So hi, everyone. My name is Chandra Stevens, and I'm the global director for our solutions strategy for customer experience here at Microsoft. Today I have with me, and the pleasure to have with me, is Ray Velez from Kublis' Sapient. And our topic today is going to be getting identity right, an approach to cookie-less strategy. So Ray, I'm going to turn it over to you to introduce yourself.
Great. Thanks, Chandra, and great to be here today. Hi, I'm Ray Velez. I'm the chief technology officer at Publis' Sapient. And what that means is helping to create the frameworks and the solutions that map from what our customers and clients need to the technology infrastructures to support it. And so when I talk about identity and getting identity right today, it's about modernizing the way you structure your customer data, but staying compliant with the changes that are happening from the platform players and from legal and regulatory privacy changes.
Great. Thanks for joining us today. We're excited to talk on this topic because it is one that is very popular these days as a deprecation of cookies and new regulation come into play. Do you want to kick us off and share what insights you have around the topic?
Sure thing. So I thought it would be good to ground a bit on what these changes and challenges are. So what are the regulations? How are the major platforms that our consumers are interacting with changing? And then turn that into an opportunity. So a lot of the tactics that will be needed to be put in place to manage customer data better are actually going to improve the knowledge and understanding you have around your consumers in a consent, legal, and regulatory way, but also that will help you drive improved experiences. And then we'll wrap up a little bit with, well, how do we get there? What's the first step and how do we build a roadmap to evolving the way we manage customer data that can stay consistent with these challenges?
So let's start with the challenge. I think it's interesting when you think about a lot of talk, and we'll talk a little bit about the changes themselves, everything from GDPR to CCPA and all the other changes in between. A lot of this got started back in 2014 in this case around the right to be forgotten. So a Spanish citizen raised the concern around his record or that individual's record showing up in the Google search index. And there was a lot of debate across the community and across the platforms around, well, that record that was showing up within a search response was really just showing public information. The information was already public. And so then the question became, well, what does a consumer have in terms of their rights and ownership around their personal data? And that really started this conversation, which eventually led to some of the early cookie laws and then led to the GDPR regulations mostly in the EU markets. And what it led to was this concept of what can I delete and what would be some of the drivers? And some of the early thinking around that was you're able to delete a record if it's wrong or if it's inaccurate, excessive, or irrelevant, but also as a consumer, you have that availability to delete records because you own that and you could start to see many of the major platforms instituted lots and lots of changes around how you can control your own data all the way through to whether you can delete it, update it, or protect different attributes that can be shown.
So coming out of that right to be forgotten early on, I think it was back in 2018, GDPR went into place. And GDPR in the EU markets is interesting because the penalty to a global enterprise not complying with GDPR at one point, it was 4% of your earnings, and not just your earnings in those markets, it was 4% of your global earnings. So the penalty is pretty steep to be able to operate and stay in a regulatory compliant way in GDPR markets. And then you started to see other markets employ similar regulatory constraints. And so CCPA, the California Consumer Privacy Act, lots of other states in the US have employed similar regulatory restrictions, and then there's also proposals at the federal level. And then other markets around the world are following suit. But what really starts to get interesting is, well, here's the reaction from a legal and regulatory perspective and to some degree how consumers are feeling. Well, then how do the platforms start to interpret that? And so that's some of the changes which we'll talk about next in iOS and Android platforms from Apple and Google, and then what that led to in terms of cookie deprecation. And to some extent, the cookie-less future is already here on some platforms. And what we mean by that is if you go back to 2017, iOS and the Safari browser in particular deprecated third-party cookies, and that was part of their intelligent tracking prevention changes. So for many of the third-party cookie functionality that depends on, or functionality that depends on a third-party cookie, that doesn't work on some of these platforms already. And so Firefox, Safari, and others have already implemented this. Now that was within a browser. Then last year, and you may have seen some of the back and forth between Apple and Facebook on this particular change, but last year within native applications, Apple limited the use of what is called the ID for advertisers. So the ability for advertisers to target within native apps needs to be turned on. And what I mean by that, there's an interesting change in the way this was enacted, which was it's turned off by default. So even if you want a native application to ask you for whether or not the tracking can be turned on, you have to actually go into the settings within your iOS device and turn those settings on. And then the app will ask you. And so there's some significant changes and a lot of the tracking within iOS on a native application hasn't come back a year later, and Facebook has talked about a pretty large number in terms of lost revenues to not being able to use targeting and personalization and advertising within their native apps. And then last fall was another change in the fall of 2021. iOS 15 created a construct to hide your email. So the best way to think about this is something like you see in spy movies, right? You can use a burner email address, so a one-time use email address that is not identifiable back to you, and you could use what's called hide my email feature. And alongside that hide my email feature is hide your IP address. So with that now, it's even more difficult to track back to who is interacting over email. And then these changes and the reason why the circles get larger, you're starting to reach the rest of the browser share penetration. Chrome has projected Google and Chrome will make this change for around third-party cookies next January. They were going to make the change in 2022, but pushed it off to January, and we'll talk about why. And then there's also likely a change in 2024 that Google has announced, which will be similar to the change Apple made within native application. So this is where it starts to get more and more difficult even for a marketing or a commerce experience to be able to recognize a repeat visitor, for example, and some of those challenges are much broader than just native apps and third-party cookies. Actually, first-party cookies, so back in 2017 when the change was made, a first-party cookie is deleted after seven days. And so that's why you'll notice when you return to a site you've already been logged into, it may not recognize you again after seven days if you haven't been back to that site because that cookie gets deleted. So a lot of changes, and I think that the regulatory changes requires a change in the way your organization interprets and always work with your legal and regulatory teams to understand how they apply to your business, but the way you manage consent and the way you manage a consumer's data as a person collecting that data or an organization collecting that data. But then these platform changes in the name of privacy and consent also are making it more and more difficult to get to that single customer record.
