also turn on a blue light on the head of the robot to signify passive learning.</p> <p>While the technology itself is not revolutionary, it is revolutionising the lives of the children using it. By taking away feelings of social isolation, and helping to ease worries about going back to school after prolonged periods, it’s having a direct and positive impact on its target consumer.
Noisolation is also working on a product to help senior citizens dealing with loneliness.</p> <p><iframe src="https://www.youtube.com/embed/GfHBsmswe8s?wmode=transparent" width="854" height="480"></iframe></p> <h3>Microsoft</h3> <p>From a startup to one of the world’s biggest brands – Microsoft has invested heavily in AI in the past few years. ‘Seeing AI’ is one of the first examples to come to fruition – an app that uses artificial intelligence to help visually impaired people.</p> <p>The app uses an iPhone camera to tell people what’s happening around them, using neural networks to identify people, objects, and even the emotions of others via facial recognition.</p> <p>One of the most functional aspects is its ability to recognise US currency, something that is usually impossible for visually impaired people due to the fact that all bills are the same size and shape. Similarly useful, it helps identify everyday household objects by scanning barcodes, and recites text as soon as it appears in front of the camera.</p> <p>With further research in speech recognition, as well as the agricultural and healthcare industries – it is clear that Microsoft is intent on harnessing the power of AI for positive change.</p> <p><iframe src="https://www.youtube.com/embed/bqeQByqf_f8?wmode=transparent" width="854" height="480"></iframe></p> <h3>Darktrace</h3> <p>Cybercrime <a href="http://fortune.com/2017/06/22/cybersecurity-business-fights-back/" target="_blank">reportedly cost</a> the global economy an estimated $450bn in 2016. Now, a new wave of companies is aiming to fight back, with many using AI to identify and prevent digital attacks. </p> <p>Darktrace is one of the most valuable, having recently raised $75m in funding. By using machine learning technology to analyse network traffic and track threats, Darktrace is able to quickly identify anomalies. 
Moreover, it is able to do so without slowing down or disrupting normal operations.</p> <p>With organisations taking an average of 99 days in 2016 to realise they had been breached, this kind of AI technology can rapidly alter the speed at which attacks are quashed. Meanwhile, as an increasing number of cyber-attacks are now said to involve altering data rather than merely stealing it – AI can help to prevent potentially catastrophic outcomes, for example in healthcare industries, where altering medical records can lead to the possible misdiagnosis of patients.</p> <blockquote class="twitter-tweet"> <p lang="en" dir="ltr">Our <a href="https://twitter.com/hashtag/AI?src=hash">#AI</a> tech caught a malicious <a href="https://twitter.com/hashtag/insider?src=hash">#insider</a> trying to harvest user credentials - learn how in our Global Threat Report <a href="https://t.co/ZDAQQwt7fw">https://t.co/ZDAQQwt7fw</a> <a href="https://t.co/t1B8vQoeIn">pic.twitter.com/t1B8vQoeIn</a></p> — Darktrace (@Darktrace) <a href="https://twitter.com/Darktrace/status/892680454138187777">August 2, 2017</a> </blockquote> <h3>Leka</h3> <p>New <a href="http://stm.sciencemag.org/content/9/393/eaag2882" target="_blank">research</a> from the University of North Carolina and Washington University has found that an AI can identify autistic children before they display overt behavioural symptoms. By training a machine learning algorithm on the behaviour and earlier MRI data of children with autism, scientists then built a model that predicted a number of other autism cases.</p> <p>The potential for early diagnosis is not the only way AI is having an impact. A new motion-sensitive robot named Leka has been developed to help children with autism spectrum disorder, Down’s syndrome and other disabilities develop motor, cognitive and emotional skills.</p> <p>As children with autism struggle with interacting and communicating with others, Leka acts as an intermediary.
While it is designed to display some human characteristics, such as facial expressions, it can be customised to adapt to the child’s individual needs for engagement and interaction. Alongside the direct benefits to the children, Leka is also having a huge impact on the lives of therapists, parents and care-givers – helping to reduce anxiety in both learning and day-to-day life.</p> <p><iframe src="https://www.youtube.com/embed/luN84iqllIA?wmode=transparent" width="854" height="480"></iframe></p> <h3>Babylon Health</h3> <p>Machine learning is changing the way the healthcare industry diagnoses and treats serious diseases like cancer and diabetes, with the technology being used to read CT scans and X-rays.</p> <p>In the UK, start-up digital healthcare company Babylon Health is aiming to revolutionise the diagnosis of routine conditions, creating an AI doctor that takes the place of a GP.</p> <p>The app, which is currently being used by 800,000 people, allows patients to text their symptoms and receive advice from the AI. Babylon then advises whether or not medical care is needed, also providing the option of a video-consultation with a real doctor.</p> <p>Interestingly, the NHS is currently trialling the service in areas of London as an alternative to the 111 number, which offers free medical advice on the telephone. With the potential to offer cost savings, as well as free up time for busy GPs – Babylon is being touted as a positive step for healthcare professionals.
Meanwhile, with Babylon claiming that its technology can help cut diagnosis time by 50% - it’s also aiming to make the experience more positive and convenient for patients.</p> <p><iframe src="https://www.youtube.com/embed/CMD6B8h6Pzg?wmode=transparent" width="854" height="480"></iframe></p> <p><strong><em>Related reading:</em></strong></p> <ul> <li><em><a href="https://econsultancy.com/blog/68722-how-ai-will-impact-marketing-and-the-customer-experience">How AI will impact marketing and the customer experience</a></em></li> <li><em><a href="https://econsultancy.com/blog/69098-could-ai-revolutionize-high-street-retail-as-well-as-ecommerce/">Could AI revolutionize high street retail as well as ecommerce?</a></em></li> <li><em><a href="https://econsultancy.com/blog/67745-15-examples-of-artificial-intelligence-in-marketing">15 examples of artificial intelligence in marketing</a></em></li> </ul> 2017-08-16T10:03:28+01:00 Focus on GDPR, but ignore e-Privacy at your peril Tim Roe <h3>Let’s get started with what the e-Privacy regulation is</h3> <p>The e-Privacy Regulation is a complementary piece of European legislation to the <a href="https://econsultancy.com/blog/67540-what-is-the-eu-general-data-protection-regulation-gdpr-why-should-you-care/">GDPR</a>. It is designed to address specific scenarios that exist in the electronic communications world and at the same time ensure that the principles of the GDPR are still valid.</p> <h3>Why is this regulation important for marketers like me?</h3> <p>Much of the regulation is focused on securing the privacy of electronic data and communications that travel across the internet and other electronic services. However, the regulation also covers direct marketing activity via electronic means.
This activity is currently regulated in the UK by the Privacy and Electronic Communications Regulation (PECR), which sets the familiar requirements for opt in, opt out and unsubscribe rights of the individual among other things.</p> <p>What is set out in this regulation will have a fundamental impact on how marketers can communicate to their customers after May 2018.</p> <h3>Another law! Why do we need it?</h3> <p>When PECR was passed as a law in the UK it needed to complement the Data Protection Act 1998, which is the current privacy law that came before the GDPR. However, the GDPR has raised the bar on privacy rights and has meant that the current laws that specialise in electronic communications do not meet the needs of the wider use of electronic communications today.</p> <h3>Do we know what this law will say?</h3> <p>In a word, no. The current proposal is under negotiation in Europe and it is possible that some of the text may change. However, the GDPR is law, so any changes made should not contradict the GDPR or its principles. The proposal is all that we have at the moment and as the target to get it approved is May 2018, it is important to understand the possible implications and make plans accordingly.</p> <h3>What could be the implications for marketers?</h3> <p>One of the main changes that this regulation will bring is likely to be the impact on business-to-business marketing (B2B). In line with the GDPR’s wider scope of personal data, data relating to someone at their place of business is that person’s personal data. This is reflected in the new directive, where there is no distinction between B2B and B2C personal data.</p> <p>If we put that in the context of B2B email marketing, whereas before you could email someone as long as you gave them the opportunity to opt out, now the rules are the same as B2C.</p> <p>This means that you need to use either consent, or the so-called ‘soft opt in’ principle.
Both the Article 29 working party and the European Data Protection Supervisor have asked that the regulation makes this treatment of B2B personal data clear. The idea that a right can be given to you by one hand with the GDPR and taken away with the other under the e-Privacy regulation is counterintuitive.</p> <h3>What exactly is a ‘soft opt in’ approach?</h3> <p>The GDPR concept of <a href="https://www.econsultancy.com/blog/69303-gdpr-for-marketers-five-examples-of-legitimate-interests">legitimate interest</a> is reflected in the e-Privacy regulation by allowing the soft opt in process for both B2B and B2C marketing, so long as the following conditions apply:</p> <ul> <li>The business obtains the electronic contact details during the sale of goods or services</li> <li>The business only promotes its own similar goods or services</li> <li>The business must give the customer the opportunity to object at the time and in an easy manner</li> <li>The business must present that opportunity to object with each communication (e.g. an unsubscribe link)</li> </ul> <p>This legal basis for sending direct marketing is valid for all electronic channels, namely email, SMS, social media and instant messaging apps. However, you must tell the customer which channels you intend to use at the point of collecting the information.</p> <h3>Consent is not just a tick box</h3> <p>The other legal basis for sending electronic marketing is <a href="https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent">consent</a>. Consent relating to the e-Privacy regulation is the same as in GDPR.
Consent is therefore defined as;</p> <p>“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”</p> <h3>Let’s break that down into something we can all understand!</h3> <p>You will need to provide comprehensive information (specific, informed) about what the person is consenting to, as well as ensuring they wouldn’t be disadvantaged if they didn’t consent (freely given). There must also be no doubt as to what they are consenting to (unambiguous) and no doubt as to whether they have actually given consent (clear affirmative action).</p> <h4>Voice-to-voice marketing calls </h4> <p>Voice-to-voice marketing calls can still be undertaken as long as the end user has not objected to voice calls. Therefore, all marketing voice calls must be screened against TPS as well as CTPS first, to ensure the person has not opted out of marketing calls. You will need to provide caller line identification or a mandatory prefix (yet to be decided).</p> <h4>Tracking technology </h4> <p>The e-Privacy regulation not only covers transmission channels, but will also impact the tracking that goes on relating to many technologies. Cookies, web beacons, hidden identifiers, device fingerprinting and any other device that is developed to track the activity of the individual will need consent from the end user.</p> <p>Unlike the previous e-Privacy directive, the new regulation acknowledges the usefulness of browser based settings for obtaining consent for web based tracking. Although it would mean the default settings for browsers would be to restrict intrusive cookies.</p> <p>The use of beacons in store will now require that notices are placed in prominent places, informing the customer of the tracking that is going on and telling them how they can object to it. 
