When Selecting A CDP, Marketers Must Keep Privacy In Mind

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Jodi Daniels, founder and CEO at Red Clover Advisors.

Customer data platforms (CDPs) are the latest shiny new thing in marketing technology, helping companies create a single view of their customers by storing data such as web page views, email clicks and payment transactions.

In all that goodness, CDPs stockpile personal identifiers to help marketers connect that email message to a website click. That kind of personal data is a goldmine for content recommendations and personalized advertising.

Marketers can use CDPs with little IT department involvement and focus their energy on understanding the customer journey and creating tailored marketing campaigns.

While the category continues to mature and marketers explore the CDP market, they must consider data privacy as a core criterion. CDPs are all about first-party data, which means companies are in full control of the data. This can help them better comply with privacy regulations, including the EU’s General Data Protection Regulation (GDPR), ePrivacy and the upcoming California Consumer Privacy Act (CCPA).

When evaluating a CDP, it is important that it allows a company to capture the legal basis for data collection, such as consent when applicable. A CDP also needs to easily support a company honoring individuals’ rights requests. Since the business initiates the collection of data stored in a CDP, it is also responsible for its security and determining the lawful basis for use under laws like GDPR.

Businesses, for example, must assess CDPs before selecting one to ensure that the CDP vendors under consideration are compliant with GDPR or CCPA as a processor, as required by these laws. The assessment should cover whether the CDP is complying with privacy laws, identify how data is secured and confirm that there are strong security controls. The assessment should also confirm data will not be used for any other purposes, analyze how the CDP will communicate if there is a data breach, and verify that the company has trained employees on privacy and security awareness.

When third-party data sources are relied upon to augment a data set within a CDP, a company will have to rely on that third-party vendor’s lawful basis for collection and use. In ad tech under GDPR, that’s getting harder to do. Many ad tech companies rely on consent but there is ongoing debate about the appropriate level of consent and whether the IAB framework will remain the standard.

The publisher with the most control of the data will be in a better position to serve its customers the most valuable content and advertising. Companies need to consider customers’ expectations on how to use their data. Customers may not fully comprehend how advanced marketing capabilities are, and there is a fine balance between valuable and too targeted – or, as it’s said in the industry, “too creepy.”

Marketers must treat CDPs as an opportunity to properly manage first-party data in a way that is privacy-safe, personalized and relevant. To make customer-centric decisions, companies must factor privacy considerations into the marketing strategy for leveraging the data in their CDPs. As marketers look to build a data advantage, first-party data has to be at the core. Whether it’s website visits or declared data from an app, a CDP is well suited to stitch and normalize.

The applications and potential are significant, but marketers must select and plan for privacy. Regulatory pressure is likely to increase, not lessen – as is consumer demand.

Follow Jodi Daniels (@redcloveradvsrs) and AdExchanger (@adexchanger) on Twitter.



  1. Jodi,

    You’re right on the mark here (as always)! I’ve been pushing that a true CDP is not only built using Privacy by Design, but privacy has to be in its DNA. Column and source level privacy metadata effectivity, intelligent preference and regulatory enforcement rules, auditing tools, and preference-conflict resolution are all implicit requirements of recent data protection that few platforms are anticipating.


  2. Dan – Thanks for sharing your thoughts and I am hopeful we will see the trend towards privacy-centric tools!