Navigating the New Norm: Balancing Personalization, Privacy and Data Security

Transcript

Good morning, everyone. Welcome to the Skills Exchange. We’re going to talk about balancing personalization, privacy and data security. We’re going to talk about the key components of personalization and privacy. We’re going to look at how we evolve Adobe Bespoke architecture. We’re going to look at how we looked at privacy as a privacy first approach. And then how did we secure the data as part of the implementation? And then how did we implement cross platform personalization use cases? And what kind of governance and controls we put in place? And we’re going to bring all of this together to see how this enables us to elevate the customer experience. My name is Ketan Manushali. I lead the Prudential’s marketing function. And as a head of marketing technology, my objective is to provide marketers with the right set of tools that can be used to optimize customer experience across all the touch points, using data as a primary decision making tool. In ever-evolving digital landscape, my role is to position Prudential as an industry leader, leveraging technology to create impactful marketing campaigns and to foster strong customer relationships. Hi, everyone. I’m Lalita Kavthirappu, Technology Lead in the Marketing Technologies at Prudential. I drive technology vision and strategy for our marketing teams, collaborate with product management, marketing security and architecture teams. I’m basically a technologist to design, develop, deliver omnichannel experiences and responsible for end-to-end implementation of frictionless customer experience solutions. As we started our journey, our objective was to help unlock a deeper understanding of our customers and prospect to craft personalized experiences that evolve with their need, all while putting privacy at the forefront. Here are the key components of personalization and privacy we’re going to look at. Data architecture. Data architecture is the core foundation of implementation of AEP. You have to look at all the different data sources through which you’re going to bring the data, look at the relationship between data and how that’s going to come together to give you a full view of the customer.

Personalization without content is not a successful strategy. So trying to figure out a way to have a content at scale so we can actually personalize the experiences for the customer to provide the right content to the right user at the right channel. All of this cannot be done without privacy in mind. So having the robust strategy and implementation with knowledge of regulation is key to achieving privacy compliant system. And to get all of this information into the platform, you should be able to see the 360-degree view of the customer and get meaningful insights to drive the outcomes. So we’re going to talk about Prudential’s Beavespoke architecture using Adobe Experience Platform.

So as we started our journey, we wanted this architecture to provide us with the implementation of AEP.

So as we started our initial journey, we opted for a point-to-point architecture, which worked initially. However, as the data sources increase and the adoption grew, the complexity of the platform increased significantly. And this approach led to numerous challenges like data synchronization, data duplication, making it difficult for us to maintain a unified customer view. To address these challenges, we evolved and adopted Adobe Experience Platform as a bespoke hub-and-spoke model to centralize the data across the enterprise. This allowed us to simplify the data integration and provide a single unified customer profile while capturing the complex dependencies across the data for customers and prospects. If you look at this diagram, you can distill this into key components and data flow. Data ingestion. AEP ingests data from multiple data sources, including multiple CRM systems like Salesforce across B2B and B2B2C businesses. Web sources such as prudential.com powered by AEM via Web SDK. Multiple market instances, our internal lead management system, consent system, enterprise data warehouse, and many more. And this is achieved through a combination of out-of-the-box connectors, API, and customer connectors for more complex use cases.

Data prep and cleansing. Data prep and cleansing is done using combination of AEP data prep functions. We also look at what we can do at the source. And then build custom external system for complex data prep needs.

Data processing and storage. The data ingested is stored in data lake, processed and transformed using XDM, schema and dataset. And this results in creating individual profile and experience events.

Unified customer profile. So AEP creates the unified customer profile by stitching together identities through identity graph. This profile is enriched using data from various sources enabling 360 degree view of the customer. Segmentation and activation. AEP performs both batch and real-time segmentation, allowing for activation of audiences across various channels through RDCDP.