</p> <h4>Regulation versus directive</h4> <p>Finally, the fact that the new law will be a regulation will mean that it will be more or less written into UK law in its entirety. The previous EU e-Privacy law, was a directive, so the individual member states were able to create local laws based on their own interpretation of the directives. With the GDPR, there is not much wriggle room for local Governments to water down the legislation.</p> <p>You cannot make plans to change your processes and update your legacy customer data to be GDPR compliant without also taking the e-Privacy regulation into account. The fact that it is still not set in stone will make this hard to do, but those who start preparing with what we know now will be in a better place on May 24th 2018. </p> tag:econsultancy.com,2008:BlogPost/69303 2017-08-09T10:31:04+01:00 2017-08-09T10:31:04+01:00 GDPR for marketers: Five examples of 'Legitimate Interests' Ben Davis <p>One of the six lawful grounds for personal data processing is the 'legitimate interests of the controller or third party', and this is the area we'll be examining in this article, with plenty of help from the excellent Legitimate Interests Guidance produced by the Data Protection Network (<a>sign up to download it here</a>).</p> <p>We'll look at general examples of legitimate interests and more specific examples, too.</p> <h3>What are the six lawful grounds for data processing?</h3> <p>Article 6.1 of the GDPR defines the lawful grounds for data processing as follows:</p> <ul> <li> <strong>Consent</strong> of the data subject</li> <li>Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a <strong>contract</strong> </li> <li>Processing is necessary for compliance with a <strong>legal obligation</strong> </li> <li>Processing is necessary to protect the <strong>vital interests</strong> of a data subject or another person</li> <li>Processing is necessary for the performance of a task 
carried out in the <strong>public interest</strong> or in the exercise of official authority vested in the controller</li> <li>Necessary for the purposes of <strong>legitimate interests</strong> pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (Note that this condition is not available to processing carried out by public authorities in the performance of their tasks.) </li> </ul> <p>The marketer will chiefly be interested in the grounds of legitimate interests and consent. (For more on consent see our previous articles on <a href="https://econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent/">best practice UX for obtaining consent for marketing</a> and some <a href="https://econsultancy.com/blog/69267-gdpr-six-examples-of-privacy-notice-ux-that-may-need-improvement/">UX that may need improvement</a>.)</p> <h3>What does 'legitimate interests' mean and how might it apply?</h3> <p>Fairly obviously, the term refers to the stake that the company processing the personal data may have in that processing. This may imply a benefit inherent in processing for that company itself or perhaps for wider society.</p> <p>As the DPN points out, a legitimate interest 'must be real and not too vague'. For example, it may apply to an organisation's data processing as part of fraud protection, security measures or transferring that data between different parts of an organisational group. Some of this may already be part of legal compliance.</p> <p>These sorts of interests may seem pretty fair to the average reader, and indeed the expectations of users are one of the elements that the ICO guidance earmarks for consideration when a data controller is deciding whether to rely on legitimate interests.</p> <p>Would or should a user expect the processing to take place?
If there is an expectation then the impact of the processing is arguably less than if there were no such expectation.</p> <p>For the marketer, three of the six generic examples in the GDPR (in recitals 47 to 50) of where a Controller may have a legitimate interest are of particular note.</p> <p><strong>1. Direct marketing</strong></p> <p>The GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’</p> <p>This may be where consent is not viable or not preferred, though the DPN rightly stresses the fact that organisations will still need to show that there is a balance of interests – their own and those of the person receiving the marketing.</p> <p>Of course, any individual can object to direct marketing and it is one of the examples of legitimate interests for which objection is already fairly well understood and easy to action (often by unsubscribe link or by contacting the company in question to request it).</p> <p><strong>2. Relevant and appropriate relationship</strong></p> <p>This may be a direct appropriate relationship, such as where the individual is a client.</p> <p><strong>3. Reasonable expectations</strong></p> <p>As previously discussed, if a controller understands individuals have a reasonable expectation their data will be processed, this may help to make a case for legitimate interests.</p> <h3>How about some more specific examples?</h3> <p>Aside from some of the more obvious cases where legitimate interests may apply – risk assessment, checking children's age, processing data to afford individuals rights – here are five specific examples that may be pertinent for marketers (again taken from the <a>excellent DPN advice</a>).</p> <h4>1. Suppression</h4> <p>If a user objects to direct marketing, for example, a company may need to hold some personal data, however limited, in order to ensure no more marketing is sent to this user.
This could be regarded as a legal obligation.</p> <p>This example was alluded to in the comments of <a href="https://econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent/">a previous article</a> on the GDPR. The Guardian allows users to delete their account and states that "Deleting your account removes personal information from our database. Your email address becomes permanently reserved and the same email address cannot be re-used to register a new account."</p> <p>Whilst one of our readers highlighted that this seems to jar with the right to be forgotten, it's likely understood by most users that a record needs to be kept and that although comments on articles can be anonymised, the comments themselves are a matter of record and any new account must be on a novel email address.</p> <h4>2. Personalisation</h4> <p>Though a retailer or a travel company may rely on consent for marketing comms, personalising a website's content (e.g. recommendations) to improve the user's customer experience may rely on legitimate interests.</p> <h4>3. Direct marketing</h4> <p>As the DPN suggests, legitimate interest could include direct mail from a charity to existing supporters updating them on details of upcoming events.</p> <h4>4. Web analytics</h4> <p>The DPN gives the example of 'a social media platform [using] diagnostic analytics to assess the number of visitors, posts, page views, reviews and followers in order to optimise future marketing campaigns.'</p> <p>Web analytics is one area though where changes to the ePrivacy Directive of 2002 (to bring it in line with the GDPR) may complicate matters.
Though this author is only a layman, reading <a href="http://privacylawblog.fieldfisher.com/2017/the-new-e-privacy-regulation-what-you-need-to-know/">a blog post</a> from law firm Fieldfisher, I was slightly confused as it seems to indicate that cookie consent is needed for third-party platforms such as Google Analytics:</p> <blockquote> <p>Exemption for analytics cookies: Like the leaked draft, the Commission’s [ePrivacy Directive] proposal retains an exemption from the cookie consent requirement for analytics. However, the exemption applies only for first-party analytics, not third-party analytics – so websites and apps using third-party analytics platforms like Google Analytics etc. will still need consent (even if, for the techies amongst you, the cookie is technically served from a first-party domain – third party here refers to the provider of the analytics service, not the domain from which the cookie is served).</p> </blockquote> <h4>5. Updating customer details and preferences</h4> <p>The DPN highlights the example of a retailer using an external service provider to verify the accuracy of customer data. 
The DPN also details that controllers have to be careful here as to how such activity is carried out.</p> <p>On this blog we have <a href="https://econsultancy.com/blog/69267-gdpr-six-examples-of-privacy-notice-ux-that-may-need-improvement/">already pointed to</a> the fines given out by the ICO to Flybe, Morrisons and Honda, which each broke the existing Privacy and Electronic Communications Regulations (PECR) flouting customers' marketing wishes, sending emails asking whether users want to change said marketing permissions (and even incentivising the behaviour).</p> <h3>How can marketers be sure legitimate interest applies?</h3> <p>Though the GDPR does not list all circumstances in which legitimate interests may apply, it does specify that any processing under this banner meets the balance of interests condition – are the interests of the controller overridden by the interests or rights of individuals?</p> <p>Individuals can object to data processing for legitimate interests (Article 21 of the GDPR) with the controller getting the opportunity to defend themselves, whereas where the controller uses consent, individuals have the right to withdraw that consent and the 'right to erasure'. The DPN observes that this may be a factor in whether companies rely on legitimate interests.</p> <p>If you are unsure about whether legitimate interests applies, your data protection officer will likely be undertaking a Legitimate Interests Assessment (LIA). 
There is a template for such an assessment in the <a>DPN's guidance document</a>.</p> <p>In short, an LIA is split into three steps:</p> <ol> <li>The assessment of whether a legitimate interest exists;</li> <li>The establishment of the necessity of processing; and</li> <li>The performance of the aforementioned balancing test</li> </ol> <p>Regarding step three, factors under consideration include:</p> <ul> <li>the nature of the interests (such as the reasonable expectations of the individual);</li> <li>the impact of processing;</li> <li>any safeguards which are or could be put in place.</li> </ul> <h3>Privacy notices must provide clarity to the user</h3> <p>One of the main threads of the GDPR is providing clear and transparent information to individuals about data collected, how it is processed, and the lawful basis for this processing.</p> <p>This is no different where legitimate interests applies – see the examples below from the DPN. It should also be made clear that individuals have the right to object to processing of personal data on these grounds.</p> <p><img src="https://assets.econsultancy.com/images/0008/8170/Screen_Shot_2017-08-09_at_08.23.30.jpg" alt="privacy notice" width="300"></p> <p><em>Example privacy notice from the DPN, including detail about 'legitimate business purposes'</em></p> <p><img src="https://assets.econsultancy.com/images/0008/8171/Screen_Shot_2017-08-09_at_08.23.40.png" alt="privacy notice" width="300"></p> <p><em>Example from the DPN of an alternative statement on data collection page</em></p> <p><strong><em>Note that this article is not intended to constitute legal advice or offer comprehensive guidance.</em></strong></p> <p><em><strong>That's it for this summary. Let us know how you are preparing for the GDPR in the comments below.</strong></em></p> 2017-08-03T09:55:17+01:00 How should non-EU businesses prepare for the GDPR?
