How a Customer Data Platform helps you to comply with data protection legislation

6 minute read

Team BlueVenn

When it comes to data protection, a storm has long been brewing. First came worries about Alexa eavesdropping in people’s homes and recording conversations (in November 2018 a New Hampshire judge ruled that audio captured in the home of a murder victim could be used as evidence in court). Then the Cambridge Analytica-Facebook scandal broke, with data harvested off people’s Facebook accounts being used to drive political advertising, potentially affecting the U.S. election result. Consumers’ growing concern has led to harsh new data protection regulations – GDPR came into force in Europe on 25th May 2018, then the California Consumer Privacy Act became effective in the state on 1st January 2020.

Nonetheless, marketers are increasingly using data to improve their campaign audience segmentation and targeting. After all, a recent Gartner State of Personalization report found that 86% of consumers are fans of personalized communications, and that brands saw a 20% increase in commercial benefits when customers found these to be helpful. In fact, identified personalization as a Top 5 trend for 2019 due to its potential to increase ROI, while an eMarketer survey found that 70% of marketers considered a Single Customer View to be an important asset.

So, how can businesses navigate the fine line between gathering enough information about customers to engage them and risking a data breach or loss of reputation by collecting too much? A Customer Data Platform (CDP) can deliver the best of both worlds by helping marketers to create a ‘golden record’ that will allow them to monetize data, whilst respecting customer preferences and making it easier to adhere to current and future data regulations. The first step of compliance is understanding the laws.

What is GDPR?

The General Data Protection Regulation (GDPR) protects the data of European citizens, regardless of where it’s processed. The law requires companies to have regulations in place to safeguard customers’ private information and demands that they keep flawless records of how data is used and who it is shared with. Declaring data breaches is mandatory and when it comes to consent, the consumer must ‘opt in in’ to specified use, rather than unticking a box to ‘opt out’.

The six legal bases for possessing data are having consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement and a public interest. So, before you begin to stockpile any sort of Personally Identifiable Information (PII), consider whether you can justify it on these grounds. The other significant aspect of the law is that data subjects have the right to see what data is being held on them, ask for it to be transferred, object to its processing, or request that it be deleted altogether. Failure to abide by the law can lead to a hefty fine of up to €20m or 4% of global annual turnover.

What is the CCPA?

The California Consumer Privacy Act (CCPA) applies to companies doing business in the state of California that have an annual revenue over $25m, receive information on over 50k consumers, households or devices annually, or gain at least half their income from selling personal information. There is no obligation to gain consent before collecting data (except with children under 16), but consumers have a right to know what information is being collected and stored and how that data is being used or shared. They can also ask for it to be deleted or ban its sale.

Crucially, consumers can sue companies that fail to comply with the CCPA guidelines, even where no breach has occurred. This means that organizations who collect, store, analyze and use Californian data must do so with care, or risk being hit with a large penalty. If a breach occurs, not only will the company be fined $2,500 if it was accidental, or $7,500 if it was deliberate, but each affected consumer can claim damages of $100-$750 per instance, or actual financial damages, whichever is the greater. Similar laws are being considered in Washington, New York, North Dakota and Utah.

How can a CDP aid compliance?

Staying compliant in the evolving world of data privacy laws can feel like an overwhelming task, but this is where a CDP can pay dividends. By its very nature a CDP unifies first party data from multiple sources, including a brand’s website, CRM, apps, social media, POS and loyalty schemes. It then removes duplicates and structures the data in a way that is easily accessible and rigorously audited. It enables all preferences, interactions and behaviors from all online and offline marketing channels to be captured in one unified database.

This allows marketers to govern the data meticulously. The Single Customer View provides a single source of truth throughout the entire business and makes the use of data both accountable and visible. Furthermore, customer preferences across all different channels can be maintained within one holistic view, so that no mistakes will be made.

By unifying, cleansing and deduplicating all your first party customer data from disparate silos, you can ensure that the record you are seeing is the latest, most up-to-date version of the information held. For example, if a customer decides to unsubscribe from direct mail via an email preference center or form, your CDP will store this information and build them into a direct mail suppression list. This will guarantee that they won’t be bombarded with unwanted content, not only via email but any other channel.

Another compelling reason to invest in a unified, persistent database is the right to be forgotten and the obligation to fulfill Subject Access Requests, potentially for a large number of people at very little notice in the event of a breach. With both GDPR and the CCPA, just 30 days is allowed for companies to compile and produce all data held on an individual. The SCV means all information can be found in one location, and if the CDP has an inbuilt user interface, it may even be possible to print or delete the unified ‘golden record’ at the touch of a button, making a flood of SARs much easier to deal with. Non-essential information can also be removed easily, without the need to delete everything.


A Customer Data Platform like BlueVenn will help you to remain compliant to the laws of the regions in which you conduct business, making it less likely that you will face a hefty penalty. Although CDPs are purchased to help track customer data, they simultaneously have the capacity to offer invaluable assistance with protecting that data. They can also help marketing teams to optimize the use of first party data, making it less necessary to stray into the murky territory of third party data and cookie tracking. In an era where trusted companies are rewarded with repeat custom and Google has pledged to phase out cookies, this capability will see the use of CDPs becoming more widespread.

Reliable products. Real results.

Every day, thousands of companies rely on Upland to get their jobs done simply and effectively. See how brands are putting Upland to work.

View Success Stories