
Prestige Consumer Healthcare Selects Ketch As Its Programmatic Privacy Vendor of Choice

FOR IMMEDIATE RELEASE

Prestige Consumer Healthcare will leverage Ketch to deliver on global data privacy compliance

SAN FRANCISCO, CA, August 11, 2021 – Prestige Consumer Healthcare (PCH) chooses Ketch to empower their privacy initiatives. Ketch nimbly implements global privacy requirements in real-time.

PCH is a US company that markets and distributes over-the-counter health and personal care products, including Dramamine® and Clear Eyes®. For generations, PCH’s trusted brands have helped consumers care for themselves and their loved ones. It is the company’s mission to preserve consumer trust by continuing to provide products stewarded with consumers’ needs in mind. To this point, trust is one of PCH’s core business values.

PCH wanted to strike the balance of leveraging data for growth while protecting and preserving the ‘data dignity’ of its consumers. To best serve this purpose, PCH chose to leverage Ketch to help deliver the right privacy experience at the right time, while ensuring a stringent standard of consumer trust and data protection. With Ketch’s first-to-market purpose-driven approach, Ketch will deliver on continued global data privacy compliance, allowing PCH to scale its brands for growth that is not sacrificed at the expense of robust global data privacy compliance.

PCH also selected Ketch for its groundbreaking orchestration capabilities. With Ketch, PCH can honor consumer consent and data requests no matter what channel or device its consumers use to interact with PCH brands. Ketch can also tether the firing of tags of services like LinkedIn or Facebook to PCH’s consumers’ consent options, for a seamless and continual consumer opt-out compliance. PCH’s leverage of Ketch’s consent and rights orchestration allows for real-time privacy legal and regulatory compliance while ensuring seamless enforcement of consumer privacy choices across the company’s global internal and external third-party systems, fostering the PCH core business value of trust.

"We're excited to partner with leading, innovative companies like PCH, who embrace people's data privacy, while maintaining the opportunity for data-driven growth – building value while honoring values," commented Jonathan Joseph, Head of Solutions, Ketch.

About Prestige Consumer Healthcare Inc.

Prestige Consumer Healthcare is a leading consumer healthcare products company with sales throughout the U.S. and Canada, Australia, and in certain other international markets. The Company’s diverse portfolio of brands includes Monistat® and Summer’s Eve® women's health products, BC® and Goody's® pain relievers, Clear Eyes® and TheraTears® eye care products, DenTek® specialty oral care products, Dramamine® motion sickness treatments, Fleet® enemas and glycerin suppositories, Chloraseptic® and Luden's® sore throat treatments and drops, Compound W® wart treatments, Little Remedies® pediatric over-the-counter products, Boudreaux’s Butt Paste® diaper rash ointments, Nix® lice treatment, Debrox® earwax remover, Gaviscon® antacid in Canada, and Hydralyte® rehydration products and the Fess® line of nasal and sinus care products in Australia. Visit the Company's website at www.prestigebrands.com.

About Ketch

Ketch is the leading data control company for programmatic privacy and governance. The company was founded in 2020 by data management veterans and serial entrepreneurs who successfully built and scaled enterprise systems for world-leaders like Salesforce and Microsoft. Ketch’s ‘Deploy Once, Comply and Secure Everywhere’™ architecture delivers comprehensive data privacy, governance, and security to organizations seeking to protect data, build trust with consumers, and successfully compete in data-driven markets. Thanks to Ketch’s ability to dynamically adapt to the ever-changing legal landscape, customers can future-proof their businesses while cutting operational and privacy engineering costs by 80%. More information is available at www.ketch.com.


The Privacy Opportunity Blog Post Series: Part 1

Right about now brands are panicking that digital advertising as they know it will come to a screeching halt. Consumers want the big tech companies to stop monitoring their every move and selling their behavioral data to advertisers, and the regulators seem to be on their side.

But we, at Ketch, don’t see the rise of privacy as an existential threat to digital advertising. Rather, we see privacy as an opportunity to demonstrate responsible stewardship of personal data in every interaction across every jurisdiction. This is big. To understand just how important that is, we need to understand the extent to which the consumer’s data dignity has been violated.

Many in the ad-tech industry participated in this violation without realizing the harm inflicted. In the heady days of data-driven marketing, our collective goal was to present relevant ads to consumers, to the benefit of consumers, advertisers and publishers alike.

In hindsight, the ensuing consumer rebellion was inevitable. This blog post series, based on Ketch’s Privacy Primer, looks at:

  • The conditions that led to the privacy rebellion
  • Government, Activists & Litigants: The Web of Players That Shaped Modern Data Privacy 
  • The Gorillas and Privacy
  • The implications of privacy for business, including the core complexities that must be overcome to make data compliance and growth compatible
  • A plan of action to begin solving for those challenges. 

Part 1: Surveillance Capitalism and the Consumer Rebellion

The Internet has always been based on a grand bargain: Advertisers will foot the bill for low-cost content and apps, but they want something valuable in turn, specifically new leads that turn into profitable customers. To deliver on that promise, an entire industry rose up to monitor consumer behavior on an epic scale, segment them on perceived interests and intent, and offer those insights to marketers for a price.

To Shoshana Zuboff, Harvard Business Professor and author of a groundbreaking book, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, this digital ad-tech ecosystem represented a grave threat to privacy and democracy itself. Her book shed light on the extent to which we everyday citizens are surveilled as we engage in activities for strictly social and personal reasons.

How We Got Here

According to Zuboff, surveillance capitalism started with Google and its goal to dominate the search engine market by serving up highly relevant results for every search query. Initially, Google’s intentions were honorable, or at least mutually beneficial. Google wanted its search engine to outperform all others, and to become, well, a verb. For their part, users wanted to see useful search results, meaning sites that offered the exact information they were after. By tracking the links its users clicked at scale, Google was able to predict user behavior (i.e. predict which site a user would visit) and optimize its search results based on those predictions.

But Google quickly realized it was sitting on an asset that could make it a lot of money, namely way more behavioral data than it needed to simply optimize its search results. That excess data, which Zuboff calls “behavioral surplus,” could be used to help advertisers improve their campaign returns for a hefty fee. That’s when the company began mining people data in earnest. It’s also when the egalitarian nature of the relationship ended. Google profited from consumers, but we got very little in return.

Zuboff describes how Google took pains to keep its surveillance empire away from public view, but those of us who worked in digital advertising were well aware of just how pervasive surveillance capitalism had become, even though we didn’t think of it in those terms. We called it data-driven marketing. 

Everybody sold people data. Companies like Experian, eXelate, BlueKai and many others vacuumed up great quantities of it -- financial, behavioral, purchase, demographic, psycho-demographic -- to create an endless array of audience segments for advertisers to purchase. The social media platforms joined in on the game, inviting advertisers to reach users based on hyper-specific criteria, such as interest, educational background, group affiliations and so much more, all while consumers assumed they were simply interacting with friends and family.

The reams of data the tech giants collected on us were mind-bogglingly large. By 2016, Facebook had 98 personal data points on each of its 2.2 billion users. Google collected enough data on an individual in one year that if printed and stacked, it would be taller than the Leaning Tower of Pisa (189 feet). 

For the most part, all of that data was collected without the consumer’s knowledge or consent, but that didn’t matter to the ad-tech industry. It was the age of data and data-driven marketing, and the ad-tech industry had a promise to keep: Enable brands to target the right user, at the right time, with the right message, in the right channel. But there was one “right” we didn’t consider: the consumer’s right to privacy.

Although consumers didn’t quite understand how their data was collected or by whom, the extent of the violation rankled, and they were angry. In 2007, Sean Lane purchased an engagement ring from Overstock, and planned to surprise his girlfriend with it, only Facebook’s Beacon feature jumped the gun, announcing his purchase in his news feed for all his connections to see. He, along with many others, hired attorneys and sued. In 2018, a federal judge approved a $9.5 million settlement against Facebook.

Soon a generation of activists and litigants rose up, and their efforts have literally transformed the privacy landscape, as we will discuss in our next blog series. Can’t wait to read about the web of players that shaped the privacy landscape? Download our free white paper, The Privacy Primer now.

Make Sense of Privacy-Language with a Common Privacy Protocol

Today, there is no lingua franca for privacy. Yet, your customers’ privacy preferences must be respected in the systems of partners, service providers and other third parties that speak a different privacy language than your own, or that lack any language for privacy at all. Many businesses are constantly struggling to send and interpret signals related to privacy, calling to mind the Biblical story of the Tower of Babel, with all of its scattered groups speaking languages unrecognizable to the others.

When senders and receivers of privacy instructions (or, in the parlance of GDPR, controllers and processors) speak different privacy languages, miscommunication and failure to enforce privacy rights can result. Clear cross-system communication and coordination requires a common privacy protocol that translates privacy signals to and from third parties, whatever privacy language they speak. This protocol needs to be programmatic and automated, and should not demand IT’s time and labor for bespoke, manual fixes to ever-arising privacy mapping problems.

Tower of Babel

Most companies today demonstrate a level of privacy maturity or fluency placing them in one of three categories:

  • Privacy Infants: They don’t speak privacy. At Ketch, we’ve observed that over 90 percent of service providers cannot support privacy within their own systems. They lack any privacy language, let alone standards for cross-system coordination. It’s imperative that companies establish a way to translate privacy rules to those at this level in a way that ensures they are respected.
  • Colloquial Teens: They have a privacy language but speak a different dialect from the system sending or receiving the privacy instruction: privacy instructions must be translated.
  • Eloquent Poets: They speak the same language as the system sending/receiving privacy signals, and as a result privacy communication flows unhindered between them. The processor can easily ‘catch’ what the controller pitched. Real-time privacy desires and prescriptions on data use are tightly coordinated and enforced across the data ecosystem.

Digital identifiers -- one major example of the different languages companies speak -- can vary from one company to another: an email address at one; a visitor ID at another; a proprietary identifier at a third. This is getting all the more confusing as the number of digital identifiers proliferates, and the Gorillas, like Apple and Facebook, build ever higher walled gardens.

A consumer’s privacy preferences have to map back to the same living breathing person, not an isolated digital identifier. With businesses speaking different dialects, it’s necessary to parse fragmented digital identifiers and send the one recognized by the partner or service provider for them to honor the request. However, dispatching engineers to develop bespoke mappings every time a new system or regulation comes online wastes time, misapplies IT manpower and is unsustainably costly.

Rosetta Stone

Businesses must re-tool to meet partners’ and service providers’ systems wherever they are on the maturity curve. A common privacy protocol enables businesses to communicate and coordinate with those speaking a different privacy language without the need for manual, bespoke mappings. This is a “Rosetta Stone” for privacy -- a programmatic rulebook for accurately translating signals, enabling the fulfillment of privacy requests across a company’s whole ecosystem.

There are three main elements of the Rosetta Stone, or common privacy protocol, for clear communication and coordination with all types on the privacy-maturity curve.

  • Overlay: Businesses and service providers will agree on a protocol, akin to what HTTP/3 is for the web, a foundation for the exchange of data privacy signals, enabling tightly coordinated communication between entities and applications.
  • Translate: For the few service providers that have privacy APIs but use a different protocol (for example, one system calls it “Behavioral Advertising,” another calls it “Personalization”), privacy terms and identities must be translated to bridge that communication barrier.
  • Materialize: To communicate with service providers without privacy specific interfaces, i.e. no privacy language, the software interfaces that already exist (e.g. Targeted Advertising or Analytics interfaces, known as APIs), must be repurposed to send and receive data privacy related signals and identities.

The result is seamless communication of privacy instructions for real-time fulfillment across every touchpoint, every consumer interaction and every jurisdiction. This builds and maintains customer trust and fuels value-driven initiatives by getting complete, up-to-date, responsibly-sourced data to sales and marketing, analytics, data science, HR and finance.
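
The three elements above, shown as an added Python example (not part of the original post, and not Ketch's code or API). Provider names, field names, the canonical purpose names and the suppression-list action are hypothetical; the sample data is constructed, and a purpose absent from a signal is assumed to be not permitted.

```python
from dataclasses import dataclass, field


@dataclass
class ConsentSignal:
    """One person's choices, carried with every identifier known for them."""
    identities: dict   # identifier type -> value, all for the same person
    purposes: dict     # canonical purpose -> True (permitted) / False (opted out)


@dataclass
class Provider:
    name: str
    mode: str          # "native" (overlay), "translate" or "materialize"
    id_type: str       # the one identifier type this provider recognizes
    purpose_map: dict = field(default_factory=dict)   # canonical -> provider term
    suppress_for: set = field(default_factory=set)    # purposes this provider performs


def build_instruction(signal, provider):
    """Turn one canonical signal into the instruction one provider can act on."""
    ident = signal.identities.get(provider.id_type)
    if ident is None:
        # The person cannot be addressed in this system. Do not guess an
        # identifier; report the gap so the request is not silently dropped.
        return {"provider": provider.name, "status": "unresolved_identity",
                "needs": provider.id_type}

    out = {"provider": provider.name, "status": "ok",
           "identifier": {provider.id_type: ident}}

    if provider.mode == "native":
        # Overlay: both sides share the protocol, so purposes pass unchanged.
        out["purposes"] = dict(signal.purposes)
    elif provider.mode == "translate":
        translated, unmapped = {}, []
        for purpose, allowed in signal.purposes.items():
            term = provider.purpose_map.get(purpose)
            if term is None:
                if not allowed:
                    unmapped.append(purpose)   # an opt-out with no counterpart
                continue
            # Two canonical purposes may share one provider term: any opt-out wins.
            translated[term] = translated.get(term, True) and allowed
        out["purposes"] = translated
        if unmapped:
            out["status"] = "needs_review"
            out["unmapped_opt_outs"] = sorted(unmapped)
    elif provider.mode == "materialize":
        # No privacy interface: express the choice through an interface that
        # already exists, here a hypothetical audience suppression list.
        denied = sorted(p for p in provider.suppress_for
                        if signal.purposes.get(p) is not True)
        out["action"] = ("add_to_suppression_list" if denied
                         else "remove_from_suppression_list")
        out["because"] = denied
    else:
        raise ValueError(f"unknown provider mode: {provider.mode}")
    return out


def route(signal, providers):
    """Fan one signal out to every provider."""
    return [build_instruction(signal, p) for p in providers]


# Constructed sample data.
SAMPLE_SIGNAL = ConsentSignal(
    identities={"email": "pat@example.com", "visitor_id": "v-1029"},
    purposes={"behavioral_advertising": False, "analytics": True,
              "personalization": True},
)
SAMPLE_PROVIDERS = [
    Provider("crm", "native", "email"),
    Provider("adnet", "translate", "visitor_id",
             purpose_map={"behavioral_advertising": "Personalization",
                          "personalization": "Personalization",
                          "analytics": "Measurement"}),
    Provider("emailtool", "materialize", "email",
             suppress_for={"behavioral_advertising"}),
    Provider("dsp", "translate", "device_id",
             purpose_map={"analytics": "Measurement"}),
    Provider("survey", "translate", "email",
             purpose_map={"analytics": "Stats"}),
]

if __name__ == "__main__":
    for instruction in route(SAMPLE_SIGNAL, SAMPLE_PROVIDERS):
        print(instruction)
```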

We’ve seen how new privacy legislation, like GDPR and CCPA, can raise tricky compliance challenges, and there will surely be additional new laws to come. One of the best ways for a company to respond is to cut complexity and simplify privacy orchestration and coordination so that its system is not overwhelmed by every new policy change. This can be achieved with the help of a common privacy protocol based on next-generation technology that enables granular data control and allows businesses to build programmatic and scalable privacy programs that reduce compliance costs, respect data dignity, and responsibly leverage consumer data for growth.

To learn more about Ketch's innovative approach to privacy and how we can help your business navigate the ever evolving privacy landscape, check out our Privacy Orchestration white-paper here.

Privacy is a Team Sport: Successful Privacy Initiatives Require Meaningful Cross-Functional Collaboration

Privacy is a team sport requiring all hands -- marketing, legal, IT and HR -- on deck. It is not hard to see why. Adapting to the new privacy landscape -- with its complex new (and ever-changing) laws and consumers’ conflicting desires for both increased privacy and personalization -- requires a company-wide push. But successful collaboration to support a comprehensive privacy compliance program requires stakeholders to coordinate as a team. 

It is not productive when stakeholders do not share a common understanding of purpose and the tools to achieve that purpose. This misalignment can result in endless meetings, with compliance achieved slowly, at great cost, and easily undone by legal or policy changes. Ensuring that stakeholders clearly understand the privacy objectives, and the business and technical support necessary to achieve those objectives, removes friction and fosters high-level collaboration resulting not only in legal compliance but a competitive advantage through greater insights derived from responsibly-leveraged data. In this article, we’ll explain how to form a collaborative, value-driven privacy program and best practices to avoid the frustrating technical challenges too many companies struggle with today. 

First, realize that while diligent and highly aware legal policy owners are vital, successful engagements involve multiple stakeholders across the organization. Each department brings particular knowledge to support a proactive privacy posture.

Responsibilities and contributions of each department include:

Legal

  • Defining regulatory positioning and legal bases; balancing compliance and growth objectives while mitigating risks
  • Tracking and responding to ever changing privacy regimes (which can feel like a game of whack-a-mole) 
  • Drafting disclosures and notices (while maintaining brand integrity/on-brand voice) 

Marketing

  • Influencing user experience 
  • Utilizing data from and for the consumer 
  • Expressing brand values; building trust and conveying transparency 

The marketing department is a translator between legal and the consumer. Privacy notices, disclosures and preference centers impact user experience and typically occur early in the buyer journey -- upon first visit to a website, for example. Their language, style and timing affect brand perception -- this is especially true where trust and transparency are core brand values. Marketing tunes these messages and builds them into a company’s branding to convey to consumers, with minimal interruption, that it respects their right to privacy. 

IT 

Privacy programs and policies aren’t documents that just sit on a shelf. Their purpose is to ensure consumer consent and rights are respected, and this requires orchestration across internal and external third-party data systems. Some of IT’s responsibilities include implementing technology that honors the promises made in privacy notices and consumer consent disclosures, as well as adapting website and mobile infrastructure to collect and process data in a compliant manner. Data monetization and data privacy are increasingly necessitating IT input as part of the overall collaborative effort with legal, marketing and business departments. The result: alignment between compliance and growth.

IT contributions typically include:

  • Handling systems complexity & managing consent across all systems 
  • Implementing changes based on new policies without breaking privacy architecture
  • Ensuring consumer privacy choices are respected across third-party systems
  • Managing cost; IT plays a significant role in reducing the cost of compliance by, for example, implementing programmatic versus manual approaches to rights fulfillment/consent orchestration, conserving time and labor resources

Human Resources

With the passage of the California Privacy Rights Act (CPRA), starting January 1, 2023, the CCPA employer exemption expires, granting employees in California the same rights that consumers have enjoyed since CCPA passed. This means businesses will need to have systems in place to:

  • Notify employees of their expanded rights
  • Fulfill employees’ access or deletion requests
  • Harmonize privacy rights with employment requirements

In addition, CPRA provides new rights to both consumers and employees, namely rights to correct personal information and to data minimization and retention limitations. California has been at the forefront of data privacy legislation in the US; others (Virginia, Colorado) have followed suit, and more will undoubtedly follow.

True operationalization of privacy, not just the Hollywood facade, requires buy-in from all departments. Stakeholder collaboration, however, can become stymied without a clear understanding of the necessary legal, compliance, and technical requirements to fulfill the desired objectives. 

Using first-generation technologies for privacy compliance, which rely largely on manual and process-driven efforts, and which lack interoperability, triggers a repetitive cycle of small tech fixes to broad enterprise needs with every small business or legal change. Sophisticated, productive collaboration depends on unified technology that adapts easily to change, and is easy to understand, use and deploy by all relevant stakeholders. Programmatic privacy compliance that accounts for these needs is vital to competing in today’s market.

5 Key Features Every Privacy Solution Needs

Don’t accept privacy tech that fails to deliver in these key areas.

Whether you’re reviewing your existing data-privacy toolkit or actively shopping for a new solution, it’s important to have a clear idea of the core features that you’ll need to meet current and future challenges. Many data privacy solutions only encompass a subset of these features, so it’s important to have a clear must-have feature list as you seek out a solution to keep your organization’s data safe and compliant. 

Let’s take a look at five key capabilities that should come fitted as standard when you adopt a new consent management and data rights solution.

1. Managing data flows. 

The ability to manage the way data flows through your organization, and ensure compliance with users’ wishes and regulatory requirements, is the most basic and most important role of any data privacy solution. Without this core functionality, there’s simply no way to ensure compliance or implement your team’s internal data policies. 

The key here is to seek out solutions that integrate seamlessly into your organization’s workflows and dataflows. A solution that ensures regulatory compliance but cripples your team’s ability to leverage data to deliver functionality is worse than no solution at all. You need a solution that allows you to extract value from data, in whatever way is most important to your organization, while still rigorously adhering to your customers’ expectations and your regulatory obligations.

2. Handling regulatory complexity. 

The regulatory landscape isn’t getting any simpler, and organizations need tools that can make sense of the patchwork of rules and statutes that affect their business. This requires the ability to navigate multiple regulatory regimes simultaneously, without conflict or redundancy, and to enforce data privacy effectively even as data flows between jurisdictions. If you’re doing business in the European Union, you’ll face very different challenges and requirements than if you’re operating in California — and you need a system that can seamlessly handle both situations.

You may also find your regulatory obligations change as your business model evolves, the rules get rewritten, or you move into new markets. You need a data privacy toolkit that’s flexible enough to adapt to your changing needs, granular enough to be localized depending on the markets you’re selling into, and comprehensive enough to apply the right regulations in the right way and at the right time, with zero margin for error.

3. Delivering on-brand experiences. 

When you’re poring over privacy statutes, it’s easy to forget that privacy isn’t just about keeping regulators happy — it’s also something your customers experience every time they use your product. That means you’ll need a solution that can deliver on-brand experiences for your customers as frictionlessly as possible. If a given solution can only spit out boilerplate privacy notifications delivered in a generic format, your customers will resent the intrusion into their experience of your website or product.

The solution? Demand software that empowers you to customize the user experience, and make more mindful decisions about the specific language that’s used, the way notifications are styled, and how they integrate into the end-user’s experience of your website or service. Your marketers will relish the ability to create messages in your brand’s unique voice, and you’ll find it far easier to create a trusting and hassle-free experience for your customers or audiences.

4. Ensuring privacy everywhere.

It isn’t enough to provide effective data privacy when users visit your main webpage. You also need to make sure their data is handled appropriately when they use mobile apps or other access-points — and also potentially when using internal data systems to manage employees’ information. You need a solution that can orchestrate consent and data subject requests across all those touchpoints, as seamlessly and automatically as possible. 

This is especially important when orchestrating data requests and consent signals beyond the confines of your own organization. External partners who access your data need to honor those signals, but many data-privacy tools require coordination to be handled manually, or fire off form emails to notify partners of their obligations. That creates room for human error, so seek out a solution that can rapidly propagate consent changes and data requests across your whole ecosystem, with built-in verification processes and little or no human involvement.

5. Keeping everyone happy. 

Data privacy is a perennial source of tension between legal and IT teams. It’s easy to see why: your legal experts need to be able to set policies for your whole organization, without fretting about technical implementation, and your IT teams need to be able to update code or make changes to data infrastructure without worrying about legal issues.

To smooth things out, it’s important to find a solution that lets you issue regulatory interpretations without rebuilding data tools, and also lets you rebuild data systems and overwrite blocks of code without impacting the flow of consent signals through your business. Many solutions are designed to serve either IT or legal teams, but to avoid expensive headaches down the road it’s worth seeking out a solution that can keep everyone happy. 


Different solutions will aim to address many of these capabilities in different ways and to different degrees, but the reality is that all five of these are core capabilities for any data privacy solution. If you find yourself questioning whether a given technology can tick all these boxes, it’s a sign that you should move on and look for other options.

Once you’ve put together a shortlist of data privacy solutions that can succeed in these five key areas, you’ll need to give further thought to your own specific use-cases and needs, and start to assign weight to other factors. If you’re on a tight budget, then cost might be a critical differentiator for you. In other cases, you might feel that cost is less of an issue, but that best-in-breed data security and compliance are key priorities. By figuring out which features are must-haves, and ranking your remaining requirements by order of priority, you’ll begin to see which solutions are real contenders. 

At Ketch, we’re committed to delivering the must-have functionality our customers need to effectively manage data privacy. We’re confident that our solutions can hold their own against anything else that’s on the market. But don’t take our word for it. Think about your priorities, take a careful look at our rivals’ offerings — then give us a chance to show you why we’re the right solution for your organization.

8 Awkward Questions to Ask your Privacy & Compliance Vendor

Demand clear answers to find a privacy solution that meets your needs

Every data-privacy vendor claims their software is the best on the market — but you can’t simply take a vendor’s claims at face value. Instead, you need to spend time talking to them, and digging through the details of their technology and their approach to data privacy.  

This process can feel a bit like speed-dating: the stakes are high, but you’ve got limited time in which to figure out whether a given vendor is a good match. To maximize your chance of success, it helps to formulate a short, incisive list of questions designed to elicit the information you need to make a smart decision. 

What questions should you ask, exactly? That depends on your specific needs. Still, there are a few key questions that every vendor should be able to answer to your satisfaction:

1. How do you handle web infrastructure like tags and cookies?

It’s all too common, especially in Europe: marketing service providers and other third parties gather data from your website before you’ve had a chance to confirm consent from visitors. Figuring out this kind of web infrastructure can be a real headache if your privacy management system doesn’t provide turnkey tools to ensure tags and cookies don’t fire until consent is captured.

The best data privacy solutions integrate with your tag manager to delay data collection until after consent is confirmed. Look for a simple, straightforward system that automates this process to ensure compliance, but still leaves you in control of your web infrastructure.

2. How do you manage consent orchestration and synchronization? 

Consent and data request signals aren’t worth much unless they rapidly propagate across your whole data ecosystem, including outside partners using your data. Make sure you understand exactly how a vendor synchronizes consent signals, and how they cope with complex scenarios such as internal cloud systems or service providers that lack privacy APIs. 

The best solutions offer robust, fully automated consent orchestration. At Ketch, for instance, we offer a drag-and-drop marketplace of service providers, workflow tools, and privacy materialization for service providers without privacy APIs.

3. Do you automate Data Subject Rights requests?

When you receive a rights request, you need to be able to honor it swiftly — even if it means changing permissions or deleting data in a service partner’s system. Few solutions genuinely automate this process: most supposedly automated systems merely supply workflow tools or send form emails, leaving you to manually verify compliance.

The best vendors go further by docking with service providers’ systems to deliver fully automated DSR execution. Such solutions guarantee not just that requests are passed on, but that they are acted upon, reducing costs and eliminating the potential for human error. 

4. What happens if the rulebook changes?

To cope with new regulations, you need a solution that lets you easily apply new policies and refine interpretations. Many data privacy platforms struggle with this, requiring users to pay extra for new jurisdictions or regulatory modules, or to enable full customization of policy interpretations.

At Ketch, we believe software should cover every privacy regulation on the planet by default, with no hidden costs or feature creep. Whether you’re moving into new markets, changing the legal basis for using data, or rethinking the way regulations apply to your business, you should be able to rely on your data privacy solution to give you the functionality you need.

5. Can you customize privacy experiences?

You wouldn’t let someone else dictate your marketing materials or website copy, and you shouldn’t surrender control of your privacy messaging either. Surprisingly, many platforms block you from changing the wording, styling, and timing of privacy notifications, or force you to jump through hoops and deal with support desks or tech teams to implement changes.

The best platforms keep you fully in control of your messaging, with built-in content management tools for creating and polishing privacy notifications. Look for solutions that also allow you to optimize delivery timing and share messages when they’re most needed, without interrupting the user experience. 

6. Is your system cookie-based?

It’s disheartening that you need to ask this question in 2021, but many vendors’ offerings focus more on keeping up appearances than on delivering rich consent management solutions. Far too many still rely on privacy banners and cookie-based consent choices designed for site functionality rather than regulatory compliance.

Cookie-based solutions can’t deliver the full-spectrum consent and privacy toolkit you need. Instead, seek out comprehensive solutions that enable fully compliant privacy experiences, and effectively manage data across your entire ecosystem.

7. Does your solution support identity management?

We’re all individuals, but most privacy solutions still manage privacy on a per-device basis. That subjects people to the same consent requests again and again as they switch from smartphone to iPad to laptop, leading to a choppy user experience and complicating orchestration with downstream service providers who use their own digital IDs. 

The best solutions use identity infrastructure to manage consent on a person-by-person basis. Done right, this approach delivers a seamless, personalized, and fully orchestrated approach no matter which device a person uses. 

8. Does your solution go beyond consent management?

Most data-privacy solutions focus on consent management, but consent is just one of the legal bases for collecting and processing data. It’s important to use solutions that are basis-agnostic, and give you the freedom to make the right decisions for your organization.

The best solutions also allow you to capture the specific purpose for which data can be used, allowing granular consent and privacy management. A user should be able to consent to having their data used for personalization but not for analytics, for instance, and your data privacy solution should be able to enforce their choice across your ecosystem.

Trust your instincts 

These questions aren’t easy to answer, and that’s deliberate — you can learn a lot from the way sales teams respond. Trust your instincts: if you sense that a vendor is dodging questions or refusing to give a straight answer, that’s a clear red flag.

The ideal vendor will show a deep understanding of the sector, and will be curious about the specific challenges you’re facing. They’ll also explain clearly how they can help deliver the functionality you need — and they’ll be frank and forthright in acknowledging any areas where their solution might not be right for you.

At Ketch, we take pride in our products, and we’re looking forward to finding out about your business. So get in touch — we’re ready to answer any questions you want to throw our way. For even more guidance while shopping for a CMP, check out our buyer’s guide here.

How to Shop for a Data Privacy Solution

Look for simplicity and elegance, not jargon and needless complexity. 

Data privacy doesn’t come cheap. Spending on data-privacy solutions at both small and large enterprises doubled in 2020, according to Cisco’s latest Benchmark Study, with organizations spending an average of $2.4 million to manage data-privacy issues.

The good news is that many organizations get excellent value for money: more than two-thirds of businesses say they get significant benefits from their data-privacy tools, and 35% of the 4,700 industry leaders polled by Cisco said their data-privacy solutions generated ROI equivalent to at least double their investment. 

On the other hand, not everyone’s happy: about a third of businesses didn’t get significant benefits from their tools, and 15% said they didn’t get enough ROI to justify the millions they’d spent building out their data-privacy infrastructure.

Clearly, when you’re spending serious money on data privacy, you need to do everything you can to maximize the return you get on your investment. So how can you optimize your procurement process to ensure you’re getting value for money?

1. Know what you’re using.

It’s always better to shop for software by weighing the product you’re eying against a specific alternative. If you’re already using a data-privacy solution, make sure you understand exactly how it works, and what its strengths and limitations are, so you can see where a new option succeeds or falls short.

Perhaps you’re using a cheap but inflexible cookie-based consent system, or perhaps you’ve adopted a third-party solution with its own strengths and limitations. Make sure you understand the way your current system addresses your specific use-case, and pay close attention to how well it copes with any new pain-points that may have emerged as your business has grown and regulations have evolved.

2. Know what you need.

The key to getting positive ROI from your data privacy solution is to keep its core functionality front-of-mind while you’re shopping. No matter how many bells and whistles a particular platform offers, its core task is to ensure you and your partners only use data in legal ways that align with your users’ expressed preferences. A tool that falls short on that basic metric won’t deliver positive ROI, no matter how many other features it has.

Once you’ve found a shortlist of solutions that meet your basic needs, start thinking about additional features that add value for your specific use-case. If a feature sounds cool but you can’t immediately see how you’d use it, it might not add much value for your team. That said, it’s also important to think about your future needs — a solution that offers flexible, futureproof functionality is likely to deliver ROI as your business grows.

3. Research the alternatives.

When doing due diligence, it’s important to look beyond the marketing materials provided by a software vendor, which are always going to show their product in the best possible light. User reviews on sites such as G2 offer unvarnished insights into how products perform in the real world, but bear in mind that while individual users know how their own solution works, they may not have experience using competing products. To get a broader perspective, it’s also useful to look for expert opinions, such as analysts’ briefings and market reports. 

Personal connections are also valuable as you’re shopping for software. Crack open your Rolodex and phone friends and colleagues who understand your company and your needs, or try quizzing your LinkedIn or Twitter followers to get product recommendations and warts-and-all stories about their company’s data-privacy solutions.

4. Avoid complexity.

When you’re trawling through jargon-filled corporate websites, it’s easy to start to feel overwhelmed. Many vendors serve up long laundry lists of features using highly technical language, and it’s tempting to simply assume that the companies with the longest and most complicated lists of features are offering a better product. That’s a mistake: instead of getting seduced by complexity, make sure you stay focused on the subset of features that add real value for your organization.

After all, while it’s true that ensuring data privacy can be a complex process, the solution you deploy needs to be elegant and effortless to use if it’s going to add lasting value for your organization. As with any other technology, the best data privacy tools are transparent and easy to understand, and don’t require you to dig through endless configuration tools and expensive optional add-ons in order to get the functionality you need. Simplicity, not complexity, is the key to generating real ROI.  

5. Remember who’s in charge.

Buying software can feel a bit like buying a car — the salesperson is going to do everything they can to get you to sign on the line, and it’s easy to forget that you’re the one who’s really in the driving seat. Don’t let your vendor obfuscate or hide behind jargon, and don’t let yourself get locked into an approach that isn’t right for you. Make sure you ask the questions you need to — and get answers to them! — in order to ensure you’re getting the right solution for your organization’s needs. 

The bottom line: you’re paying real money, and you deserve to get good value. If the vendor you’re working with can’t provide the solutions you need, then there are plenty of other options on the market that will deliver better value for your company.

It would be wonderful if you could buy enterprise software as easily and confidently as downloading a smartphone app. The reality, though, is that when it comes to data privacy the stakes are high, the problems are complex, and the solutions are both more expensive and more technologically advanced. That means there’s no alternative to doing careful due diligence, and putting in the time and effort required to ensure you’re picking a solution that will truly work for your organization.

At Ketch, we know just how much of a headache buying enterprise software can be — and we believe software buyers should never feel confused or out of their depth while making important decisions. That’s why we’ve got a team of dedicated specialists on hand who’ll discuss your needs, demo our data-privacy solutions, and make sure you’re able to make this important decision with absolute confidence. So get in touch today, and tell us about the problems you’re trying to solve. 

Systemic Embrace: The Coexistence of Data Dignity, Compliance and Growth

In the often dizzying and confusing arena of data privacy, a new normal is rapidly unfolding, a paradigm that elevates data rights and data dignity. Characterized by a wave of new regulations and competing imperatives, the complexity of this new paradigm can overwhelm and paralyze business leaders searching for the ideal and responsible path forward. 


Many believe they face an impossible Sophie’s Choice: Dismiss privacy requirements and use personal data to grow -- or comply and stagnate. 

They are wrong.

There are leaders who understand the opportunity inherent in respecting data privacy and data dignity and they grasp that it’s possible to build value while honoring values.

Steve Jobs was leading the way in 2010:

“I believe people are smart and some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you're going to do with their data.”

Effective solutions that respect and protect data privacy build trust with consumers. It begins with responsible stewardship of data and abides by Steve Jobs’ admonition to ask customers about data uses and to keep asking about their needs, wants, and priorities.

Most of all, it puts customer prescriptions and desires around the allowable use of data into action. Doing so builds trust, and building trust fuels privacy-compliant data stores -- the precondition for successful operations and AI.

Leaders like Microsoft CEO, Satya Nadella, are doubling down on the idea of data dignity as an extension to data privacy.

At the 2020 World Economic Forum, Nadella declared that data privacy at an individual level needs to be thought of as a human right and called for further work on the concept of “data dignity”:

“It’s not just ‘privacy’ and ‘oh, I give away my data’. I should be able to control in a much more fine-grained way how my data is being used to create utility for me and the world and the causes I care about”

When it comes to managing the interplay between the promise of data and the imperative for privacy, companies fall into four basic states: resigned surrender, wishful denial, ruinous inertia, or systemic embrace. 

Ruinous inertia: These companies don’t pursue data-driven initiatives or invest in their enabling tools and processes, yet also fail to comply with basic privacy regulations governing their interactions with employees, partners, and consumers.

Resigned surrender: These companies have resolved that the risks of non-compliance are existential and therefore too perilous to ignore, and on that basis have opted to suppress their collection and usage of data across multiple channels and platforms (particularly digital marketing initiatives that depend on consumer data). 

Wishful denial: These are companies who take liberties with data and blast full steam ahead with the quiet recognition that they’re non-compliant with regulations they know pertain to them. They are either in denial about the risks, or in denial that their non-compliance could ever be discovered or significantly damage their business. 

Systemic embrace: These companies recognize the risks of non-compliance, the opportunities that come from cultivating privacy and greater trust with stakeholders, and the strategic imperative to participate fully in the data and AI revolution. They reject Sophie’s Choice and are committed to the systemic pursuit of compliance and growth.

Systemic Embrace is the path to peaceful -- and profitable -- coexistence of data dignity, compliance and growth. It recognizes the rising urgency of data privacy and the enduring premise of data-driven growth.

To learn more about how businesses are responding to the complexity of privacy, check out the Ketch Privacy Primer Part 2 here.

Can Orchestrating Privacy Data Subject Requests be Automated?

The complex, time-consuming, and downright annoying process of exporting, erasing, or rectifying personal data to respond to valid data subject requests sanctioned under data privacy regulations like GDPR and CCPA likely has you wondering if there’s a better way. You’re not alone if you’re considering a ticketing-based solution touting the ability to automate this process. But can orchestrating data requests from customers be automated?

Personal data exists in multiple formats across multiple in-house, cloud-based, and third-party systems. It can be an email in one system, a rewards number in another, or a cookie in yet another. Before a data subject request can even be fulfilled, much less automated, you need to find the data. Easier said than done. Consider a request based on email address. If that’s not the system identifier, you need to either gather more information from the now-frustrated customer or delve into the system to try and determine the data format. That’s not always possible with systems that hold only obscure device identifiers or cookies. And by law, you can’t claim you don’t have the data just because you don’t have the identifier. Without this information, compliance is at risk and automation is not possible.

Even when the data is located, fulfilling the request requires knowing all the steps within the workflow of each system. For external systems, this could be sending an email or going through the user interface to generate the request. For internal systems, it means identifying the responsible system owner and operator. This is all compounded by the fact that you still need to determine if the request was even received and fulfilled—for every system.

Since the definition of personal data is broad, and it can reside in several linked systems and subsystems, the question also often remains whether the scope of all the data was even dealt with. You might think a data subject request only requires you to delete the customer table containing names, email addresses and account information. But if that customer’s data exists in other locations and formats like purchasing or browser history, you’re only in compliance if ALL the appropriate data is deleted. That also means you need to know what data is exempt and must be maintained for contractual, legal, or auditing purposes.

Considering the complexity of it all, don’t be fooled by ticketing-based systems that have you thinking the actual work of fulfilling data subject requests will be automated. Sure, these systems may automate the creation of a ticket, an email response to the customer acknowledging the request, or the due date required by a specific regulation. They may even help you manage HOW to fulfill requests, once you’ve determined and set up all systems, identifiers and workflow requirements. But ticketing-based systems are simply not capable of automating orchestration.

So the question remains—can orchestrating data subject requests even be automated or is that just pie in the sky? That’s where Ketch comes in.

Using technology rather than process, Ketch is working to solve the barriers of automation by invoking tools like open-source APIs, syntax command templates, and system integration in conjunction with a central control system that lets you automatically record, track, and respond to data subject requests. When it comes to privacy data compliance, our goal is to make data systems work so you don’t have to.

Stop Worrying About Regulations

For global businesses, the data-privacy rulebook isn’t getting any shorter. The GDPR and the CCPA are just the tip of the iceberg; over 80 countries have passed or strengthened data privacy laws. Industry-specific regulations such as HIPAA and FERPA further complicate matters, while COVID-19 contact tracing will open a whole new Pandora’s box of regulatory complexities. With China and India also joining the party, the regulatory landscape will only grow more tangled in coming months.

There’s no way to avoid all those rules and regulations. Data, not oil, is the fuel powering our economy, and we’re using more of it than ever. New innovations such as AI and IoT constantly add to the torrents of data inundating businesses: a single smart-car produces 300 terabytes of data a year; by 2025 the world will generate a colossal 175 zettabytes of data a year. Companies can no more opt out of using data than a fish can opt out of the ocean.

But managing all that data while simultaneously complying with a constantly changing and growing body of regulations is a major challenge, one most companies aren’t equipped to handle. Firms typically respond to new regulations by patching their data management tools to ensure data is handled correctly, but taking an iterative, point-solution approach while navigating the expanding global regulatory morass is like playing Whac-A-Mole — except that the field is growing, the moles are proliferating, and you have only a single mallet. No matter how fast you hammer, you’ll never be able to keep up.

That’s the bad news. But there’s good news, too. While the challenges are real, there’s also a real and practical solution that can help businesses to stay compliant amidst a sprawling and ever-changing regulatory landscape. And paradoxically, the best way to stop the bleeding and stabilize the patient is to stop worrying so much about regulations.

Put Data First

Obviously, you can’t ensure compliance without paying attention to regulations. But that doesn’t mean everyone in your organization should be constantly fretting about how regulations affect them.

Under the current paradigm, when a new regulation is enacted, businesses have to gather together everyone — business leaders, legal experts, developers, and so forth — to hammer out a fix. That’s fine when you’re dealing with modest amounts of data and a circumscribed body of regulations. But when you’re dealing with rapidly changing data and regulations on a global scale, it simply isn’t sustainable. All too soon, you’re left with a patchwork of point solutions — complex, brittle, failure-prone, and impossibly expensive to maintain.

This Rube Goldberg approach to regulatory compliance also takes up huge amounts of time and energy, driving up costs and distracting your legal, business, and technical teams from more important matters. It also stifles innovation and slows product development as engineers shelve other projects to bolt yet another set of unscalable compliance solutions onto an already struggling tech stack. And it forces legal and business stakeholders to second-guess what’s technologically possible, and engineers to parse the nuances of statutes and regulations as they struggle to ensure their code is compliant.

What’s really needed is a more efficient approach: not an all-hands effort to rebuild your data management system each time a new regulation comes along, but rather a mediating layer between legal and business experts, on the one hand, and developers and engineers on the other.

Instead of treating compliance as a regulatory problem, treat it as a data-processing problem — and build a data-tech stack that’s capable of natively supporting any new regulations, and applying changes seamlessly across your entire data-set without requiring legal folks to understand code, or developers to understand the fine points of privacy statutes.

A Scalable Solution

That’s where Ketch comes in. Our platform decouples your data handling and compliance processes by establishing a central control system that lets you update data governance protocols without ever touching the code driving your data-handling tools.

By separating these functions, we free legal and business teams to focus on articulating a data governance worldview that’s aligned to the latest regulatory requirements, and to consumer needs and rights, without worrying about execution. On the tech side, developers can integrate data-handling systems with the data governance module once and once only, and never worry about compliance again.

Sound too good to be true? Here’s how it works:

First, using our simple but feature-rich Regulatory Harmonization tools, legal and business folks develop policies setting out what’s allowed and what’s not. Imagine TurboTax, but for privacy regulations instead of the tax code: a simple, slick dashboard that requires no technical expertise, but lets you draw on Ketch’s experience and templates, plus your own industry knowledge, to create a customized rulebook that determines precisely how your company can handle data.

At this point, the legal and business team’s work is done, but Ketch is just getting started. Based on the policies you’ve defined, we automatically generate permits — a kind of smart contract that sets out the precise rights and obligations of every user or piece of data in your system. Enforced through high-end encryption, the permits make it literally impossible for data to be used incorrectly, much as DRM makes it impossible for IP assets to be improperly shared.

Finally, we assign each piece of data a unique identifier, a bit like the barcode that identifies every can on a supermarket shelf. That’s important because it’s the only piece of our system that developers need to worry about: using a simple API, developers can use that identifier to check whether a specific action is permissible for a given piece of data. They never have to interpret the rules themselves — they just ask the question, and get a straightforward answer.

The power of that approach should be obvious. If a new law is passed, or an old one changes, the only people who have to worry about it are your legal and business team. They can implement the new policies, and know that their changes will propagate instantly across the company’s entire data infrastructure. And because compliance is handled centrally, your codebase never changes or needs revising — while the permitted actions for any given user or bit of data might change, the infrastructure itself remains the same.

The result: a top-to-bottom governance system that ensures future-proof compliance without forcing you to rewire your data infrastructure. Policy changes propagate through your system automatically, even extending downstream into middleware, or to partners and consumers who access or use your data. And because you’re no longer working with a patchwork of point solutions and custom fixes, the entire network is more secure, more efficient, and easier to maintain.

Deploy Once, Secure & Comply Everywhere™

For too long, digital enterprises have been running to stand still when it comes to data compliance. It’s time to get off the treadmill, and find a new, genuinely scalable approach that treats data compliance first and foremost as a data-processing problem.

Ketch is that solution. Just as Stripe revolutionized online payments with an API approach, so we’re turning data compliance into a solvable problem. No matter how quickly regulations change or how fast your business grows, you’ll never have to waste time rewiring your data management tools — you’ll just update your data policies, and get back to serving your customers.

Global regulators aren’t about to stop passing privacy laws, but you don’t have to let your company get swept away by the deluge. If you’re ready to stop playing catch-up, get in touch today, and let Ketch change the way you think about compliance.