And then now if we look at the key benefits of AEP and this architecture, you get is centralized data management. So with this hub and spoke architecture, you can customize centralized across various parts of the enterprise into a single system. And that makes it easier for managing and governing the data. 360 degree view of the customer. So by integrating all of these data sources and the relationship across these data sources, you get a 360 degree view of the customer and you can capture complex relationship across the customer and prospect it. Personalization and activation. The unified customer profile enables personalized experience across marketing channels and that allows us to do customer engagement. And we also have a better control of the profile. So having all of the data in AEP allows the activation to send only the profiles to the downstream system that are required to process that on that particular system. And we wouldn’t be complete if you don’t look at the feedback group. So all this collective information that is coming across multiple data sources gives us more intelligence in terms of relationship. And that relationship gives us additional insights. And those insights we send back into our data warehouse, which can then drive the marketing campaigns as well as the reporting from a business standpoint. So it was an incredible journey for us, but at the same time, we had to work through multiple hurdles. This is by no means complete, but this approach has provided us with a scalable path forward.

Here are the key takeaways that we talked about in previous slide. There are three key takeaways. Real-time customer profile for omnichannel personalization. So identifying and getting all of this data sources data into AEP allows us to get a view of the customers and agents and brokers. It allows us to capture multiple relationships across the enterprise that will drive the use cases for B2B2C and B2B. Data ingestion via out-of-the-box connector and custom connectors. So using the out-of-the-box connector wherever it’s available, and then trying to build custom connector where there is a need and not a support from the platform. And it all depends on what your use case is and what makes sense for you to proceed forward. And then leveraging Adobe Experience platform for query service to build a custom data set that you can drive for activation in the downstream system, so you can get the high value segments across multiple channels.

Now we’re going to look at how we went through the privacy first approach, what were the considerations.

So here we are going to look at key components of AEP and what was enabled through privacy mode. So we obviously looked at the overall architecture of AEP and how it integrates. But then now we’re going to look at how privacy management is enabled within the platform, and specifically how the consent management and OneTrust works together that can capture the data and build trust with customer through robust privacy controls. So now you’re going to ask, hey, what’s the privacy management and why is it important? So privacy management is crucial in today’s digital environment. Regulatory landscape is evolved over the years with regulations like TCPA, CCPA, CPRA, GDPR, and now multiple states working on similar privacy laws. It is all about building trust with the customer by being transparent and giving them control over that data while building platforms that is flexible to incorporate changes to the privacy law as it evolves.

Now let’s look at the key component and how it works. So obviously the fundamental component of this is AEP. So in AEP, you can manage data, you can delete data, you can manage the consents, you can manage the opt-out. All of this you can do through using privacy service.

Consent management system. So this is obviously our backbone to our privacy management framework. This is a homegrown system that was built for customers to manage opt-in and opt-out preferences seamlessly. This consent management system is used for capturing consent across all the touchpoints, ingest data from state and federal, do not contact list. Direct marketing association allows us to capture opt-out for physical and email addresses, and this integrates with multiple systems like Marketo, CRM, and our back-end system.

And OneTrust is the leading compliance and privacy management system and OneTrust for universal consent management, cookie management, PIA, DSR, and our internal system management integration, ensuring that we capture and honor customer preferences across all touchpoints. So now how does it work? So the consent management system that we have built integrates with all the different application and touchpoint. It allows us to manage the language of the consent. It allows us to capture the consent of the user, which means that they are explicitly providing opt-in for Prudential to call them or communicate with them. And then we also load the state and federal data, which is about 350, 400 million records, and then use this information to then integrate with OneTrust to only provide and push the data for the users who are active on our platform. So it’s a combination of a prospect and customer.

And then OneTrust is used for preference management. So all the opt-outs which customers can use their preference center on OneTrust and opt out of that, and that information then is propagated into the consent management system, which is responsible for synchronizing data across the ecosystem. And then OneTrust integrates with AEP to pass that information back into AEP. So AEP can use that information to determine what users can be activated as part of the audiences.

So now what are the benefits, right? So benefits of this is obviously enhance customer trust. By giving customers control over their data, we build a strong, more trustworthy relationship. And then regulatory compliance. Our approach ensures compliance with privacy regulation, reducing the risk for non-compliance and fines.

I’m going to hand off to Lalitha to talk through data management.

