Customer data and security: how to mitigate risk and cash in
Published: June 23, 2016
Author: Mike Stetzer
If your current digital marketing efforts do not incorporate customer (1st-party) data, you’re doing it wrong (and we’ve got a whole whitepaper about how to use it). Add in another sub-set of customer data – 2nd-party data, which is essentially 1st-party data that belongs to someone else but can help your campaigns (think NFL/Nike exchanging data on ticket and jersey sales), and you can see that customer data is invaluable to your marketing campaigns.
But that data comes with a big concern that we address at various levels with almost all of our clients: how secure is it? The good news is that there’s a way to achieve lock-tight security for the data; the bad news is that it’s not an easy one. But let me start by reminding you of the ways you can use customer data, then launch into the security part.
Here we go…
Ways to use customer data
In many cases, clients are focused on New User Acquisition. It’s not a very efficient use of advertising dollars to, for example, serve ads to users who may already have a membership with you or own the product you are selling. For example, if you are a bank and you’re trying to drive users to open a Checking Account, you should exclude customers who already have a Checking Account with your bank. Or, if you are a ride-sharing service, and you’re trying to find new drivers, you should exclude existing drivers from your targeting.
This is commonly used for Retention. For example, if you have customers who haven’t used your service in quite some time, you could create custom copy variations (We miss you!) and serve ads to this audience. For retail, you could decide to target high-LTV customers directly.
From Facebook – “Lookalike Audiences are a way to reach new people who are likely to be interested in your business because they’re similar to customers you care about.” Options also exist with Google (Similar Audiences) and Twitter, though they’re less mature.
Especially for smaller (or new) businesses that may not know much about existing customers, uploading a customer list and asking Facebook or other platforms to find similar users can be a great option. On Facebook, we’ve seen better success with this approach vs. trying to manually create a target audience using interests, behaviors, and demographics. For larger businesses that have a ton of 1st-party data, uploading a list of high-LTV customer emails for lookalike creation can be a fantastic option.
Pretty alluring, right? And that’s the tip of the iceberg, believe me. The upshot: you want to be able to use your customer data. Which brings us to…
How to secure your customer data
The topic of security is understandably an important one when it comes to Customer Data. How in-depth our conversations with clients about security get can vary by vertical, but we’re typically having these conversations to some extent with all clients.
The good news is there are ways to utilize this data in a secure fashion. The “bad” news is that you may need someone with technical expertise involved in this process. The solution we’re talking about is called “Hashing,” and we’re going to pull some quotes from a recent Facebook release (which you can read in full here) to help you learn more about it.
What is hashing?
Buckle up; this gets technical fast. Again, from Facebook: “A ‘hashing algorithm’ is a one-way mathematical function that creates a non-reversible fingerprint of a fixed length for a piece of text. If the same hashing algorithm is used against a piece of text, it will always produce the same “message digest” – basically a fingerprint of the original data. No mathematical function or “key” exists to reverse this fingerprint back to the original value.
“So, for example, if two computers both hash ‘email@example.com’, both will end up with a fingerprint like ‘7f759cccof73ocbdb4e297010b8ec5e5’. However, given the fingerprint ‘7f759cccof73ocbdb4e297010b8ec5e5’, there is no mathematical function to reverse that back to ‘firstname.lastname@example.org’.
“Facebook uses an industry standard secure hashing algorithm called ‘SHA-256’.
“(The) advertiser’s browser hashes all of the uploaded email addresses/phone numbers locally on their computer.
“On the Facebook side, we have pre-computed the hashed values for every Facebook user. We take the customer’s list of hashed values and compare it with our own list of hashed values.
“Once the matching process completes, we delete all of the hashes – both matching and non-matching.”
Have I lost you yet? Maybe?
For some clients, providing this explanation and documentation to their legal/compliance team is all we’ll need. For other clients, however, the notion of uploading raw Customer Data to Facebook is a deal-breaker.
Here’s how we approached things with a client who fell into the deal breaker category: our IT Team established a Secure FTP with the client for secure data-transfers. Here’s how that works:
- Client sends Customer Data (emails) to our team using Secure FTP.
- Using Java, our Team is able to Hash these emails in a format that Facebook understands (SHA-256).
- Data is sent to Account Team in hashed form.
- Emails are uploaded to Facebook in hashed form.
- When that data leaves the Secure FTP and is uploaded to Facebook, it has already been hashed.
- Client doesn’t need to send raw customer data in a potentially “unsecure” environment.
- If data were somehow intercepted on our Account Team’s machines, it would be hashed.
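The hash-then-match flow described above (the hashing step in the Secure FTP workflow and the comparison Facebook describes on its side), as an added Java example that is not our team's production code or Facebook's. The class name, the sample addresses and the trim-and-lowercase normalization are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

public class HashedAudienceMatch {

    // Assumed normalization: trim whitespace and lowercase. Both sides must
    // apply the same rule, or the same address yields two different digests.
    static String normalize(String email) {
        return email.trim().toLowerCase(Locale.ROOT);
    }

    // SHA-256 of the UTF-8 bytes, rendered as 64 lowercase hex characters.
    static String sha256Hex(String value) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(value.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample data; none of these are real customer addresses.
        List<String> clientList = List.of(" Alice@Example.com ", "bob@example.com", "carol@example.com");
        List<String> platformUsers = List.of("alice@example.com", "dave@example.com", "bob@example.com");

        // Advertiser side: only digests leave the secure environment.
        List<String> upload = new ArrayList<>();
        for (String email : clientList) {
            upload.add(sha256Hex(normalize(email)));
        }

        // Platform side: one digest precomputed per known user, keyed by digest.
        Map<String, String> precomputed = new HashMap<>();
        for (String user : platformUsers) {
            precomputed.put(sha256Hex(normalize(user)), user);
        }

        // Matching is a plain lookup of each uploaded digest.
        for (String digest : upload) {
            String match = precomputed.get(digest);
            System.out.println(digest.substring(0, 12) + "...  "
                    + (match != null ? "matched " + match : "no match"));
        }
    }
}
```

The lookup succeeds because the digest of a given normalized address is always the same, so anyone who already holds a list of candidate addresses can run the same comparison. The hashed file therefore still needs the access controls and encrypted transfer applied to the raw list.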
The biggest takeaway that I want to share with you is that the situation isn’t black and white; it’s usually not a “can” or “can’t” situation. If you’ve got a great in-house team or work with a full-service agency, you may have other team members that can assist with these types of projects. And if I haven’t made this clear yet, let me repeat: customer data is vital to unlocking growth, so even if you have to go to great lengths to make sure it’s okay to use, it’ll be worth it.