Paul Hewett <p>This ‘thing’ is the General Data Protection Regulation, or GDPR for short. The GDPR is a live European Regulation, but it has a borderless scope which is causing problems for both European and non-European businesses. Within the next year the GDPR will be an enforceable regulation, so the global compliance race is on. </p> <p>If you work for a business outside of the EU which holds or processes any form of customer data for any purpose, the next five minutes of reading may just help provide some clarity on why this matters and what action you should take. </p> <h3>GDPR: We have history</h3> <p>Despite being a new regulation passed in 2016, GDPR and I go way back as I was involved in lobbying and reshaping the regulation.  </p> <p>This all started in 2012 when the European Commission published the new General Data Protection Regulations. This event started the ball rolling on several years of fierce debate and lobbying by the European marketing and advertising associations. In my previous role as chair of an active and influential council of the UK DMA, I watched the iterative formation of the GDPR become the regulation which has now been served up by the European Commission for all marketers to enjoy... even the ones not in Europe.</p> <p>In the interest of clarity, if GDPR is completely new to you, let me provide a quick overview before getting to the ‘fun’ stuff. </p> <h3>What is GDPR?</h3> <p>If you’re asking “<a href="https://econsultancy.com/blog/67540-what-is-the-eu-general-data-protection-regulation-gdpr-why-should-you-care/">what’s the General Data Protection Regulation?</a>” you’re not alone. 
Here’s a rundown of the basics:</p> <ul> <li>The <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&amp;toc=OJ:L:2016:119:TOC">General Data Protection Regulation (EU2016/679)</a> is a European Regulation passed by the European Parliament on 12 April 2016, which will supersede the Data Protection Directive 95/46/EC. </li> <li>The regulation has been designed to standardise the data privacy laws across Europe, providing data empowerment and protection to all EU residents. </li> <li>While the regulation has been in place for some time already, organisations handling the data of EU residents have until 25 May 2018 to comply fully with the new regulations. </li> <li>With non-compliance fines of up to €20m or 4% of global annual turnover (whichever is greater), now is the right time for businesses to evaluate their exposure and plan for the global impact of GDPR. </li> <li>If you’re interested, you <a href="https://www.twobirds.com/en/practice-areas/privacy-and-data-protection/eu-framework-revision">can see the evolution of GDPR here</a>.</li> </ul> <h3>Why non-EU companies should care</h3> <p>If you’re reading this from outside the EU, you’re probably thinking 'big deal, this European red-tape won’t affect my organisation'. Think again. I have three words: increased territorial scope.</p> <p>The GDPR encompasses a number of game-changing concepts but increased territorial scope is arguably the most significant change to the data privacy regulatory landscape. In essence, this concept means the regulation could impact any business regardless of geographic location.</p> <p>This is achieved by reframing the regulation around the location of the data subject (that’s a person), rather than the location of the data controller or processor. The result? Any business with European customers is affected by GDPR.
</p> <p><img src="https://assets.econsultancy.com/images/0008/8024/eu_flag.png" alt="" width="500"></p> <p>On the impact of increased territorial scope, Chris Combemale, group CEO of the UK DMA, stated: “GDPR applies to every company who has even one customer in Europe and therefore has far reaching consequences for multi-nationals and ecommerce businesses that trade across borders.” The global impact is echoed here in Australia, with Irene Halforty of the Association for Data-driven Marketing and Advertising (ADMA) saying “the GDPR will have a significant impact on the ways in which Australian marketers obtain consent for the collection, use and disclosure of personal data.”</p> <h3>This time it’s personal</h3> <p>There has been a lot of debate around what constitutes personal data. The GDPR provides some clarity on this topic, defining personal data as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.”</p> <p>While not explicit, under this broad classification you could include name, email address, telephone number, photos, videos, social media posts, or a computer IP address just to name a few. For B2B marketers, work contact details or information are identifiable data relating to a natural person. </p> <h3>Power to the consumer</h3> <p>When compared to previous regulation, the GDPR is significantly more empowering for the individual consumer. Rights for consumers fall into five main categories;</p> <ul> <li>information notices.</li> <li>subject access.</li> <li>rectification and portability.</li> <li>rights to object.</li> <li>rights to erasure.</li> <li>rights to restriction of processing, profiling and automated decision taking.</li> </ul> <p>These rights are designed to transfer the ownership and control of personal data back to the consumer, providing greater ability to control how your personal data is used. 
However, it should be noted these rights are fraught with complexity and controversy, particularly data portability, and only time will tell how practical they are in reality.  </p> <p>Under GDPR, obtaining data and the appropriate consent will be a big deal. The regulation tackles head-on the common tactic of consent-cloaking, where data processing consent is wrapped up in long, illegible terms and conditions full of legalese. From 18 May, businesses will have to seek explicit consent to collect, hold and process personal data.</p> <p>Consent must be clear, easy to access and distinguishable as a request for consent and, importantly, withdrawing consent should be as simple as providing consent.</p> <p>Speaking on behalf of ADMA, Irene Halforty reinforced the significance of the changes to consent: “Currently, marketers are able to rely on various mechanisms for consent, for example referring to a Privacy Policy or providing notification statements... however, under the GDPR, consumers need to actively indicate that they fully understand and agree to it. The challenge for Australian marketers in preparing for the GDPR will be implementing mechanisms to ensure this higher standard of consent.”</p> <h3>Is GDPR an enforceable regulation?</h3> <p>With the regulation already in place and the deadline for compliance set (25 May 2018), the important question for many businesses is, how seriously should we take GDPR? For many, this comes down to one point – enforceability. The debate is gathering around this topic, with a number of arguments forming. </p> <p>In relation to data automation processes, Professor Merlin Stone of St Mary’s University has stated “GDPR is partly unenforceable. The more you automate your data management and profiling, the less enforceable it is.” This supports the view of many that data flow and processing are too complex to be monitored and enforced.  
</p> <p>An alternative argument supporting non-enforcement is the European Commission's lack of enforcement of <a href="https://econsultancy.com/reports/the-eu-cookie-law-a-guide-to-compliance/">the EU cookie law</a>. However, unlike the cookie law, which was part of a directive (E-Privacy Directive 2011), GDPR is a regulation on personal data and is therefore likely to be given a sharp set of teeth to demonstrate enforceability. I would suggest it’s only a matter of time before we find out which company is the first to be fined – my money's on one of the internet giants. </p> <h3>Is GDPR good for business?</h3> <p>Let’s put the complexities of the shifting privacy landscape and enforceability to one side for a moment and take an objective look at GDPR. Most people will agree the regulation is good for consumers, but is GDPR good for business? </p> <p>An effective rollout of the regulation will set in motion a more coherent cross-border standard for the collection and application of personal data, which comes with benefits.</p> <p>John J Wall, author, speaker and leading thinker in marketing, says “this is about streamlining – having one set of regulations around handling data, not 28 from all the countries in the EU. A big part of this is making it simpler to deploy tech in the EU.”  </p> <p>While acknowledging the scale of the task ahead, Chris Combemale of the DMA also acknowledges the opportunity presented by the regulation, saying “GDPR sets a high bar for data protection and introduces new ideas like giving customers control of their data. While this may seem daunting to many non-EU businesses, it is also an opportunity to raise standards overall and better serve your customers.”</p> <p>GDPR is good for consumers and it definitely has the potential to be good for businesses. Raising the bar and standardising procedures will ultimately lead to simpler deployment and scaling of technology and business, particularly for multi-national businesses. 
This is an opportunity to be embraced. </p> <h3>Should you take action?</h3> <p>So what action should you take if you’re a non-European business? This is the €20m question (or 4% of annual global turnover, whichever is greater). </p> <p>Frankly, whether your organisation is in Austria or Australia, Slovakia or Singapore, GDPR will affect the way your organisation handles personal data. However, GDPR is unlikely to significantly disrupt the value exchange or relationship between organisations and customers. </p> <p>Despite this, GDPR does set the precedent for future data protection laws around the world, so you need to take action now to evaluate, streamline and standardise data processes and procedures. The companies meeting the standards set by GDPR will be achieving a gold standard of data protection and it is more than likely that these companies will easily comply with virtually all data protection laws around the world. </p> <p>If you require general advice to meet the GDPR compliance deadline, it is likely the Information Commissioner for your country will be issuing recommendations (<a href="https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection-regulation">this is the Australian OAIC guidance</a>); however, it is more likely that the <a href="https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/">UK ICO GDPR website</a> will offer a more comprehensive overview.</p> <p>To support your preparation, I would also recommend asking any suppliers and partners accessing or processing data for confirmation of GDPR compliance by 25 May 2018. 
</p> <p><em>To learn more about how to comply with the new regulation, book a spot on our <a href="https://www.econsultancy.com/training/courses/gdpr-data-driven-marketing">GDPR training course</a> or check out these other posts:</em></p> <ul> <li><em><a href="https://www.econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent">GDPR: 10 examples of best practice UX for obtaining marketing consent</a></em></li> <li><em><a href="https://econsultancy.com/blog/69119-gdpr-needn-t-be-a-bombshell-for-customer-focused-marketers">GDPR needn't be a bombshell for customer-focused marketers</a></em></li> <li><em><a href="https://www.econsultancy.com/blog/69267-gdpr-six-examples-of-privacy-notice-ux-that-may-need-improvement">GDPR: Six examples of privacy notice UX that may need improvement</a></em></li> </ul> tag:econsultancy.com,2008:BlogPost/69267 2017-08-01T09:19:00+01:00 2017-08-01T09:19:00+01:00 GDPR: Six examples of privacy notice UX that may need improvement Ben Davis <p>I don't want to point the finger or scaremonger, merely to point out UX which is likely already earmarked for improvement ahead of the May 2018 deadline. In some cases, companies are straying into '<a href="https://econsultancy.com/blog/68973-13-examples-of-dark-patterns-in-ecommerce-checkouts/">dark patterns</a>' territory, but others are guilty only of ill-thought-through design.</p> <p>Remember that the key point of GDPR is lawfulness of data processing, which when it comes to user experience demands that the data subject gives their clear, affirmative consent (and then subsequently has rights such as the right to erasure or rectification).</p> <p>As the ICO advises in <a href="https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf">its guidance</a> for consultation: 'Consent means offering individuals genuine choice and control. Consent requires a positive opt-in. 