Thanks, Ketan. Now I’d like to discuss our secure data management. To help explain this, I’m going to take a small, simple, real-time example from one of our marketing campaigns on how we are handling the PII, personally identifiable information, and non-PII data collection, keeping in mind the data security and data regulations like CPRA and GDPR.

So this is one of our sites which is built on Adobe Experience Manager. On this site, we have a web campaign where we ask the user a series of questions. And at the end of the questions, we request the user to either log in as a registered user if they have an account already, or provide their email and phone number so that we can contact them and nurture them into future marketing campaigns. And also, we would like to understand the user’s behavior when they came into our site. What kind of articles did they read through? Were there any specific product pages they showed interest by spending more time on that? Or did they click on specific sections of that product page? Or did they spend on a particular section on various other product pages? So this way, we understand what the user’s interest is and what their behavior was on our site. And all this information we collect through Adobe Analytics. And remember, I mentioned about the email and phone number? Because of today’s regulations, we cannot capture this data using Adobe Analytics. So we had to think of decoupling this data collection of the PII data. So we relied on server-side API calls. So we used AEM-based APIs to capture the responses for this questionnaire, along with the email and phone number. And now, this information is passed through the edge network. And we all know the AP edge network is a multi-layered secure network architecture that takes care of not only the data security, but also encryption of data in transit and at rest, through their robust firewalls and access control lists. So we are rest assured that the most important information, which is PII, is collected securely.

And let’s say at this point, if a user through the WebCupkey consent on the page said, do not track my analytic cookies, then we will not capture this behavioral data. But still, we have the responses from the questionnaire along with the email or phone as the first-party data, which is still a great information we have to know about the customer’s interest in our products. And let’s say if the user simply closed the model and consented to the capturing the cookies, then through their behavioral data, we have more insights into the customer.

Now, we can marry these two different data collection streams in AP’s RTCDP with ECID, the Experience Cloud ID, so that we are able to enrich the customer profile real-time with better audience segmentation. And the second layer of honoring the privacy consents in AP is because of the integration we have with our Consistent Management System, OneTrust, which Kathan spoke about. So let’s say if a customer chose to opt out their email address from the marketing campaigns, we are able to honor that. And thanks to the dual framework in AP, we are able to categorize the data by creating data usage policies so that the marketing actions requiring data can immediately be evaluated based on the data usage policies applied to it, taking care of the data governance.

So let me summarize the key takeaways with respect to privacy and secure data collection. One, enable consent-driven experiences with centralized privacy governance by integrating with your consent systems to ensure regulatory compliance across multiple marketing channels. Two, activate data responsibly. Align your marketing and CRM activities with consented data only, ensuring all the campaigns and the journey personalizations respect the user’s privacy choices and the data regulation. And third, secure the collection of the consent-driven data so based on your business case, you can decouple the collection of the first party data or the PII data and behavioral data, eventually marry that data together in AEP using RT-CDP, and then you can enrich the profile in real time and govern the data usage across various systems with full consent compliance.

And now I’d like to cover cross-platform personalization. And to better explain that, I have one of the very interesting examples that we orchestrated through AEP.

In this example, we have integrations and interactions across multiple platforms. For example, Salesforce to bring the CRM data, Adobe Analytics to bring the behavioral data real time through Web SDK, and Adobe Target to drive web personalization on the web pages with respect to content and also with respect to their journey. And lastly, we use either Salesforce Marketing Cloud or Adobe Marketo to drive personalized email campaigns. So this is a multi-step marketing journey. And at every step, we look at the user’s engagement. Did they engage or they have not engaged? If they engaged, what were the various kind of activities we captured through Adobe Analytics or Target? So to better explain that, I have an example at the bottom of the screen where the journey starts by sending an email campaign to a targeted user. And there, we check constantly what the engagement was from the user. Did they click on the email? Did they subscribe or unsubscribe? Did they click on a particular CTA? If they clicked on that CTA, we take them to the web page where we are doing the Adobe, through Adobe Target, we are doing personalization. And we see, did they interact with any of the video content or articles? And based on their engagement, we determine what should be the next web page experience or what should be the next email that we have to send them. So let’s say they watched a particular video, then we send a follow-up email for them to register for a webinar. And let’s say they attended the webinar, then we send them a follow-up questionnaire or a few PDF forms for them to fill. And eventually, if they are interested in the product, we send a note to the sale for a conversion. So this is how we are using various platforms to drive a personalized marketing campaign, converting the lead to a prospective customer.

