“We’re very protective about sharing data; not only could it help our competitors, but what if there is a breach?”
A Fortune 500 company CMO
Is there anything an advertiser might be more protective about than sharing its data? Data is rightly considered one of the most valuable strategic assets. Companies want to maintain control over it to preserve competitive advantage, meet legal obligations, and minimize risks. By leveraging their rich data stores, they can achieve significant growth, as evidenced by research from Google and The Boston Consulting Group, which found that data-driven companies can double their revenue and reduce costs.
On the other hand, advertisers don’t always have the right capabilities to capitalize on this earning potential, leading them to turn to third parties for support. The percentage of organizations that entrust critical and sensitive assets to third parties can be as high as 84%. For some, it might be to process payments and order deliveries. For others, it’s the potential to use data to advertise more effectively, such as better ad targeting, personalization, and measurement & optimization. These activations are made possible with access to the right talent and advanced skill sets, such as statisticians, data scientists, and experts in specific activations. But it's not without its risks.
Worryingly, many third-party data breaches can go underreported. A survey from Ponemon Institute and Mastercard’s RiskRecon found that 59% of participants acknowledge that their organizations have encountered a data breach originating from one of their third parties. Notably, 54% of these incidents occurred within the last 12 months. The stakes couldn't be higher; a privacy breach can disrupt processes, share sensitive data with competitors, and result in reputational damage and significant GDPR fines, the most severe reaching up to €20 million or 4% of the firm's worldwide annual revenue.
Therein lies the advertiser’s dilemma: leveraging data-driven strategies for revenue growth while safeguarding against potential breaches. The potential for a mutually beneficial relationship brings parties together, but the potential for harm drives them apart. The dilemma shows companies cannot be open without the risk of harm, leading to cautious and tentative partnerships.
To proceed with cautious pragmatism, then, is to scrutinize and reduce risk in search of something that works. A business must see a third-party risk assessment as an essential activity whose opportunity cost is far less than the potential cost or reputational damage. This article explores questions of how we should weigh the benefits and risks of sharing data with third parties and what are the essential criteria companies should evaluate when selecting third-party partners.
The must-haves when selecting partners
Customers are more likely to share their data with companies they trust and where there is a fair exchange of value, a principle which equally applies between companies. Here are five factors to consider when weighing the potential benefits and data security risks of sharing data with a third party.
1. A clear advertising use case and goal for sharing data
The advertiser must establish a clearly defined use case for sharing data to determine if it's worth the risk.
Consider an advertiser grappling with optimizing ad spending to acquire high-value users on Meta. They need help finding the most relevant customers because they're getting too many low-value customers, who are incredibly costly for the business. In short, they need a better, high-value signal to optimize ads. What steps can they take to do better?
First, they could build a predictive model to learn the characteristics of their most profitable customers. Second, to use that signal in advertising, they would need to send the high-value predictive signal to an ad platform in a language the platform can understand (e.g., a PLTV threshold in a Custom Event) and within a short time frame (ideally within 24 hours). Third, the platform needs to optimize for that signal (e.g., Custom Event Optimisation).
Finally, you would need to experiment with the balance between prediction quality, delay, and how Meta uses the predictions. The inevitable trial and error of finding the optimal setup carries a high cost in time, risk, and spend. This is all to say that even if your company has incredible technical talent, it could benefit from the expertise and experience of a partner with a successful track record of going through this many times before.
In the case of our advertiser, they’ve identified a clear business use case and goal for sharing data: the effective use of advertising and analytics. Their business, like any other, is only as valuable as its future cash flows. However, here they've identified a skill gap where third-party expertise could play a substantial role in optimising for higher-value customers on crucial ad platforms, thus securing these future cash flows.
By optimizing our campaign for the predicted lifetime value event, we could attract higher-value users, provide better signals to Meta’s algorithm, and increase our return on ad spend.
Cantug Sugun - Marketing team Lead, Codeway
2. Only share the data assets necessary for the task at hand
Once the need and use case are identified, the question will turn to the kind of data involved in the processing, its value, and how sensitive it is.
A machine learning model, whether Regression, Buy Till You Die, Random Forest, Neural Networks, Markov Chains, or Gradient Boosting, will automatically learn and quantify the importance of inputs to make educated guesses on what to expect from new data. It’s typical for a machine learning model involved in predicting lifetime value to include the following input data from a client’s data warehouse, information that is as sensitive and confidential as an advertiser's data gets:
Demographic, e.g., age, gender, country
Purchase history, e.g. 1st, 2nd purchase…Nth purchase
Engagement behaviors, e.g., products browsed, email subscriptions, search keywords for eComm, time spent, levels achieved, friends invited for gaming.
Given the hyper-sensitivity of this data and the risk it poses, the level of scrutiny applied to third parties with access to it should be equally high. It begins with adhering to the principle of data minimization, which means collecting and processing the minimum amount of data required to deliver the service used for the purposes explicitly stated. Data minimization helps limit the scope of potential damage and protects all parties in the event of a data breach.
3. Check regulatory compliance and safeguards
Advertisers now operate in a privacy-centric environment with increasing legal and technical constraints on data, changing how identity is processed and used.
Historically, the success of digital marketing has been due to the ability to identify people across sites and apps. With consumers active on more media platforms, devices, and channels than ever, the ability to unify this data into a single holistic view of the customer could help determine marketing efforts, including where and how to invest a limited budget.
However, the ability to resolve identity is now increasingly restricted. New policies are giving people more options to limit how their data is shared with advertisers, and people are choosing to opt out of receiving ads on websites and platforms, so the data shared with advertisers is stripped of identity and grouped. To put it into perspective, approximately 80% of nations worldwide now have either enacted protection laws or drafted legislation, e.g., Europe's General Data Protection Regulation (GDPR), Brazil's General Data Protection Law (LGPD), Canada’s Consumer Privacy Protection Act (CPPA), the US's Multi-State Privacy Agreement (MSPA), and many more.
The tasks for your organization are to know how all parties interact with your data, establish regulatory compliance and safeguards, and honour customers' privacy choices. Only then will you be able to successfully manage the risk.
3.1 Ensure regulatory compliance
Regulations require organizations to implement technical and organizational measures based on the user data's risk level to meet all requirements and assuage security concerns. The following rules are just the ante required to play the game:
Hash or de-identify sensitive personal information. Each party must follow data protection by design and ensure no personally identifiable information is sent un-hashed from the client's end to the third parties.
Endpoint for user data deletion, aka ‘the right to be forgotten.’ If a sub-processor receives the request from their end, they should actively push the confirmation to the client's endpoint.
The implications of these policies also require each party to understand their obligations, responsibilities and liabilities. For instance, working with a predicted lifetime value provider in the EU or UK will begin with a data sub-processor agreement.
Sub-processors are companies that have access to process personal data from a Data Controller, normally the advertiser.
The agreement codifies that if the third party is at fault, they will be liable for any damages caused by their data processing. This framework ensures a transparent and accountable relationship, while also emphasising the need for due diligence in data handling to safeguard the interests of all parties.
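An added example (not part of the original article) of the hash-before-sharing rule in 3.1 combined with the data minimization principle from section 2: only allowlisted fields leave the client's side, direct identifiers are replaced by hashes, and a pre-send check rejects any payload that still contains a raw email. It uses a keyed hash (HMAC-SHA-256) rather than a plain hash, which is this example's assumption; the field names, sample row, and key are constructed.

```python
import hashlib
import hmac
import re

# Assumption: the only non-identifying fields the third party needs for this task.
ALLOWED_FIELDS = {"age", "gender", "country", "purchase_count"}
# Assumption: direct identifiers, shared only as keyed hashes.
IDENTIFIER_FIELDS = {"email", "user_id"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def pseudonymize(value, key):
    """HMAC-SHA-256 of the trimmed, lower-cased identifier."""
    normalized = str(value).strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def prepare_for_sharing(record, key):
    """Keep allowlisted fields, hash identifiers, drop everything else."""
    shared = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            shared[field + "_hash"] = pseudonymize(value, key)
        elif field in ALLOWED_FIELDS:
            shared[field] = value
    return shared


def find_raw_emails(payload):
    """Pre-send check: names of fields whose value still contains an email."""
    return sorted(f for f, v in payload.items() if EMAIL_RE.search(str(v)))


# Constructed sample row and key; a real key stays with the advertiser.
DEMO_KEY = b"constructed-demo-key"
SAMPLE_ROW = {
    "email": " Alice@Example.com ", "user_id": "U-1001", "name": "Alice Doe",
    "age": 34, "country": "DE", "purchase_count": 3,
    "support_note": "reach me at alice@example.com",
}

if __name__ == "__main__":
    outgoing = prepare_for_sharing(SAMPLE_ROW, DEMO_KEY)
    leaks = find_raw_emails(outgoing)
    if leaks:
        raise SystemExit(f"refusing to send, raw identifiers in: {leaks}")
    print(outgoing)
```

The free-text `support_note` field shows why an allowlist is safer than a blocklist: it carries an email address that a list of known identifier columns would not have caught.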
3.2 Ensure your data is secure and safe
We recommend an isolated instance with your cloud service provider, e.g., Google Cloud Platform (GCP). A third party should manage each client in a separate data warehouse instance in an area of their choosing.
Security: Isolating instances enhances data security by preventing unauthorized access from other clients.
Customization: Clients have control over the configuration and settings of their isolated instances, allowing for customization based on their specific requirements.
Compliance: Isolation aids in meeting data privacy and compliance standards, as each client can adhere to the regulations relevant to their industry or region.
Limiting access: The client can fully configure who has access to the data and ensure only those directly working on the project may process it.
3.3 Adopt modern privacy practices
Sharing information stored in web cookies with a third party, known as cookie exchange, used to be a widespread practice among Demand-Side Platforms (DSPs), advertisers, and publishers. While not illegal yet, this common practice is disappearing from the ad tech world. New initiatives starting from Apple and moving to Google have stripped cookie harvesting abilities even from the browser side. This upcoming omission makes the ability to summarize and share high-quality first-party data much more powerful in the long term.
4. Adopt an industry gold standard
Regulations tell a company what to do but not always how to do it, which is why frameworks such as Service Organization Control 2 (SOC 2) exist. SOC 2 is a voluntary standard whose certification signals a company's adherence to strict standards for safeguarding the security, confidentiality, integrity, privacy and availability of its systems and data. It is particularly crucial for entities handling sensitive information like customer data or financial records.
SOC 2 certification is good for everyone involved:
It signifies that the company is storing and processing customer data in a fully secure manner
Third parties gain a competitive advantage in a privacy-centric environment and enhance their reputation as a security-conscious company
It costs less than a data breach for both parties.
Overall, SOC 2 sets the gold standard for data security, compliance and advertisers’ peace of mind when working with third parties.
More organizations than ever are sharing data with third parties for access to advanced capabilities. However, the risk of a potential breach or misuse of customer data by third parties necessitates constantly weighing the benefits and risks of such partnerships and assessing whether a partner is a good steward of our customers’ data. Remember the following key questions to ask of any prospective partnership:
Do we have a clear advertiser use case and goal for sharing data?
How do we ensure we only share the essential data assets for the task?
Does the third party meet regulatory compliance standards across the territories we operate in?
Do they guarantee access restrictions to ensure that only authorized individuals have permission to access the data?
Do they go the extra mile by obtaining certification from a strict industry standard?