Right. Ray, a question as well. So what I've seen in some scenarios too is there's a customer of a brand or a multi-brand organization, they may consent to one brand, but in their mind they're not consenting across every brand. So what's your thought on that and how should consumers or the brands be aware of this as well?
Yeah, and so we'll talk a little bit about how do consumers feel, right? Because right now we're talking about how the platforms are reacting and how the legal and regulatory organizations are putting in place what they think. And so I think one of the things to remember for a large multi-brand enterprise is that consumers at this point know very little of what their enterprise or the brands they're interacting with are doing with their data, and that makes consumers uncomfortable. So being very communicative in how your data is being used without necessarily scaring the consumer or the prospect away. Because oftentimes it'll be, hey, check through our terms and conditions, and in some cases that's longer than the Constitution. These are really, really large, and are people really going to read those? So think about ways to help educate consumers that are not cumbersome. And we'll talk a little bit about this concept that we're starting to see being talked about at large enterprises, which is progressive consent. So what's the consent at the moment that a consumer can understand why you're collecting that data, and then it is obvious what you're going to do with it. And so I think that is going to be important. And if you are asking for that data across multiple brands, what's the best way to communicate that to a consumer? And then build that into, and this is where consent management technology is important, because when you build that construct into your technology and a customer asks to be deleted or asks to know how you're using the data, you can bring that back with confidence because you've done the work to match different records across enterprisesof cookie deprecation is the data availability, right? So now, what used to be available through a cookie in actually protecting people's privacy, that's no longer there too, right? So I can't depend on that cookie to match a publisher to an advertiser anymore or to recognize a repeat visitor and create a personalized experience. And oftentimes what that was used was activation, right? And activation could mean a couple of different things. It's creating an audience of customers who may be interested in a product and we want to tell them about an offer or creating an audience of which to personalize an offer when customers visit a website. So all of that activation broadly is struggling. And in the past, measurement relied heavily on a third-party cookie. And so a big impact there. So as all these signals go away, your ability to do all of these things is significantly impacted. And so what does that impact mean? Well, the way you're doing these things is broken. So these things around or these core activities that marketing and commerce organizations need to rely on, you're not confident that they're going to work. So audience activation all the way through core first-party site experience, orchestration, personalization, kind of the core constructs of the way you build relevant and timely experiences, it changes, right? And so now you're struggling to have that single customer record to be able to do these things well. But these were always a little bit unstable anyway, right? You know, number one, the legal and regulatory concerns came about because it wasn't transparent. So now this transparency is getting there and consumers are starting to get that control. There was a struggle to get to a single individual across multiple devices. So even if they were providing consent to use the data, organizations weren't able to connect your phone and your set-top box and your laptop, right? But now by solving for identity, you could do these things. You also didn't have ways to interact across publishers, advertisers, commerce experiences. So now we need to solve for these things as well. And that was a problem in the past too. And so you're starting to see things like topics and others come up as privacy-safe ways to interact, clean rooms and sandboxes, which we'll talk about as well. And there were different platforms too. So what if I'm walking into a store, I'm using a set-top box? That used to depend on a cookie, but cookies don't exist in those platforms in the same way they exist within a browser. So these problems are not necessarily new. But the good news is when you solve for these challenges, which we'll talk about in the how, you start to build a much more accurate foundation of your data, right? So now I'm bringing together multiple devices in a legal and regulatory consent-based way so that I can treat the customer the same, right? So it's a much more anticipatory experience as opposed to a potentially frustrating experience. You're improving your activation and that had a lot of positive benefits, right? So you're improving the way that you present offers or retarget offers or your audience, the number of emails you send are higher performing, so maybe there are fewer, right? And so it starts to reduce spam. So when you start to better track experiences and relationships, all of these benefits come out of what we often look at as improving identity. You're improving your interactions on your properties and off your properties and you're connecting those better. You're deleting duplicate rows. So maybe somebody's using multiple email addresses, but it's the same person. Well, how do I bring that together in a way that is more relevant and anticipatory of the way that individual wants to communicate with a brand? And lots of, I won't spend too much time here, but lots of benefits across the entire experience. And I think what's important here is it's improving advertising or marketing experiences, but solving for this is also critically improving your own experiences too. So when somebody visits your website or interacts with an email. So all of these are absolutely critical as we go through the journey. And so, well, how do I prepare for this future? And I think the