Don’t use pre-ticked boxes or any other method of consent by default. Explicit consent requires a very clear and specific statement of consent.'</p> <p>There's much more to consider in the GDPR – see <a href="https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/">the ICO's overview</a> – notably storing consent profiles, notifying data subjects of breaches etc., but in this piece once again we'll be looking at website UX at the point of data collection.</p> <h3>1. We Buy Any Car: Opt-out below the fold</h3> <p>If you want to get a valuation for your car on the We Buy Any Car website, you simply have to enter your car registration number, mileage and check a box about service history and previous owners.</p> <p>That brings you to the screen below, where the company asks for some personal details in order to proceed with your valuation. At first glance, there's some good practice here – see how the email, postcode and mobile fields all include details of how this data will be used ('so we can send your valuation', 'so we can find your nearest branch' and 'so we can text your valuation').</p> <p><img src="https://assets.econsultancy.com/images/0008/7899/webuyanycar_abovefold.jpg" alt="webuyanycar above fold quote" width="800" height="422"></p> <p>But here's the deal – how many users will have hit the 'get my valuation' button shown above, without bothering to scroll down beneath the fold? I would wager quite a high proportion. And why is that a problem? Well, take a look at the next screenshot below. It shows everything at the bottom of the same page, all of which sits beneath the fold (on my Macbook Pro).</p> <p>And look at that! There's another 'get my valuation' button, this time with a checkbox above it that is <strong><em>pre-checked</em></strong> and says 'I am happy to receive this information'.</p> <p>What information? 
Well the blurb above the checkbox says (paraphrasing) your personal information may be provided to associated companies for research and analysis, but also to provide you with info concerning services or products which may be of interest to you. The same goes for services and products from third parties.</p> <p><img src="https://assets.econsultancy.com/images/0008/7900/webuyanycar_belowfold.jpg" alt="webuyanycar below fold quote" width="800" height="430"></p> <p>Though there is detail about being able to opt out of these comms in future (that's good), this is clearly an example of a UX where the user may not have given their explicit consent to be contacted or for their data to be shared. The user may have simply not noticed that they had to actively opt-out of these extra comms (something that goes against the ICO's GDPR guidance).</p> <p>From May 2018, arguably the first 'get my valuation' button above the fold should be removed, requiring the user to scroll past the further information and the privacy statement, before being offered the chance to <strong><em>opt in</em></strong> to further comms.</p> <h3>2. Manchester Airport WiFi: Compulsory consent</h3> <p>It seems users have to consent to marketing comms as a precondition of accessing Manchester Airport's free WiFi. See the image in the tweet below.</p> <blockquote class="twitter-tweet"> <p lang="en" dir="ltr">A <a href="https://twitter.com/hashtag/GDPR?src=hash">#GDPR</a> issue via LinkedIn post. Free airport wifi. Requires Mobile number. Mandatory to agree to marketing. <a href="https://twitter.com/hashtag/GDPR?src=hash">#GDPR</a> ready? 
<a href="https://t.co/CqcDA4i0aZ">pic.twitter.com/CqcDA4i0aZ</a></p> — Privacy Matters (@PrivacyMatters) <a href="https://twitter.com/PrivacyMatters/status/882982786478592000">6 July 2017</a> </blockquote> <p>The ICO's GDPR guidance on consent says:</p> <ul> <li>Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate.</li> <li>If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.</li> <li>If you make ‘consent’ a precondition of a service, consent is unlikely to be the most appropriate lawful basis.</li> </ul> <p>As I made clear in a previous article <a href="https://econsultancy.com/blog/69119-gdpr-needn-t-be-a-bombshell-for-customer-focused-marketers">linking GDPR with customer-centricity</a>, those companies that think from a user's point of view about transparency and appropriate processing will put their best foot forward.</p> <p>Though social media is well-known as a place to vent, rather disgruntled tweets from users who <a href="https://twitter.com/watson_works/status/811487927586979842">object to the above precondition</a> and are <a href="https://twitter.com/michaelachris20/status/818189226512683009">fed up with receiving marketing</a> from Manchester Airport perhaps hint at a lack of balance in this example. Something to think about ahead of the GDPR coming into play.</p> <h3>3. WhatsApp: 'Hidden' opt-out</h3> <p>Another example highlighted again by the excellent <a href="https://twitter.com/PrivacyMatters/">@PrivacyMatters</a> – when WhatsApp <a href="https://techcrunch.com/2016/08/25/whatsapp-to-share-user-data-with-facebook-for-ad-targeting-heres-how-to-opt-out/">updated its T&amp;Cs in 2016</a> (to share data with Facebook), it sought affirmative consent from users before changing privacy settings. 
The FTC had already <a href="https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-facebook-whatsapp-privacy-obligations-light-proposed">made clear</a> that users should have the opportunity to opt out of any future changes to how newly-collected data is used:</p> <blockquote> <p>..the FTC has made clear that, absent affirmative express consent by a consumer, a company cannot use data in a manner that is materially inconsistent with promises made at the time of data collection..</p> </blockquote> <p>The problem with the way WhatsApp did this was that all users <em>had</em> to tap to agree when asked to share their personal data with Facebook companies to improve infrastructure and understanding of how the services are used (amongst other things).</p> <p>One could debate whether this sort of data sharing is necessary for WhatsApp to function, but what was certainly less than desirable was the UX shown below.</p> <p>Most users will have tapped agree without noticing there was in fact a choice being offered, specifically about the sharing of their WhatsApp data to improve 'Facebook ad targeting and products experiences'. As you can see from the screenshots, this option is 'hidden' in a concertina, with no hint that it resides there.</p> <p>The default option on this slider button was opt-in, meaning most users will have shared their WhatsApp data with Facebook to improve Facebook advertising, but without giving explicit consent. Under the GDPR, one would expect this kind of UX to be dicey, and that's important because the regulation makes clear that all companies with data subjects in the EC must comply.</p> <p><img src="https://assets.econsultancy.com/images/0008/7906/Screen_Shot_2017-07-28_at_16.07.29.png" alt="whatsapp t&amp;cs" width="615" height="522"></p> <h3>4. Morrisons, Flybe, Honda: The 'are your details correct?' 
email</h3> <p>There are several companies that have been fined in recent months by the ICO for flouting customers' marketing wishes by sending emails asking if user details are correct and whether users want to change their marketing permissions.</p> <p>Though the introduction of the GDPR won't change anything here – these brands had already broken the Privacy and Electronic Communication Regulations (PECR) – the examples are pertinent as companies will increasingly be seeking re-permission from users ahead of the GDPR introduction date in 2018.</p> <p>The brands in question were Morrisons, Flybe and Honda:</p> <ul> <li>Morrisons <a href="https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/06/morrisons-supermarket-chain-fined-for-flouting-customers-marketing-wishes/">sent more than 130,000 emails</a> in October and November 2016 to people who had opted out of marketing. The emails were titled ‘Your Account Details’ and invited customers to change their marketing preferences to start receiving money off coupons, extra More Points and the ‘latest news’ from Morrisons. The company was fined £10,500.</li> <li>Honda sent nearly 290,000 emails asking customers to clarify choices about receiving marketing, but could not provide evidence that these customers had ever given consent to receive this type of email. A fine of £13,000 was handed out by the ICO.</li> <li>Flybe sent 3.3m emails in August 2016, again to customers who had opted out of such communications. The email asked ‘Are your details correct?’ and offered entry into a prize draw for recipients who amended information or updated marketing preferences. Flybe was fined £70,000.  
</li> </ul> <p>When <a href="https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/03/ico-warns-uk-firms-to-respect-customers-data-wishes-as-it-fines-flybe-and-honda/%20">commenting on the Honda and Flybe cases</a>, Steve Eckersley, the ICO's head of enforcement, gave some important advice for any company preparing for the GDPR:</p> <blockquote> <p>Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law.</p> </blockquote> <p>In direct reference to the new regulation, Eckersley said “Businesses must understand they can’t break one law to get ready for another.” </p> <h3>5. Econsultancy: Combined T&amp;Cs and privacy policy consent</h3> <p>Writing an article about UX that needs to be improved, I'm aware that I'm open to the accusation of throwing stones in a glass house.</p> <p>If you register with Econsultancy, you'll find there is an opt in (which is good) but that it is a combined T&amp;Cs and privacy policy opt in, which ultimately means that users must consent to marketing comms in order to register. Section 5 of our privacy policy says "...we may from time to time contact you by email, SMS, telephone or post about our products and services (including from all our brands) that may be of interest to you."</p> <p>Though some of the marketing through these channels by Econsultancy is undoubtedly expected by the registrant and represents a legitimate interest under the GDPR (e.g. learning about our big annual event), other forms of communication arguably may not be (e.g. 
a telephone call to sell a ticket for said event).</p> <p>One of the (many) reasons users register with Econsultancy is to receive our Digital Pulse email, and our account settings let users opt out from a variety of different emails, including the Pulse and certain marketing emails, but nevertheless, our registration form (from May 2018) should arguably give users a granular opt in to being contacted through email, SMS, telephone or post.</p> <p>Having to contact a company after registration to request not to be contacted with marketing content via certain media may not be something that sits well with the GDPR.</p> <p>Econsultancy currently has a working group looking at GDPR compliance, and registration will undoubtedly be something we look at, to enable users to give their explicit consent to communication that may fall outside of 'legitimate interests' (for example, being asked to take part in a survey).</p> <p><img src="https://assets.econsultancy.com/images/resized/0008/7911/screen_shot_2017-07-28_at_18.03.36-blog-flyer.png" alt="econ registration" width="400"></p> <h3>6. Incisive Media: Combined consent and hidden opt-outs</h3> <p>Incisive Media also has a combined T&amp;Cs and privacy checkbox. Unlike Econsultancy, it offers granular control of marketing communications at point of user consent (split into first- and third-party preferences, each with checkboxes for mail, phone, email).</p> <p>However, as you can see below, this user consent is done on an opt-out basis. The user would have to click six boxes to opt-out of each form of marketing, from first and third parties. 