So the success to a marketing personalization campaign, I would like to summarize with these two key takeaways. One, design and orchestrate the personalized journey across multiple channels and looking at what stage they are in this marketing funnel. Design the dynamic customer journeys that adapt based on the engagement behavior. In this example, we saw from the content views to webinar attendance to conversion. And second, deliver content based on the journey stage and improve the engagement and conversions.

Align all your content like articles, videos, webinar content, the follow-up emails, so all of them should align with what stage the user is in this marketing funnel. Use contextual content, create specific CTAs, for their interest, therefore nurturing these leads in a prompt, timely fashion.

Now coming to the data governance and control.

In our AEP platform, we have various instances. So sometimes multiple businesses are using one single instance, or a dedicated instance is given to a particular business unit. And in this particular use case, one business unit has a dedicated instance, but they have multiple affiliates. And there was a need to address unauthorized data exposure between these two affiliates, not even at tenant level, but at instant level isolation, so that we are complying to their internal data governance policies. So there is a need for data segregation of AEP entities, like schemas, datasets, audience, profile data, in fact, even query service. So how did we do that? We have implemented this through ABAC, the Attribute-based Access Control. It’s a permissions layer that can restrict access to schema attributes, profile data, and fields while you’re creating audiences.

So once you apply a label at the schema level, it inherits down to the profile attributes and audiences. So how did we do that? First, we segregate the data. To segregate the data, we created different schemas, different data flows, different datasets, by labeling them with proper naming conventions to identify which schema belongs to which affiliate.

And then we create labels and apply these labels on these schemas. And now tag these labels to the AEP fields and assign labels to the roles. Now we associate these roles to the user groups. Finally, we sync these users and user groups to the Active Directory groups, which in first place gives someone access into AEP. So if you look at the diagram in between, just to summarize how we did this, let’s say there is affiliate A and affiliate B. For all affiliate A schema fields, we assign a label, label A.

Now, because these labels apply to the schemas inherit down into the profile attributes and audiences, when any user or a marketer from affiliate A logs in and is trying to create an audience list, now from the audio while creating audience, the fields that they can see are only the ones labeled A. They will not be able to see any of the fields that were labeled as label B. So this is how we were able to do the data governance at the net level as well as in the same instance level.

And in this section, I would like to explore the innovative ways we have used the AEP features. We did not only use solutions out of box, but there are also solutions which we have used out of the out of box connectors.

So we had a journey where we were supposed to share the audience list with marketer. So there is already a native marketer connector with AEP. It is out of box connector. But strangely, we saw an issue where we were successfully able to send new leads to the marketer, but we were not able to update the same lead if new information came into AEP, and therefore we had to send that to marketer. So because we had a time crunch, so we tried to solve it through journey orchestration. Yes, we are not only using journey orchestration to orchestrate our marketing campaigns, but also using to share our audience list with marketer using the event-based journeys. I’ll get to that in the next slide.

So with using journey orchestration, using the custom actions, we were able to call marketer APIs conditionally and able to share different lists by calling different APIs with this custom actions. Now that was a successful campaign. And then we had to evolve our marketing journey to a more complex journey and to a larger group with 100,000 or more than that audience list. At that point, what we had noticed was journey orchestration was able to just forward 85 to 90% of the audience to marketer. For some reason, like 10 to 15% of the audience were not sent to marketer, even though they were a qualified marketing segment.

