(Bloomberg Businessweek) -- Nicholas Oliver gathers reams of personal information about users of his mobile app: age, sex, location, profession, relationship status, and more—and uses it to send them targeted advertising. It sounds like just the sort of business model that might be in jeopardy once the European Union’s sweeping General Data Protection Regulation (GDPR) takes effect on May 25.
But Oliver’s not worried. His London startup, People.io, which provides market research for companies and gives them a pool of potential recipients of targeted advertising, makes it clear to customers why they are handing over their information. It even pays them to do so.
Consumers accrue points for answering questionnaires and for viewing advertisements that brands push through the app. The points can be cashed in at merchants such as Amazon, Apple, and Netflix. “We don’t want to hide the monetary value of people’s data,” Oliver says. “We want to make it explicit.”
A growing number of companies are considering similar incentives as they seek to persuade consumers to let them collect and keep personal data once the GDPR comes into force. The law requires companies either to secure customer consent to process the data or to state a “legitimate interest” in keeping it. Under the new rules, aimed at giving consumers more control over their personal information, people can request a copy of the data from companies—and ask that it be erased. Companies that lose users' trust—see: Facebook in the wake of the Cambridge Analytica scandal—may find that aggrieved customers simply take their data away.
Gaining permission to collect data—and hold on to it—is a major concern for companies. Strategies include loyalty points programs, product discounts, and special services. Online shoe merchant Zappos.com, for instance, offers parcel tracking only for registered customers. And greeting card merchant Paperchase has a loyalty points program that requires customers to provide their e-mail and home address and consent to marketing messages.
There are pitfalls in trying to get more information out of people. One-third of customers will abandon an online purchase if asked to register first and hand over personal information, according to the Baymard Institute, a Danish e-commerce research firm.
“It’s about how you use GDPR compliance to also create things that people want,” says Laurence John, the founder of a London company called Ctrlio that helps price comparison websites create customized promotions for customers. John’s bet is that people will find sufficient value in personalized offers—timed, say, for when they’re shopping for a new phone contract or insurance policy—to let Ctrlio hold their data. “The more information you share with the marketplace, the more tailored offers you will receive,” he says.
For merchants, Ctrlio offers better insights into exactly what motivates customers: how price-sensitive they are and the product features they value most. And because GDPR allows almost unlimited processing of data that is fully anonymized—stripped of identifiers such as names, addresses, and phone numbers—Ctrlio also aggregates information for consumer-facing companies such as phone carriers, insurers, and energy suppliers.
Among Ctrlio’s customers is German price comparison site Verivox AG. “Ctrlio helps us better understand the price sensitivity of the market and to target individual customers,” says Klaus Hufnagel, Verivox’s managing director. He sees GDPR as a double-edged sword. While it makes it easier for people to delete their information, it also makes it easier for them to take data to a competitor. To keep customers from defecting—and perhaps woo some from rivals—Hufnagel is considering a loyalty points scheme similar to those offered by airlines.
Christian Huber, the data protection officer at German semiconductor manufacturer Infineon Technologies AG, says GDPR could be a big opportunity for companies that use it to build trustworthy reputations. “If you can show you’re compliant and act transparent on data protection, then that can lead to a competitive advantage,” he says. “Everyone wants the data they’re sharing to be safe.”
For companies that depend on personal information but aren’t consumer-facing—such as online ad brokers—figuring out how to deal with data in a post-GDPR world is more complicated. These businesses often rely on large databases containing information they themselves did not collect, so obtaining consent to use what they have is nearly impossible.
Instead, such businesses are relying on GDPR’s rules on aggregate information to establish entities called data trusts. By grouping together, they could potentially get access to wider market insights and they can share the expense and expertise needed to anonymize the data.
International Business Machines Corp. and Mastercard Inc. announced plans for such a trust in mid-March. The group, called Truata, will anonymize data and then analyze it for corporate clients—telling them, for instance, how price-sensitive their customers are or what products are most popular in areas they serve. This will enable businesses to extract insights from the data without having to hold on to the personal information long-term.
Says Barry Smyth, a computer science professor at University College Dublin and a Truata board member: “If we can’t, as technologists, enable businesses to continue to maximize the promise of data while protecting the rights of consumers, then we all stand to lose.”
--With assistance from Stefan Nicola
To contact the author of this story: Jeremy Kahn in London at jkahn21@bloomberg.net.
To contact the editors responsible for this story: David Rocks at drocks1@bloomberg.net, Dimitra Kessenides, Giles Turner
©2018 Bloomberg L.P.