Turn data privacy into a competitive advantage with mParticle

For any company that leverages customer data, there is one objective that takes precedence over all other aspects of data strategy: maintaining compliance with privacy regulations. Not only is this required by law, it is integral to your brand’s reputation among consumers, as a perceived lapse in a brand’s data privacy practices can significantly diminish consumer trust. In a McKinsey & Co. study of 1,000 consumers, 87% of respondents stated that they would not engage with a brand if they had concerns about its privacy practices.  

This high degree of consumer scrutiny around privacy doesn’t have to be a threat to brands, however. Rather, it can be an opportunity. Since protecting your customer data is so important to building and maintaining your customers’ trust, investing in robust data privacy practices––like a dedicated data privacy team and flexible data infrastructure that allows you to adapt to evolving regulations––can ultimately pay dividends in the long run. Earning a high degree of confidence in your data practices among your customers can help you differentiate from your competition, encourage your customers to engage more with your brand, and increase your customers’ lifetime value. 

One of the biggest challenges involved in data privacy compliance––especially for companies with an international customer base––is the lack of uniformity between privacy laws in different regions and jurisdictions. Privacy legislation like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Brazil LGPD have different definitions for when a company has a lawful basis to collect and leverage customer data. This chart from the International Association of Privacy Professionals (IAPP) shows how in the realm of data privacy, individual rights and business obligations vary around the world. 

Maintaining compliance with this patchwork of regulations can involve a great deal of time and effort. By investing in centralized, flexible data infrastructure tools, however, companies can be better positioned to comply with existing privacy regulations and adapt to future legislative changes. In the rest of this article, we’ll discuss how mParticle allows you to support regulatory compliance at multiple stages of your data’s lifecycle and easily fulfill data erasure requests from customers.

Collecting customer consent and using consent states to manage how data flows can be challenging, especially when companies are tracking customer behaviors across a variety of touchpoints. mParticle helps companies accomplish this by tying consent states collected from a Consent Management Platform, as well as engagement data from across channels, to a single unified user profile. 

However, tracking binary consent states for every user is not the end of a company’s obligation to process personal data lawfully. The GDPR, for example, defines a “lawful basis” when capturing customer data, and defines six situations that establish this basis, which include:

• When the subject (customer in this case) has given explicit consent
• When the controller (company in this case) must meet a contractual obligation 
• When the controller must comply with legal obligations
• When the controller is acting to protect the customer’s vital interest
• When the controller is carrying out tasks in the public interest
• When the controller is acting in its legitimate interest

Similar to the GDPR, the Brazil LGPD lays out a variety of lawful bases (10 in this case) for collecting and processing data. In the modern data privacy landscape, upholding compliance with the law and maintaining your customers’ trust requires a nuanced approach to data collection and orchestration. Capturing the specific bases on which individual data events were collected, and using this information to determine how and where this data will be leveraged, can be a complex process to manage and implement. 

Brands that leverage mParticle to collect, unify, and connect cross-channel customer data are well positioned to align their customer data strategy with nuanced privacy regulations and maintain compliance as these legal frameworks evolve. The mParticle platform allows customers to capture custom attributes along with any behavioral events that data subjects perform when interacting with your apps and websites. These custom attributes are key-value pairs that can be used to capture any information that matters to your business. In addition to demographic and behavioral characteristics, custom attributes can also be leveraged as a way to maintain compliance with data privacy regulations. Here, we’ll explore how we can use custom attributes to capture one or more lawful basis values on event-level data, and use these values to determine when and where to forward your customer data. 

Capture lawful basis with custom attributes

The first step to accomplishing this happens when you create your Data Plan with mParticle. As you define the attributes that will be collected along with individual events, define custom attributes for lawful basis in places where you want to maintain a record of your basis for collecting and leveraging user data. Here’s how that would look using the data planning feature in the mParticle user interface:

Note that you can specify a data type for each event attribute you create. In the example above we are using a string, however you can also set this attribute to an array if you would like to capture multiple lawful bases for a single event. 