And what's more, these choices are hidden in a concertina.</p> <p>Again, there are obvious changes that would benefit the user here and help to bring things in line ahead of May 2018.</p> <p><img src="https://assets.econsultancy.com/images/0008/7913/incisive.jpg" alt="incisive media registration" width="300"> <img src="https://assets.econsultancy.com/images/0008/7912/incisive3.jpg" alt="incisive media registration" width="300"></p> <p><em>Incisive Media registration, via <a href="https://twitter.com/PrivacyMatters/">@PrivacyMatters</a></em></p> <p><em><strong>Note that this article represents the views of the author solely, and is not intended to constitute legal advice.</strong></em></p> <p><em><strong>If you are involved with preparations ahead of the GDPR, please let us know your thoughts in the comments below.</strong></em></p> tag:econsultancy.com,2008:BlogPost/69256 2017-07-25T11:00:00+01:00 2017-07-25T11:00:00+01:00 GDPR: How to create best practice privacy notices (with examples) Ben Davis <h3>We all know privacy policies are painful</h3> <p>Who has ever read a privacy policy? 
Truthfully?</p> <p>They are not quite as absurd as the iTunes terms and conditions (<a href="https://www.theguardian.com/books/2017/mar/08/terms-and-conditions-itunes-t-and-c-graphic-novel-robert-sikoryak-interview">now a graphic novel</a>), but <a href="http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf">a paper</a> by McDonald and Cranor estimates that if the average person read every privacy policy for every website they visited in a year, that reading time would amount to some 244 hours.</p> <p>In 2010, Facebook's privacy policy was <a href="https://thenextweb.com/socialmedia/2010/05/13/facebooks-privacy-policy-is-longer-than-the-us-constitution/#.tnw_LY8UM64s">longer</a> than the US Constitution.</p> <p>It's this absurdity that the GDPR is attempting to tackle – privacy policies may still be long and unwieldy documents, but users must be made aware of the salient facts in an easy-to-read notice at the point of consent or data collection.</p> <h3>The GDPR demands clarity through a privacy notice</h3> <p>This is what the GDPR has to say about the information companies provide about personal data processing – it must be:</p> <ul> <li>concise, transparent, intelligible and easily accessible;</li> <li>written in clear and plain language, particularly if addressed to a child; and</li> <li>free of charge.  </li> </ul> <p>This means a simple link to your crazy-long privacy policy during registration will likely not do the trick.</p> <p>As the ICO <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/">puts it</a> when discussing the GDPR, "being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect."</p> <p>What's more, the information you should provide is changing, too. 
The lawful basis for your data processing, how long you'll keep the data for, the user's right to complain – these are all pointed to in the GDPR.</p> <p>The following questions should be considered when writing a privacy notice: </p> <ul> <li>What information is being collected?</li> <li>Who is collecting it?</li> <li>How is it collected?</li> <li>Why is it being collected?</li> <li>How will it be used?</li> <li>Who will it be shared with?</li> <li>What will be the effect of this on the individuals concerned?</li> <li>Is the intended use likely to cause individuals to object or complain? </li> </ul> <p><em>(Note, for the full detail on what information should be provided to the data subjects at point of data collection, readers should check out article 13 of the GDPR, specifically paragraphs 1 and 2, summarised by the ICO <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/">here</a>.)</em> </p> <h3>What does a privacy notice look like?</h3> <p>All this seems pretty straightforward so far, but what then does a privacy notice actually look like?</p> <p>It's not as lengthy as the questions above may suggest, in fact it chiefly tackles what will be done with personal data, by whom, and who it will be shared with.</p> <p>Here's an example, again from the excellent ICO guidance:</p> <p><img src="https://assets.econsultancy.com/images/0008/7669/privacy_notice_ico.jpg" alt="privacy notice" width="615" height="476"></p> <p>As you can see, the privacy notice is part of obtaining consent from the user, and is presented at the point of data collection. 
(In a previous article on the Econsultancy blog we have looked at the <a href="https://econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent/">UX of obtaining opt-in</a> – essentially how checkboxes should be presented).</p> <p>When planning privacy notices, you should be aware that more information may be needed than shown in the example above. Such information depends on what the user reasonably expects to happen to their data, and whether a lack of honesty/fairness might be levelled if pertinent information is not provided (e.g. use of personal data for profiling).</p> <p>You can see a longer example of a privacy notice in a blog post from Scott Sammons, privacy expert – <a href="https://actnowtraining.wordpress.com/2016/09/06/privacy-notices-under-gdpr-have-you-noticed-my-notice/">read it here</a>.</p> <h3>Examples of good privacy policy UX</h3> <p>Back to the GDPR. What does best practice look like?</p> <p><strong>Layers</strong></p> <p>There are two concepts of privacy policy/notice UX that the ICO advocates. The first is layering – allowing users to access easy-to-understand information and then delve more deeply if required.</p> <p>The prototype from the ICO shown below uses three layers. 
The first is a headline question (how will we use the information about you?), the second is the collapsible information about processing and sharing, and the third is the hyperlink to the relevant section of a full privacy policy.</p> <p>This layering is a good way of saving space in a mobile UI.</p> <p><img src="https://assets.econsultancy.com/images/0008/7671/layers_privacy_notice.png" alt="layers privacy" width="615" height="299"></p> <p><strong>Just-in-time privacy notices</strong></p> <p>Another superb prototype from the ICO, also useful in mobile UIs particularly, is the just-in-time privacy notice.</p> <p>As you can see in the GIF below, when the user engages with a data field, relevant information is displayed at that time with a pop-up style hint.</p> <p><img src="https://assets.econsultancy.com/images/0008/7672/pn-cop-just-in-time-notice-animation.gif" alt="just in time privacy notice" width="600"></p> <h3>Who is adopting some of these practices?</h3> <p><strong>Microsoft</strong></p> <p>As with many companies out there, Microsoft is getting some things right and others arguably not so. When I investigated signing up for an Outlook email account, I was pleased to see that the form I had to fill in employed the just-in-time technique noted above. You can see it in the screenshot below.</p> <p><img src="https://assets.econsultancy.com/images/0008/7750/microsoft_just_in_time.jpg" alt="microsoft just in time privacy notice" width="615"></p> <p><em>Just-in-time privacy notice from Microsoft</em></p> <p>However, Microsoft doesn't include a privacy notice at the end of the form when I am ready to sign up. Arguably there should be some information at this level about what data of mine will be used and how. I am also required to opt-out of marketing, which will be a no-no under the GDPR.</p> <p>Microsoft should be given credit though for its use of layering when a user clicks through to the privacy policy. 
As you can see from the screenshot, there are clickable subtitles in the form of questions, top-line information given and then links to more detailed information.</p> <p><img src="https://assets.econsultancy.com/images/0008/7751/microsoft_privacy.jpg" alt="microsoft privacy policy" width="615"></p> <p><strong>Age UK</strong></p> <p>Age UK was included in <a href="https://econsultancy.com/blog/69253-gdpr-10-examples-of-best-practice-ux-for-obtaining-marketing-consent/">my last article</a> about opting in to marketing consent. For a simple transaction (a donation), the privacy notice is clear, and sits next to the option to opt in to marketing.</p> <p>You can see the message below, it's not extensive, it focuses on the main area of doubt a user may have in consenting to marketing – will my data be passed on?</p> <p>Age UK assuages these doubts and also details the option of changing your mind. There is then a link to a more detailed privacy policy.</p> <p><img src="https://assets.econsultancy.com/images/0008/7539/Screen_Shot_2017-07-17_at_12.03.53.jpg" alt="age uk privacy notice" width="400"></p> <p>The charity's privacy policy is partly shown below and was updated in April 2017. I like the layout of information. It looks well prepared for next year's regulation and includes information about updating your details, security precautions, any transfer outside of Europe and any profiling that may take place. <a href="http://www.ageuk.org.uk/help/privacy-policy/">Check it out here.</a></p> <p><img src="https://assets.econsultancy.com/images/0008/7753/Screen_Shot_2017-07-24_at_16.49.34.jpg" alt="age uk privacy policy" width="615" height="479"></p> <p><em>The beginning of Age UK's privacy policy</em></p> <p><strong>USwitch</strong></p> <p>USwitch has a very simple UX for comparing energy prices, but it remembers to include some just-in-time information. 
See the screenshots below.</p> <p>Note the use of the word 'optional' in the phone number field, too.</p> <p><img src="https://assets.econsultancy.com/images/0008/7754/Screen_Shot_2017-07-24_at_17.13.47.png" alt="uswitch just-in-time privacy" width="450"></p> <p><img src="https://assets.econsultancy.com/images/0008/7755/Screen_Shot_2017-07-24_at_17.13.53.png" alt="uswitch just-in-time privacy" width="450"></p> <p>However, when I went further through the process of applying for quotes, I could not see an obvious privacy notice. It may be argued that all the information I input (energy consumption etc.) is necessary to provide a quote, but I would still have been reassured with another notice about what happens to my data.</p> <p>USwitch does have a good privacy policy, though, similar in style to Age UK, with clear headings and a range of information, also updated in April 2017 (<a href="https://www.uswitch.com/about-us/privacy-policy/">see it here</a>).</p> <h3>Remember....</h3> <p>There are likely better examples out there with whiter-than-white compliance. But remember, it's horses for courses.</p> <p>As <a href="https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/when-should-you-actively-communicate-privacy-information/">the ICO points out</a>, consumer expectations are key. 
