Category Identity

Make Sense of Privacy-Language with a Common Privacy Protocol

Today, there is no lingua franca for privacy. Yet, your customers’ privacy preferences must be respected in the systems of partners, service providers and other third parties that speak a different privacy language than your own, or that lack any language for privacy at all. Many businesses are constantly struggling to send and interpret signals related to privacy, calling to mind the Biblical story of the Tower of Babel, with all of its scattered groups speaking languages unrecognizable to the others.

When senders and receivers of privacy instructions (or, in the parlance of GDPR, controllers and processors) speak different privacy languages, miscommunication and failure to enforce privacy rights can result. Clear cross-system communication and coordination requires a common privacy protocol that translates privacy signals to and from third parties, whatever privacy language they speak. This protocol needs to be programmatic and automated, and should not demand IT’s time and labor for bespoke, manual fixes to ever-arising privacy mapping problems.

Tower of Babel

Most companies today demonstrate a level of privacy maturity or fluency placing them in one of three categories:

  • Privacy Infants: They don’t speak privacy. At Ketch, we’ve observed that over 90 percent of service providers cannot support privacy within their own systems. They lack any privacy language, let alone standards for cross-system coordination. It’s imperative that companies establish a way to translate privacy rules to those at this level in a way that ensures they are respected.
  • Colloquial Teens: They have a privacy language but speak a different dialect from the system sending or receiving the privacy instruction: privacy instructions must be translated

  • Eloquent Poets: They speak the same language as the system sending/receiving privacy signals, and as a result privacy communication flows unhindered between them. The processor can easily ‘catch’ what the controller pitched. Real-time privacy desires and prescriptions on data use are tightly coordinated and enforced across the data ecosystem.
Digital identifiers -- one major example of the different languages companies speak -- can vary from one company to another: an email address at one; a visitor ID at another; a proprietary identifier at a third. This is getting all the more confusing as the number of digital identifiers proliferates, and the Gorillas, like Apple and Facebook, build ever higher walled gardens.

A consumer’s privacy preferences have to map back to the same living breathing person, not an isolated digital identifier. With businesses speaking different dialects, it’s necessary to parse fragmented digital identifiers and send the one recognized by the partner or service provider for them to honor the request. However, dispatching engineers to develop bespoke mappings every time a new system or regulation comes online wastes time, misapplies IT manpower and is unsustainably costly.

Rosetta Stone

Businesses must re-tool to meet partners’ and service providers’ systems wherever they are on the maturity curve. A common privacy protocol enables businesses to communicate and coordinate with those speaking a different privacy language without the need for manual, bespoke mappings. This is a “Rosetta Stone” for privacy -- a programmatic rulebook for accurately translating signals, enabling the fulfillment of privacy requests across a company’s whole ecosystem.

There are three main elements of the Rosetta Stone, or common privacy protocol for clear communication and coordination with all types on the privacy-maturity curve.
  • Overlay: Businesses and service providers will agree on a protocol, akin to what HTTP3 is for the web, a foundation for the exchange of data privacy signals, enabling tightly coordinated communication between entities and applications.
  • Translate: For the few service providers that have privacy APIs but use a different protocol (for example, one system calls it “Behavioral Advertising,” another calls it “Personalization”), privacy terms and identities must be translated to bridge that communication barrier.
  • Materialize: To communicate with service providers without privacy specific interfaces, i.e. no privacy language, the software interfaces that already exist (e.g. Targeted Advertising or Analytics interfaces, known as APIs), must be repurposed to send and receive data privacy related signals and identities.

The result is seamless communication of privacy instructions for real-time fulfillment across every touchpoint, every consumer interaction and every jurisdiction. This builds and maintains customer trust and fuels value-driven initiatives by getting complete, up-to-date, responsibly-sourced data to sales and marketing, analytics, data science, HR and finance.

We’ve seen how new privacy legislation, like GDPR and CCPA, can raise tricky compliance challenges, and there will surely be additional new laws to come. One of the best ways for a company to respond is to cut complexity and simplify privacy orchestration and coordination so that its system is not overwhelmed by every new policy change. This can be achieved with the help of a common privacy protocol based on next-generation technology that enables granular data control and allows businesses to build programmatic and scalable privacy programs that compliance costs, respect data dignity, and responsibly leverage consumer data for growth.

To learn more about Ketch's innovative approach to privacy and how we can help your business navigate the ever evolving privacy landscape, check out our Privacy Orchestration white-paper here.

Treat People as People with Privacy-centric Identity Resolution

Privacy regulations address ‘Natural Persons’ but online, we’re a collection of fragmented digital identifiers

Businesses must be empowered to overcome the identity problem, that is, to see people for who they are, recognize them when their privacy wishes need to be honored, and do so across every touchpoint and system.

The challenge is that for most people, their online activity is fragmented across a number of digital identifiers, such as email addresses, mobile advertising IDs and browser IDs. 

Privacy regulations address personal data across digital and ‘pseudonymous’ identifiers, but the legal rights belong to citizens, individuals and ‘natural persons’. 

For example, GDPR applies to data on a ‘natural person’, but online, that data is associated with digital IDs – a natural person has the legal rights, but it could be a cookie or other digital ID with the personal data. It greatly benefits businesses to understand the connection between real people, and digital IDs, to know when they are dealing with Jane, and when they are not.  

Harmonizing all the online activity to a ‘natural person’ requires a privacy-positive approach to identity resolution. 

It’s about treating people as people

When Jane expresses a preference in an email form, a mobile app, a website, or a phone, those expressions must be reflected against the person, not an isolated digital identifier. To solve for this, consent provided by Jane on your mobile website or app, could be associated with the responsibly gathered IDs and devices connected to her, ensuring an efficient and optimized privacy experience.

Privacy-first identity resolution is an alternative to the God’s-eye view that utilizes third-party identity assets to reconcile every user -- which, of course, would be terrifying for privacy -- the objective must be to make it as easy as possible for people to express their privacy priorities and then leverage all the identity assets a company has responsibly gathered, without unduly burdening people with too many requests and extra hops and go-do’s.