On persona graphs, privacy, and responsibility

By Guy Flechter

Back in 2017, Cisco estimated that the average consumer in North America had 8 different connected devices.

This number may sound high at first, but just think about it for a minute: this includes mobile phones, tablets, laptops, smart watches, smart TVs, virtual home assistants, and the whole world of IoT. It is expected that this number will grow to 13 devices by 2022.

While consumers have been enjoying the benefits of hyper-connectivity, marketers have been struggling with this new reality. When a single user has multiple devices and uses multiple platforms, the user’s identity is fragmented and siloed across them. Brands are left with only partial visibility into the user and his journey, making it far more challenging to create precise, targeted brand messaging along the funnel.

In an attempt to solve this, marketers are faced with two options: creating broad, repetitive messaging to cast as wide a net as possible; or employing a cross-device, cross-platform attribution solution that can connect the dots to reveal a single user behind them and their conversion journey. 

While there’s really no question that the second option – a people-based attribution solution – is the better one, this isn’t the end of the story. It’s not a beautiful golden-brick road all the way to personalized, well-timed messaging from here on out.

The reason for this is that the technology lying underneath some of these solutions can be a privacy nightmare.


The state of measurement, privacy, and compliance


I’ll show you mine if you show me yours

Cross-device, cross-platform, cross-channel attribution technology is not an easy puzzle to solve.

There’s a reason why there are very few providers on the market offering this. You might think that the biggest challenge is threading together the fragmented data pieces to create an accurate picture of the user behind them. Accuracy is crucial for people-based attribution, sure, but the true challenge here is reaching this accuracy without stomping all over user privacy.  

There’s an easy way out: pool the data. The more data at hand, the easier it is to connect the dots.

If Brand A has one piece of data about a user, Brand B has another piece of data about the same user, and Brand C can help complete the picture of the user identity, one can just grab all these data points from three different brands and connect them. In return for their data contribution, Brands A, B and C get full visibility into the completed puzzle, essentially giving them access to insights based on each other’s data. 

Some companies do exactly that: create a shared persona graph, where data is tied together across brands to create a clearer image of the people behind the devices.

By pooling the data together from their entire customer base, they can use John’s data to answer Mary’s questions. 

The temptation is clear and the benefits are obvious; this data crowdsourcing approach undoubtedly produces accurate identities and an accurate attribution funnel. The process of pooling and sharing data as described above, however, is invasive and presents significant privacy challenges, especially in meeting the requirements of the GDPR and other global data protection regulations.

If it walks like a duck, quacks like a duck…

In the GDPR realm of data privacy roles, there are two very different entities: data controllers and data processors.

In short, the data controller determines the purposes and the means by which personal data is processed. A company collecting and processing personal data is considered a data controller. A data processor, on the other hand, processes data on behalf of the controller.

The CCPA has similar roles, where data controllers are referred to as “businesses” and data processors are “service providers”. In both cases, one party determines how data is collected and carries out the collection process, whereas the other party is only entitled to process or analyze the collected data.

In the realm of digital marketing, the brands are effectively data controllers (or businesses), in the sense that they are gathering data across their digital properties. Their attribution solution, a third-party data processing solution, should be just that — a data processor.

Brands paying an attribution provider to pool their data into a shared persona graph that other brands are also paying into are effectively selling end user data to third parties. This is where things get uncomfortably murky; the minute an attribution provider becomes a vendor of data, they’re shifting their data privacy role under GDPR and CCPA. And in most cases, they’re doing it under the radar, on the margins of legality, without being truthful to their customers about it.

So how does a company that defines itself as GDPR-compliant, as a processing third party that doesn’t sell data, suddenly make such a shift?

You might note that the providers that offer customers pooled data services are sorely lacking in their company-level privacy efforts, such as privacy compliance programs, external audits and certification. A company that disregards privacy on such a fundamental level is not one you want to be in business with, and definitely not one you want to be giving data access to.

There are other ways

Your data is your data. It shouldn’t be pooled, sold or otherwise shared outside of your brand. If you are choosing to work with a vendor who does this, make sure they’re not misrepresenting themselves and their data privacy practices.

Shared persona graphs are not the only way to tie together user identities; they’re the easy way out for attribution companies with limited technology or a blatant disregard for privacy.

Private persona graphs achieve the same level of accuracy, without compromising the inherent need for privacy. With private persona graphs, data is not commingled among customers, but tied together within the brand’s marketing properties. By employing multiple methods for connecting pieces of the user identity, private persona graphs provide marketers the desired effect without selling or sharing data outside of the brand.

Of course, privacy isn’t just about the graph. As mentioned above, you need to dig deeper to research the company’s general approach to privacy. This is true for any vendor you work with, not just data management platforms.

When working with private graphs, you can rest assured that your attribution provider (and you, by extension) are respectful and proactive about protecting your users’ privacy. You can also sleep better at night, with your conscience and business integrity intact.

Guy Flechter

Guy is CISO & DPO of AppsFlyer, spearheading the company's security and privacy program. Guy brings 17 years of rich professional experience in information security and data privacy to the table, with an impressive track record at LivePerson and several other organizations.