You have to "Actively give privacy information if:</p> <ul> <li>you are collecting sensitive information;</li> <li>the intended use of the information is likely to be unexpected or objectionable;</li> <li>providing personal information, or failing to do so, will have a significant effect on the individual; or</li> <li>the information will be shared with another organisation in a way that individuals would not expect."</li> </ul> <h3>Ridding the internet of legalese and promoting transparency is not a new concept</h3> <p>As an addendum, it's worth noting that the challenge of keeping the user informed is one that many academics and developers have worked on before.</p> <p>One nice example is the open source code available from the Application Developers Alliance. It <a href="https://www.appdevelopersalliance.org/resources/privacy-notices">partnered</a> with Intuit in creating privacy notices for apps (see below) that would comply with the Mobile App Privacy Voluntary Code in the US. </p> <p><img src="https://assets.econsultancy.com/images/0008/7673/intuit_app_privacy_notice.png" alt="intuit and privacy alliance notice" width="400" height="400"></p> <p><em>Open source privacy notice from App Developers Alliance</em></p> <p>Another example of previous attempts to bring some saliency to the privacy notice is the use of iconography. There are no standard icons used to denote various levels of privacy or data use, but their appeal is obvious – they are language neutral. As GDPR applies to users based across the EC, we cannot assume all users understand one of the major languages of the region.</p> <p>Aza Raskin of Mozilla has developed privacy icons inspired by Creative Commons. Along with some standard short text, the icons simplify privacy policy, though it should be noted that most of this sort of work has been academic. 
There remains difficulty in the issue of jurisdiction.</p> <p><img src="https://assets.econsultancy.com/images/0008/7608/raskin_privacy_icons.jpg" alt="mozilla privacy icons" width="500" height="733"></p> <p><em>Image via CREATe - <a href="http://www.create.ac.uk/publications/the-use-of-privacy-icons-and-standard-contract-terms-for-generating-consumer-trust-and-confidence-in-digital-services/">The use of privacy icons and standard contract terms to build consumer trust</a></em> </p> <p><strong>Note that this article represents the views of the author solely, and is not intended to constitute legal advice.</strong></p> <p><em><strong>Are you a privacy expert? Let us know your thoughts in the comments below...</strong></em></p> tag:econsultancy.com,2008:BlogPost/69254 2017-07-20T09:44:00+01:00 2017-07-20T09:44:00+01:00 Four key digital challenges for IT leaders in 2017 Nikki Gilliland <p>Based on a sample of more than 500 IT leaders, here are a few key charts from the research, highlighting the biggest hurdles IT professionals currently face.  </p> <h3>1. Threat of security breaches</h3> <p>While technical skill is still a given, the role of senior executive within IT departments has evolved into something much broader, requiring a deeper understanding of business objectives. This also means creating a bridge between technology and other areas of the business such as HR, finance, and marketing. </p> <p>This focus on the wider customer experience has also led to the concept of the ‘chief integration officer’ – someone who is able to influence the overall strategic vision of a business. 
Following on from this, it is clear that the challenges faced by IT leaders are much more complex than they once were.</p> <p>Now, the threat of security breaches and cyber-attacks is cited as a key concern by 41% of respondents – higher than any other area.</p> <p>Perhaps unsurprisingly, executives at organisations with annual revenues exceeding £150m are more likely than their peers at smaller organisations to reference security as a major challenge.</p> <p><img src="https://assets.econsultancy.com/images/0008/7501/Security_attacks.JPG" alt="" width="780" height="535"></p> <h3>2. Finding the right mix of skills</h3> <p>Interestingly, it is larger organisations that cite lower levels of confidence in their digital skills mix, with just 58% agreeing that they are well-positioned in this area compared to 61% of smaller organisations. </p> <p>Similarly, European organisations seem less confident than their American and APAC counterparts. Talent availability is seen as more of a challenge than in other regions, with availability of individuals with the right mix of skills being cited as a top-three internal problem by more than 34% of European respondents.</p> <p>This is also the case when it comes to culture, with 61% of European respondents describing their company culture as "innovative, adaptable and undertaking a ‘fail fast’ approach". When compared with 68% of respondents saying the same for North America and 75% in APAC, it’s clear that Europe is still playing catch up.</p> <p><img src="https://assets.econsultancy.com/images/0008/7504/Skills_and_culture.JPG" alt="" width="739" height="618"></p> <h3>3. Escaping silos</h3> <p>In terms of internal barriers, it appears the age-old problem of organisational structure remains the biggest. 
42% of executives cited frustration with departmental silos and bureaucratic processes, while 41% expressed frustration over integrating legacy systems with new tools and technologies.</p> <p>This is even more the case for larger organisations in Europe, with 52% of European respondents citing bureaucracy as a top internal barrier.</p> <p>Interestingly, while support from senior management is less of a concern, a lack of shared vision relating to the meaning of digital transformation appears to be sustaining conflict. Again, this challenge is slightly more evident in Europe, tying in with the aforementioned struggles of skills and culture.</p> <p><img src="https://assets.econsultancy.com/images/0008/7506/Silos.JPG" alt="" width="780" height="541"></p> <h3>4. Keeping abreast of innovation</h3> <p>With IT executives now expected to help drive marketing strategy, keeping ahead of major technologies connected to innovation is another growing challenge – especially for larger organisations.</p> <p>46% of executives at larger companies are more inclined to feel pressure regarding tracking technology and innovation trends compared to 36% of smaller company peers. Interestingly, IT executives appear to be looking outside of their organisations to keep abreast of technological innovation. 
More than half of respondents say they exploit technology content sites and webcasts and webinars.</p> <p>Lastly, the challenge to keep on top of innovation also extends to finding talent, with increasing importance in striking a balance between traditional technical knowledge and softer skills such as communication, co-operation and strategic thinking.</p> <p><img src="https://assets.econsultancy.com/images/0008/7508/Innovation.JPG" alt="" width="780" height="550"></p> <p><em><strong>Subscribers can download the full <a href="https://econsultancy.com/reports/2017-digital-trends-in-it/">2017 Digital Trends in IT Report</a>.</strong></em></p> tag:econsultancy.com,2008:BlogPost/69253 2017-07-18T10:21:00+01:00 2017-07-18T10:21:00+01:00 GDPR: 10 examples of best practice UX for obtaining marketing consent Ben Davis <p>In this instance, I'm concentrating on user consent, chiefly during online registration or checkout, but it should be noted that there are many other user experiences to consider. I was particularly impressed by some prototypes created by <a href="https://newdigitalrights.projectsbyif.com/">Projects by IF</a>. 
One example is the UI below, an example of allowing users the 'right to erasure'.</p> <p><img src="https://assets.econsultancy.com/images/0008/7524/Screen_Shot_2017-07-17_at_10.49.08.jpg" alt="prototype gdpr" width="320"></p> <p>The agency that created this prototype points out that the right to erasure isn't always an all or nothing decision, and that granular erasure of information may be desired, such as removing addresses from your recent trip history ("'Your trip to Brighton' makes more sense than 'Your trips to 7 Kensington Gardens, 52 Ship Street, and 11 Queens Road'".)</p> <h3>What are we looking for in this article?</h3> <p>I'm going to be examining company websites, looking for the following five aspects of consent in the GDPR which the ICO <a href="https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf">highlights</a> as key changes, and which are pertinent to marketers. </p> <ul> <li> <strong>Unbundled: </strong>Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.</li> <li> <strong>Active opt-in: </strong>Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).</li> <li> <strong>Granular: </strong>Give granular options to consent separately for different types of processing wherever appropriate.</li> <li> <strong>Named: </strong>Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.</li> <li> <strong>Easy to withdraw: </strong>Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. 
This means you will need to have simple and effective withdrawal mechanisms in place.</li> </ul> <p>N.B. There is another important change that should be on the marketer's agenda and that's the need for brands to maintain records of the consents they have – i.e. what users were told and how they gave consent. Obviously this is more difficult for me to investigate, but it is an area that companies no doubt need to focus on.</p> <h3>Unbundled consent - Who is doing it right?</h3> <p><strong>Unbundled consent - Sainsbury's</strong></p> <p>Here's a great example from Sainsbury's, below, flagged up in an Econsultancy <a href="https://www.econsultancy.com/blog/69172-10-supermarkets-with-10-very-different-email-opt-in-opt-out-strategies">article</a> about supermarket account registration from Andy Favell.</p> <p>Look how the white content blocks separate the clearly-headlined 'Terms and conditions' and 'Contact permission' sections. The contact permission section requires that users select a radio, either 'yes please' or 'no thanks'. This is clear as day, and what the consumer likes to see when registering for an ecommerce account.</p> <p>Not everything is hunky dory here, as permission for email, post, SMS and telephone is all lumped together into the same checkbox, but as far as unbundled consent is concerned (separate from T&amp;Cs), Sainsbury's hits the mark.</p> <p><img src="https://assets.econsultancy.com/images/0008/7513/Screen_Shot_2017-07-14_at_16.40.03.jpg" alt="sainsbury's consent" width="615" height="532"></p> <p><strong>Unbundled consent - </strong><strong>Data Protection Network</strong></p> <p>One would expect the Data Protection Network to be on top of this sort of thing.</p> <p>I recently registered so I could download <a href="https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance/">guidance on GDPR and 'legitimate interests'</a> – whilst joining I noted the unbundled consent and the very nifty red-to-green sliders. 
A great opt-in UX.</p> <p><img src="https://assets.econsultancy.com/images/0008/7514/dpn.jpg" alt="data protection network" width="615" height="419"></p> <h3>Granular consent - Who is doing it right?</h3> <p>Remember, granular consent means consenting to each contact method separately. </p> <p><strong>Granular consent - Woolworth's Australia</strong></p> <p>Here's a lovely example from Woolworth's Australia (hat-tip again to Andy Favell), taken from account registration. It uses three different checkboxes – SMS, email and post (samples). This means users can get comms where they want them, rather than an all-or-nothing approach.</p> <p>Although Woolworth's Australia doesn't sell to the EC, there are lots of international companies that do, and will therefore have to comply with the GDPR.</p> <p><img src="https://assets.econsultancy.com/images/0008/6760/t3.11_email_opt_in_woolworths.png" alt="woolworth au contact preferences" width="615" height="226"></p> <p><strong>Granular consent - Age UK</strong></p> <p>Age UK splits marketing consent (when filling in an online form to make a donation) into checkboxes for email, telephone, text message and post. What's also good is that each channel (apart from post) requires an active opt-in.</p> <p><img src="https://assets.econsultancy.com/images/0008/7538/Screen_Shot_2017-07-17_at_12.03.04.png" alt="age uk" width="400"></p> <p>Though arguably consent for direct mail should be opt-in, too, some other charities are less transparent, requiring that a user consents to post and then asking them to get in touch to change this (e.g. Oxfam). There are also other charities which use an opt-out (instead of opt-in) for contact by telephone or simply take the user's input of a telephone number to imply consent. Age UK is doing a better job.</p> <p>Note that marketing via post may be considered a legitimate interest for charities. 