So at this point, we also had another layer of additional business validations needed, which was way beyond we can handle on the orchestration side. So at this point, what we did was we shared all these as an audience list to a S3 bucket. From that S3 bucket, our Lambda functions would write these business logics, validate the data, and cleanse the data before any data is shared back to marketer. So this we were able to achieve through a very tailored AWS-led ETL layer, thereby satisfying our business cases. And to the right, we did the similar use case for another campaign where Salesforce, they wanted to do some business logics and validations before they ingested the data back into Salesforce. So we simply created a marketing qualified leads data set separately, which we scheduled through query service. With that scheduled data, we created a data set, and this was shared back to Salesforce through our AWS AppFlow. So this is how we were able to solve for business needs outside AP or along with AP.

And this is the example of the journey orchestration where the journey uses the events received via edge network and makes an API call to the marketer to create or update a lead. And this we have done conditionally, looking at what the values of a certain field is, and based on where the user was supposed to go, we would create a custom event and action to create that specific ad list to marketer. And this is how we were able to use the journey orchestration beyond the orchestration part.

So looking at these examples, I would like to suggest that go beyond standard connectors to activate data with custom ETLs and journey strategies that cater to your business needs. Build tailored, in this case, we have built tailored AWS powered ETL pipelines and orchestrated our customer journeys that align precisely with our business goals. And build purpose driven data activation with journey orchestration. I know a lot of us use journey orchestration flows and functions, but you can actually use these flows and functions to deliver real time triggers based on unique business demands, not just the standard campaign logic.

And finally, I would like to take a quick look at various components and various features we covered as part of this presentation. One, we discussed the strategy to implement a privacy first approach, why it’s important, including the content management system and global compliances. We also discussed best practices of how to securely handle your data based on what kind of data it is with Adobe Edge Networks and the robust governance framework we can bring in. And third, we also looked at various techniques to unify the customer profiles for consistent personalization across multiple marketing channels. And lastly, we looked at a few real world examples that we have a prudential marketing team showcasing how to maximize the personalization while minimizing the privacy risk through redefining the segmentation and journey orchestration. So this was our marketing journey along with Adobe Experience Platform. I hope you got some insights into this and we are happy to take any questions you have.

Thank you both. A lot to reflect on. It’s time to open the floor to all of you. Pop your burning questions into Q&A chat and we received a lot. We will go from out there. One of our stealth practitioners is asking, could you let us know how the consent information is integrated? Is it through OneTrust? Additionally, can you please outline the ID strategy you applied for creating unified profile? We could definitely learn from your experience.

Yeah, I can take that. So yes, integration with Adobe ecosystem is done through OneTrust. Although as part of my slide, architecture slide, I talked about how we have our own consent system. And the reason we actually have OneTrust is because it offers a lot of out-of-the-box integration. And that’s basically what is integrating with the marketing ecosystem, including Adobe.

For the ID strategy, Lalitha, you can chime in. Yeah, sure. And for the ID strategy, it completely depends on what your journey is. Typically, you can do it through emails and stitch your profiles using emails, but not necessarily every time you have to use or you can use. In some of our use cases, we couldn’t use email because of our audience being like B2B. So, like a lot of people have put in email addresses like norupply, norupply.com. In such cases, we cannot rely on email address. In that case, we’ve used a subscriber ID. It completely depends on what kind of user journey you have and what kind of integrating systems you have. Based on that, you can choose an appropriate ID.

Thank you, experts. We have a very good lineup of questions. So, here is the next one. Could you please elaborate how the consents are unified at profile level, which are coming from cross-device? Kithan? Yeah. So, consents, if you think about consents, there are two ways to think about consent. One is the cookie consent, which is what when customer comes to the website unauthenticated, they allow or don’t allow us to capture different cookies. Like, for example, there could be essential cookies that are required for your site to perform that customers do not have a choice to decline. But a lot of other preferences like preference, social media, analytics, advertising cookies, all of that customer has a complete control in terms of whether they want to allow us to capture or not. And then the other aspect is the universal consent, which is where, for example, if you’re asking a customer for a lead, so let’s say for our use case, we have a coding process and we want to have a code for life insurance policy. As part of that process, we capture their phone and email and they consent as part of that. And that consent is primarily for communicating via email and phone, especially for the marketing content. And that’s what controls whether we can market to them or not. So those are the two types of consent categories that customers allow to control what they want us to share or not share.