Once you have added lawful basis event attributes to your data plan, the next step is for your engineers to capture values for these attributes along with the events they implement throughout your user journeys. For instance, capturing lawful basis on a view product event in a web application would look like this.

Establish privacy-based data forwarding by leveraging custom attribute values in Connections

In mParticle, a Connection is the combination of an input (or data source), an output (or data destination) and the configurations that determine how and when data flows between the two. Connections allow you to specify forwarding rules as a way to exercise granular control over what data can flow to your downstream tools. Combining custom attributes that capture lawful bases (or any other compliance- or consent-related data) with forwarding rules is a powerful yet simple way to ensure that the way you leverage customer data remains compliant with relevant regulations. 

Once you have lawful basis attributes associated with events, you can establish forwarding rules on your individual connections specifying that data should only be forwarded to specific tools if a particular lawful basis value is present.

Imagine this scenario. Under the terms and conditions of a retailer’s loyalty program, that company may collect data pertaining to the opted-in customers’ current loyalty status, and forward this data to partners for the purpose of engaging that customer with offers and messaging. This retailer’s customers are subject to the GDPR, so once customers agree to the program’s terms and conditions, the retailer has a contractual lawful basis to leverage this data. When the user signs up for the loyalty program, a loyalty status of true is captured on their user profile in mParticle. Now, when this user performs an action related to their loyalty status (like making a purchase that would earn them more points, for instance) the event forwarded to mParticle could contain both contractual_obligation and legitimate_interest values for a lawful_basis custom attribute. 

Aside from their loyalty program, this same retailer collects on-site behavioral data from users who visit their website for the purpose of optimizing site performance and improving user journeys. Collecting and leveraging this data does not require any specific consent or a contract to be agreed to––rather, the retailer can use this data on the lawful basis of legitimate interest, since on-site data will help the company improve the core asset that drives sales and grows the business. Therefore, this retailer can capture legitimate_interest as a lawful basis along with all standard behavioral events. 

Now that this retailer has lawful_basis attributes on all of their events data, they can easily use these values to establish rules on their data connections with activation tools to determine which events get forwarded where. For instance, if this brand works with a loyalty partner like Talon.One to handle all loyalty program-related customer engagements, they could check for the presence of lawful_basis: contractual_obligation before forwarding events to this vendor. Similarly, data connections to product analytics partners like Indicative can contain a similar rule checking for the presence of a legitimate_interest value on this attribute. This strategy of capturing lawful basis attributes and using them to direct the flow of data to downstream systems will help this brand maintain compliance with regulations like the GDPR. 

By using mParticle to capture custom attributes and using these to establish data forwarding rules, brands that work with mParticle can add a level of nuance to their data privacy strategy that is necessary to leveraging their customers’ data in a compliant manner. Additionally, with the flexibility to add new custom attributes as needed, this solution delivers the flexibility that companies need to ensure that their data practices maintain compliance with the ever-evolving global privacy landscape. The retail use case we discussed above is just one example of how a company might want to leverage this capability, however. Of course, the specific lawful basis attributes you capture, and the data forwarding rules you establish based on them, will depend on how each lawful basis category applies to the particular customer data that matters to your business. mParticle customers can work with their solutions engineers to determine the best and most scalable way to incorporate lawful basis attributes into their data plans. 

In addition to the use cases discussed above, another potentially challenging aspect of data governance is responding to data subject erasure requests from customers in a timely manner. The GDPR, CCPA, and LGPD all give customers the right to view, update, extract and delete data that businesses have saved on them. When a customer exercises this right, they create a data subject request (DSR). 

mParticle delivers a bespoke feature to allow customers to process data subject erasure requests within the timeframes stipulated by all major regulatory frameworks. Learn more about this feature and recent enhancements here.