The GDPR states 'the processing of Personal Data for direct marketing purposes may be regarded as carried out for a legitimate interest'. However, as the Data Protection Network points out, 'organisations will still need to ensure they can establish necessity and balance their interests with the interests of those receiving the direct marketing communications'.</p> <p>That means post every week could be hard to justify, but quarterly mail to let users know about charity work may seem to be more balanced.</p> <h3>Named organisations - Who is doing it right? </h3> <p>Which companies are clearly naming the organisations that will have access to user data, where that user consents?</p> <p><strong>Named organisations - Waitrose</strong></p> <p>Here's a clear example from Waitrose, part of the John Lewis Partnership, when registering for an account. The user can consent to receiving updates from Waitrose, John Lewis or John Lewis Financial Services. Each organisation gets its own checkbox.</p> <p>However, it's still technically an opt-out as the user has to click the buttons if they <strong>don't</strong> want to receive further comms. A bit sneaky.</p> <p><img src="https://assets.econsultancy.com/images/0008/6758/t3.9_email_opt_out_waitrose.png" alt="waitrose consent" width="500"></p> <p><strong>Named organisations - Age UK</strong></p> <p>Here's a second example which I think is very much in line with the clarity that the GDPR is seeking to provide for users. Age UK sets out clearly in what circumstances users (making a donation) may be contacted, that their data will never be sold, and that users can change their mind about consent.</p> <p>Crucially, there's also a line that states clearly which organisations "we" refers to.</p> <p><img src="https://assets.econsultancy.com/images/0008/7539/Screen_Shot_2017-07-17_at_12.03.53.jpg" alt="age uk consent" width="350"> </p> <h3>Active opt-in - Who is doing it right? 
</h3> <p><strong>Active opt-in - Walmart Canada</strong></p> <p>Walmart Canada – where regulations are tight, including the CASL (Canadian anti-spam legislation) – is not only using an active opt-in, specifically for emails, but also has the word 'optional' in brackets, to let users know for certain they do not have to check this box.</p> <p>Additionally, it's good to see a clear description of what content such emails may contain.</p> <p><img src="https://assets.econsultancy.com/images/0008/7530/walmart_ca.png" alt="walmart canada registration" width="500"></p> <h3>Easy to withdraw - Who is doing it right?</h3> <p><strong>Easy to withdraw - The Guardian </strong></p> <p>This sort of functionality is pretty standard in many sectors (e.g. in the media and ecommerce) but is still something that isn't offered by everyone yet as self-serve.</p> <p>The Guardian shows how those that have registered for an account can withdraw permission for marketing in their account settings, as well as withdraw permission for profiling that may impact things such as the adverts a user sees.</p> <p><img src="https://assets.econsultancy.com/images/0008/7548/Screen_Shot_2017-07-17_at_14.35.52.jpg" alt="guardian preferences" width="615" height="353"></p> <p>One functionality the Guardian affords (below) which many do not is the ability to fully delete your account (right to erasure). When you do this from within your account settings, there's lots of clear information about how it will affect everything from the comments you have made to any paid subscriptions you have in place.</p> <p>The page also states: "Deleting your account removes personal information from our database. 
Your email address becomes permanently reserved and the same email address cannot be re-used to register a new account."</p> <p><img src="https://assets.econsultancy.com/images/0008/7547/g_delete.jpg" alt="guardian delete account" width="615"></p> <h3>Other best practice</h3> <p><strong>Clarity from Channel 4</strong></p> <p>I wanted to include the Channel 4 example, featuring a video campaign from back in 2012, when the broadcaster sought to prepare users for compulsory registration.</p> <p>When registering for a Channel 4 account on the All 4 website, you can see Alan Carr featured on the right hand side and a link to the video ('Our viewers promise'). There's a clear heading – 'how we use your information' – and the text mentions tailored advertising, and sits underneath copy detailing 'reasons to register'.</p> <p><img src="https://assets.econsultancy.com/images/0008/7526/Screen_Shot_2017-07-17_at_11.15.11.jpg" alt="all 4 how we use your information" width="615" height="484"></p> <p>There's a fairly unique bit of UX further down the form with users able to click to see an example newsletter (see the linked text in the screenshot below). This is an innovative way of helping the user decide whether they want to opt-in to communications.</p> <p>The only gripe I have with this checkbox is that the accompanying explanation could be made clearer. Not everyone will know what FOMO means, for example.</p> <p><img src="https://assets.econsultancy.com/images/0008/7527/Screen_Shot_2017-07-17_at_11.17.25.png" alt="all 4 registration" width="400"></p> <p>These examples are not rocket science, I know. 
It's the back-of-house stuff that represents the real challenge – how to keep records of all processing, all consent granted by users, how to enable users to take their data to another provider, and so on.</p> <p>But, as companies should be looking to move towards compliance with the GDPR by 2018, the most visible part of this compliance – the UX of obtaining consent and letting the user know what they're in for – should be a priority soon.</p> <p><em>To learn more on this topic, book a place on our <a href="https://www.econsultancy.com/training/courses/gdpr-data-driven-marketing">GDPR and Data-Driven Marketing training course</a>.</em></p> <p><strong>Note that this article represents the views of the author solely, and is not intended to constitute legal advice.</strong></p> tag:econsultancy.com,2008:BlogPost/69252 2017-07-14T14:04:40+01:00 2017-07-14T14:04:40+01:00 10 dazzling digital marketing stats from this week Nikki Gilliland <h3>Three in four shoppers browse elsewhere before making Prime Day purchases</h3> <p>Research from <a href="http://blog.bazaarvoice.com/2017/07/10/brands-retailers-seize-amazon-prime-day/" target="_blank">BazaarVoice</a> suggests that Prime Day shopping extends beyond Amazon, with 76% of people visiting other online retailers before making a purchase. 46% of consumers are said to visit Walmart, while 40% check Target. </p> <p>BazaarVoice also found that consumers tend to browse other retailers depending on product categories. 
For example, more than half of shoppers researching electronics brands will also visit Best Buy, while 49% turn to Lowe’s for researching outdoor items like hammocks or barbeques.</p> <h3>33% of consumers say they will erase personal data as GDPR comes into effect</h3> <p>A new survey by SAS suggests that nearly half of consumers plan to utilise their new rights over personal data in May 2018.</p> <p>In a poll of over 2,000 UK adults, 33% said they plan to exercise their right to remove personal data from retailers, while 33% will also ask for their data to stop being used for marketing purposes.</p> <p>17% of people said they will challenge automated decisions, and 24% will access the data that retailers hold on them.</p> <p><img src="https://assets.econsultancy.com/images/0008/7477/SAS_GDPR.JPG" alt="" width="780" height="298"></p> <h3>Prime Day is the biggest sales day of the year for Amazon so far</h3> <p>New data from Hitwise has revealed that there were 9.5m transactions processed on Amazon.com during Prime Day 2017 – making it the biggest sales day of the year so far. The day generated even more sales than last year, when Amazon processed 6.7m transactions.</p> <p>Altogether, Amazon.com accounted for 87% of all online transactions processed by the top 50 retailers on Prime Day – a day when one in every 10 visits to the site resulted in a purchase.</p> <h3>Companies experience digital performance problems once every five days</h3> <p>Research by <a href="https://www.dynatrace.com/digital-transformation-audit/" target="_blank">Dynatrace</a> suggests that organisations are encountering digital performance problems on average once every five days, with individuals across business and IT functions losing a quarter of their working lives fighting to address these problems.</p> <p>In a survey of 1,200 global IT and business professionals, 75% of respondents said they have low levels of confidence in their ability to resolve digital performance problems. 
48% also stated these issues were directly hindering the success of digital transformation strategies in their organisations.</p> <p>Marketing professionals are said to lose 470 hours per year or nearly two hours every business day to addressing performance problems, while IT operations professionals lose 522 hours per year or over two hours every business day.</p> <p><img src="https://assets.econsultancy.com/images/0008/7475/Dynatrace.JPG" alt="" width="582" height="293"></p> <h3>Debit cards overtake cash payments in the UK</h3> <p>The latest <a href="https://brc.org.uk/news/2017/debit-cards-overtake-cash-to-become-number-one-payment-method-in-the-uk" target="_blank">Payments Survey</a> has revealed that debit card purchases have overtaken cash for the first time in the UK, with nearly £190bn being spent via this channel in 2016.</p> <p>Meanwhile, the share of cash transactions shrank 4.5% to account for 42.3%, leaving credit and charge cards to make up the remaining 11.4%. </p> <p>The use of contactless technology has contributed to the rise in card payments, with consumers increasingly using contactless to pay for smaller purchases. The average transaction value on cards declined from £30.53 in 2013 to £25.40 in 2016.</p> <p><img src="https://assets.econsultancy.com/images/0008/7474/Cash.JPG" alt="" width="740" height="513"></p> <h3>37% of online spend goes through Amazon</h3> <p>The success of this year’s Amazon Prime Day might be indication enough, but new research from <a href="https://info.salmon.com/amazon-king-of-jungle-research" target="_blank">Salmon</a> has also highlighted just how much the retailer dominates the ecommerce industry.</p> <p>In a survey of over 6,000 consumers across Europe and the US, Salmon found that 37% of all consumer spending goes through Amazon. 