Thank you, Gagan. It was insightful. Again, a question for you. First, great architecture, one of the Adobe users says, can you elaborate collecting first party PII data when the consent is declined from the customer? I think there is a violation unless a clear language is listed in the consent prompt. Can you share more details on it? Yeah, so I think just as I said in the previous point, right, if we are collecting first party data, that again, the universal consent is required for us to capture that. And as far as any anonymous web related activities, those are completely controlled via the cookie consent process. So if customers does not allow us to kind of collect analytics, then obviously, we would not collect analytics from the user. Either it’s authenticated or unauthenticated.

Thank you, Gagan. It was insightful. So Lalita, we have a question for you. Could you please let us know how the team achieve data separation so that marketers in specific regions can access only region specific data in AEP? Yeah, sure. So to achieve ABAC, first you have to identify what kind of roles you would want to create based on the separation and use these roles and create appropriate labels and assign these labels at the schema level, at the dataset level, or in fact, even at the audience level. So that way, you’re going to make sure when you tag that particular label to a particular role, it means only those fields which are labeled with that particular tag, they’ll have access. If they do not have the label attached to that role, then they will not be able to. So at the schema level, it’s good to understand like what kind of roles you want to assign to a particular role and assign them into that particular user group.

Awesome. So we have again, one quick question for you. If you are collecting data from third party resource includes PII data unencrypted, then how to ingest the data from AEP by maintaining the regional compliance? Yeah. So while ingesting the data, you can bring the data into AEP based on how the source is set up. If they have an out of box connected with AEP, we can bring the data. But where you will have to take care of this compliance is, after the data comes into AEP, you have to identify and apply the appropriate labels to those so that we are applying those roles and compliances with respect to the attached user groups and roles. So you don’t have to think about the compliance when bringing into the data, but after you bring the data or while you’re bringing the data, make sure that you apply appropriate labels and give provisioning according to those.

I think it’s one of the best practice and a good actionable tip. So here is one more question based on the data set and schema. If the business servers in different regions across the world and we have one set of data set and schema created for CCPA region and data governance setting has been selected as per CCPA guideline, then for GDPR, do I have to create a separate schema and data sets? That’s a great question. So considering your GDPR is applied for geo locations in Europe and for CPRA or CCPA in US, so location can be one of your criterias when you’re creating these labels, but you don’t have to create separate data sets or schemas, but you do have to create separate labels and assign them in the same, for the same schema, assign different labels for different CPA or GDPR.

Quite insightful. So we have another question on cookie-less tracking. So it would be our last question. So here it is. GA4 examples does cookie-less tracking when consent is declined, enabling us to track behavioral data anonymously. How are we solving in existing framework? And if not tracked, how are you managing the report? You, Ketan. Yeah, definitely, I can start. So I think especially cookie-less tracking has been kind of, especially with Chrome, has been kind of moving target.

So I think that’s where a lot of the ecosystem that we have with Adobe from server to server communication is kind of key in terms of capturing that information, especially when the consent or cookie is not allowed by the customer. But as far as circumventing or bypassing customer preferences, that I don’t think is allowed, because especially if you’re using cookies, but otherwise, if you’re collecting information directly from a server side, none of the cookie stuff applies.

And you can actually, that’s what people are kind of doing to collect more and more information about that and directly ingest into AAB.

Thank you, Ketan. So we had a very good session from Prudential about using Adobe Experience Platform to deliver real-time personalised experience without comprising the data privacy. I hope you are jotting down your golden nuggets and also learned a lot from these experts. Thank you both for being with us today. Yeah, thank you so much for having us, and it was great to share our experience with all of you. So thanks for your time, everyone. Yeah, thank you. It was a great session, and we are very happy to share our experience, our journey throughout the last year, year and a half, onboarding onto Adobe Platform, and then trying to iterate through and getting our use cases and business needs right.