takeaway here is to a lot of these changes are yet to come. A lot of these changes already happened. And so how do I deal with both what is known and what is ambiguous and build a roadmap to mitigate against these changes? And so we think there's a three-pronged approach. Number one is what are the core strategic recommendations and how do I build against that? And so looking at your business, understanding the different channels, the different business units and the legal and regulatory mandates that come from your organization, again, always comply with your legal and regulatory teams is critical to understanding how to move forward. Because there's a lot of moving pieces that go into solving this, and we'll talk about that. And I think what's also interesting about this particular area is the distance between the tactics and technologies you need to build into your infrastructure and an understanding of how that's impacting revenue is a short distance, right? It's pretty close. So you can do that financial analysis, understand, okay, here's what I can do to solve for consent and solve for cookie deprecation for this particular channel. Here's the traffic I'm seeing on this channel and this platform. What is the revenue impact for this change? So you can build that very, very tightly because this is the data and analytics portion of your infrastructure. Then that can be built into a roadmap to help you to build against that and navigate as more changes come out by the platform players and the different regulatory changes from your legal and regulatory boards. So oftentimes what I'll say, I'll talk about is, well, what are the changes that need to happen? And as a starting point, I pick on, Boulos and Sapien said here, you can look at all of these third-party tags you're using already, right? So there's, you can plug in a little utility like Ghostery into your browser and it'll see, and many times for larger brands and enterprises, you'll see lots and lots of 30, 40 different trackers. So those are all trackers that to some degree may be dependent on leveraging third-party cookies, right? And so, well, what functionality is not working today because it's trying to put a third-party cookie on a platform that doesn't leverage it? And what impact will it have when these third-party cookies go away? Fortunately, from a technology perspective, and we'll talk about some of the mitigation techniques, you're going to move those third-party cookies into a server-side interaction. And so now your page will load faster and you'll be able to build in more flexibility on how things are shared. But there's two core ways to solving this from a customer data perspective, right? Because the predominant shift is in the past, you had a couple of different types of platforms. You had first-party customer data platforms and then you had third-party cookie-dependent data management platforms. And so those data management platforms, the functionality within that, dependent on cookies, has migrated to customer data technologies. And so that's the big shift. And what you're doing is you're focusing on, clearly, number one, legal and regulatory consent, right? Staying aligned with what the legal and regulatory guidelines are saying and staying aligned with how your brand interprets what data that you want to collect. And that goes into your customer data technologies, right? And that's a core part of what's often looked at as consent management and lots of interesting platforms popping up to solve that. But then alongside that, you're driving better identity through better alignment and unification of that data around your customers. So this person is logged in on a phone, on a laptop, walked into a store. They want to be recognized as a single individual, right, if that's aligned with their consent and other guidelines. And so make sure those records are coming together. And so that's the collection and unification that is absolutely critical here. And fortunately, technologies like Microsoft Azure and others are providing a greater scale to be able to do that really, really well. And what I mean by that is in the past, it was hard to do this with streaming data or real-time data, but with modern cloud technologies, you can now bring that all in and have the right centralized governance around it. So that's that core data management. That's the anchor for this. And then it's enablement, right? And since you have to make sure anywhere you're using data, it's staying legal and regulatory compliant, you need to build a flexible centralized platform to enable that. And one of the key components in that is enabling segmentation, modeling, machine learning, because they're going to feed into everything else. That's going to feed into your measurement. It's going to feed into your activation, the way you drive personalization. And within that, one of the really critical things is solving for protected attributes. So one of our colleagues, Shrey Agarwal, has recently written a book called Responsible AI. And one of the biggest takeaways I had from reading that was this core construct of protected attributes. So commonly thought of in financial services and health, but a zip code is a protected attribute. So make sure when anyone is building a model that leverages a zip code, it's consistent with your legal and regulatory guidelines. And you're also protecting against proxies that might also indicate a zip code. So maybe I don't use a zip code in a machine learning model, but machine learning figures out, well, these 15 attributes are as good as a zip code. Well, that's still a protected attribute. So building those constructs, and that's just the tip of the iceberg, but leveraging responsible AI and responsible machine learning is very, very critical to moving forward and solving for these changes. And so, again, when we think about this, and this is just an example from the way we approach this and the artifacts we bring to this analysis, is without a cookie-less strategy, most brands are already losing at some revenue loss risk or incurring revenue loss. Going back to this change that iOS has made called ITP back in 2017. So that gives you a starting point. It's like, well, how