This could rise, too, as 73% of consumers say they will increase their use of digital shopping channels in future.</p> <p>53% of survey respondents also said they would be more likely to buy through Prime than a retailer’s online store, while the majority of consumers feel that Amazon is ‘leading the way in digital retail’.</p> <p><img src="https://assets.econsultancy.com/images/0008/7478/Salmon.JPG" alt="" width="550" height="435"></p> <h3>Fresh grocery searches on the rise</h3> <p>From analysis of over 100m online searches in Q2, Criteo has discovered that searches for online groceries increased by 108% during the period of April to June 2017.</p> <p>With consumers relying on faster and more flexible delivery options, buying fresh produce online is becoming all the more convenient. Consequently, searches for milk, eggs and cheese all increased in the second quarter. Online searches for milk increased by 92% from the first three months of the year.</p> <h3>More than 50% of travellers look for inspiration during the planning process</h3> <p>A <a href="https://info.advertising.expedia.com/multi-national-travel-trends-in-the-tourism-industry" target="_blank">new study</a> by Expedia Media Solutions has uncovered the motivations and behaviours of travel consumers across eight countries including China, Australia and the UK.</p> <p>In all eight countries, at least 50% of travellers say they are often undecided on a destination close to booking, with most looking for help and inspiration during the planning process. More than 65% say they are influenced by informative content from travel or tourism brands.</p> <p>That being said, the research also found differences in the kind of marketing people respond to. While ads featuring deals are most likely to influence Americans, Canadians and Australians, Chinese travellers are prompted by ads with appealing imagery and informative content. 
Both French and German travellers place equal value on appealing deals and imagery.</p> <p><img src="https://assets.econsultancy.com/images/0008/7476/Expedia_Media_Solutions.JPG" alt="" width="780" height="363"> </p> <h3>Marketers struggling to localise content</h3> <p>According to research from the <a href="https://www.cmocouncil.org/authority-leadership/reports/328" target="_blank">CMO Council</a>, marketers are finding it difficult to localise content and tailor their output for individual media platforms.</p> <p>In a poll of 150 marketers, just 36.2% agreed they were performing well when it comes to translating creative strategies across all the necessary physical and digital touchpoints. Furthermore, just 32% believed they are succeeding in adapting branded content for different markets, audiences, and locations served by their companies around the world.</p> <p>47.7% of respondents stated that ‘localisation demands’ – e.g. language, cultural values and religion – were putting pressure on teams to deliver creative at scale. 43.9% also cited new digital formats and device types as a big challenge.</p> <h3>Emojis lose momentum as a marketing tactic</h3> <p>Research from 2016 showed that 95% of Brits were more likely to open an email if they contained emojis that juxtaposed the subject line. However, a new study by Mailjet suggests that emojis might be losing their effect.</p> <p>In a series of tests, Mailjet found open rates in the UK and the US rise by just 5% and 6% respectively when emojis accompanied the subject line.</p> <p>While the crying-with-laughter emoji was previously the most popular, Brits are now 33% less likely to open a message using the crying emoji than an email without it. The current overall best performer is the simple red heart emoji, being one of the few to generate a positive net result across all test regions with a 6% increase in open rate. 
</p> <p><img src="https://assets.econsultancy.com/images/0008/7479/emojis.jpg" alt="" width="540" height="540"></p> tag:econsultancy.com,2008:BlogPost/69236 2017-07-07T12:40:12+01:00 2017-07-07T12:40:12+01:00 10 superior digital marketing stats from this week Nikki Gilliland <p>On we go...</p> <h3>Mobile shopping ads present growth opportunity for retailers</h3> <p>According to a new report by <a href="http://www.foundit.com/blog/mobile-shopping-search-retailers-biggest-opportunity-improve/" target="_blank">Foundit</a>, mobile clicks on Google Shopping ads represent the largest single source of visitors for online retailers, accounting for nearly 25% of all sessions across direct, paid and shopping search traffic.</p> <p>However, the report – which reviewed over 60m shopping sessions across leading retailers – also states that search is the worst channel for bounce rate, with users typically viewing just two and a half pages before quitting.</p> <p>In terms of the difference in bounce rates between Google shopping on mobile and desktop, just 27% of sessions browse past the first page, compared with 38% on desktop. </p> <p><img src="https://assets.econsultancy.com/images/0008/7342/foundit.JPG" alt="" width="706" height="318"></p> <h3>TV sponsorship increases positive brand associations</h3> <p>According to a study by Thinkbox, brands that sponsor TV shows are able to improve brand health metrics – mainly thanks to the strong affinities viewers have with their favourite programs.</p> <p>Research found that there was a 53% increase in ‘personality fit’ between viewers of a TV show and the sponsoring brand when compared to non-viewers. In turn, viewers were far more likely to recommend the brand than those that didn’t watch the TV show. </p> <p>Meanwhile, when the sponsorship creative was a natural fit with the program, key brand health metrics for viewers were 5% higher than for non-viewers. 
</p> <h3>UK shoppers buy from just three online stores</h3> <p>According to a YouGov poll commissioned by Apptus, online fashion retailers are struggling to attract new and loyal customers.</p> <p>In a survey of over 1,500 online shoppers, 62% of people were found to have a core group of favourite online retail stores – a figure that rises to 68% for women.</p> <p>Interestingly, younger shoppers appear more likely to stick to a narrow selection of sites, with 78% of 18-24 year olds and 70% of 25-34s staying loyal to a select few retailers.</p> <p>In order to tempt them away from their favourites, 66% of shoppers said that other retailers should offer greater value for money, while 48% said they should make it easy to find products they are looking for. In contrast, just 4% pointed to ‘lifestyle content’ as a means of grabbing their attention and building loyalty.</p> <p><img src="https://assets.econsultancy.com/images/0008/7346/online_payments.jpg" alt="" width="718" height="487"></p> <h3>North Dakota named the best US state to start a business</h3> <p><a href="https://wallethub.com/edu/best-states-to-start-a-business/36934/" target="_blank">WalletHub</a> has compared 50 US states across 20 key indicators to determine where startup businesses are most likely to succeed.</p> <p>It found New Jersey to be the worst, mainly due to high office space and labour costs as well as inaccessible financing.</p> <p>On the flip side, North Dakota was ranked the best, seeing the highest average growth in small businesses. 
The state also has the most startups per 100,000 residents – three times more than West Virginia, the state with the fewest.</p> <p><img src="https://assets.econsultancy.com/images/0008/7341/Start-ups_US.JPG" alt="" width="780" height="311"></p> <h3>75% of users are searching on mobile more often due to voice technology</h3> <p>New research from Google shows that voice search is influencing user behaviour, with 75% of consumers saying that they now search on their mobiles more often because of the technology.  </p> <p>People who started using voice search in the last six months are said to be the most frequent users, with 42% now using it daily. In comparison, just 25% of people who started using voice search over four years ago use it as frequently.</p> <p>The research also found that both visual and text search remain popular, with 51% of respondents using the two interchangeably.</p> <h3>Cyber-attacks on UK businesses increase 52% in Q2</h3> <p>A new report by Beaming suggests that the number of cyber-attacks aimed at UK-based businesses increased by more than half in Q2 2017. This means that businesses saw almost 65,000 attacks in just three months – an increase of 52% from the previous quarter.</p> <p>68% of attacks targeted connected devices such as networked security cameras and building control systems. 
However, there was also a marked increase in attacks on company databases, with businesses experiencing an average of 105 attempts per day compared to just 14 in the first quarter.</p> <p><img src="https://assets.econsultancy.com/images/0008/7340/Cyber_attacks_UK.JPG" alt="" width="780" height="192"></p> <h3>Mobile traffic at an all-time high across Europe</h3> <p>A new <a href="https://www.slideshare.net/adobe/adi-2016-europe-best-of-the-best" target="_blank">report from Adobe</a> – which includes analysis of the top 20% of companies using Adobe Experience Cloud and a survey of over 5,000 consumers across Europe – suggests mobile traffic is increasing across Europe.</p> <p>It states that smartphones accounted for 31% of all European web visits in 2016 – an increase from 22% in 2015. In comparison, desktop accounted for 58% of browser traffic - down from 65% in 2015. For the top-performing companies, 41% of web traffic came from a smartphone in 2016, up from just 31% the previous year. </p> <p>Meanwhile, the report found that consumer expectations are driving mobile usage, with 57% preferring to use a smartphone over another device when completing tasks in 2016 – up from 51% in 2015.</p> <h3>Shoppers’ dual-screening habits present big opportunities for retailers</h3> <p>Data from eBay has revealed there was a huge spike in consumer spending during last summer’s sporting events, indicating the potential for retailers to tap into dual screening behaviour.</p> <p>On the final day of the Tour de France last year, searches for ‘Pinarello’ – the bike that Chris Froome rode – rose by 62% on eBay.co.uk. 
Meanwhile, searches for ‘cycling shorts’ and ‘road bike’ increased by 46% and 71% respectively.</p> <p>Similarly, in the two weeks of the Rio Olympic Games, searches for ‘running shoes’ rose by 66%, and interest in running watches jumped by 113%.</p> <h3>Uber gains more customers than any other US company in the past year</h3> <p>Despite the series of scandals that have plagued the company in the past year or so, Uber has made the largest customer gains since the first half of 2016. </p> <p>26% of all US millennials are said to have recently used the service, which has increased its <a href="http://www.brandindex.com/article/ride-sharing-brands-top-biggest-millennial-customer-gains-over-last-year" target="_blank">Adobe BrandIndex</a> ‘current customer score’ by 8.2 points.</p> <p>Other companies in the sharing economy have also grown, with Lyft – Uber’s biggest US rival – becoming the third biggest gainer, and Airbnb coming 12th in this list.</p> <p><img src="https://assets.econsultancy.com/images/0008/7343/uber.jpg" alt="" width="724" height="483"></p> <h3>Online consumers desire security over transaction speed</h3> <p><a href="https://mypinpad.com/consumer-trust-report/" target="_blank">New research</a> suggests that retailers who favour speed and convenience over security measures could be losing customer trust. This is because 67% of consumers surveyed said they are concerned about their online banking and shopping security, with one in four respondents being ‘very concerned’.</p> <p>In order to improve levels of trust, retailers must implement greater transparency around security practices, as well as increased security steps. </p> <p>40% of respondents said they would like to use cardholder PIN to authenticate online transactions, while 50% would like to use a combination of both PIN and biometrics. Only 2% of consumers believe transaction speed is more important than security.</p>