- Mobile updates could severely restrict advertizers’ access to consumer data
- Marketing campaigns using NFC and QR codes have been found to dramatically boost consumer engagement
- IoT laws are still developing and marketers need to know exactly where their data is coming from to ensure compliance
- While the law is well behind the curve for IoT technologies, marketers can get caught out by existing legislation being applied to the field
The Internet of Things (IoT) is transforming online marketing. IoT technologies allow higher levels of engagement with consumers than ever before, with companies receiving almost instant feedback and real-time insights into customer behavior over the long term from sensors, smart devices, and wearables.
Products can be targeted directly at the consumers most likely to buy them. Data from touchpoints also indicate where exactly the customer is on the purchasing timeline. And while IoT won’t replace traditional marketing, it does present marketers with multiple new opportunities.
The pandemic has created new behavioral trends that have had direct impacts on marketing: outdoor and display advertisements – cornerstones for the commuter market – have taken huge hits, as have free newspapers. A growing number of marketers have realized that IoT offers a direct channel with consumers that they would otherwise be unable to reach.
Key to the new direction marketing is headed and the potential with IoT is data. But it must be obtained and nurtured in the right way, and not all organizations are up to speed yet as to how to extract data to gain the most value. Or, indeed, with navigating the various national legal responsibilities required to be data compliant.
“One of the biggest issues you have is companies that may be experienced with manufacturing, but they’re not used to protecting data,” explains Stephen E. Reynolds, lawyer at US law firm Ice Miller, as well as a qualified computer programmer and IT analyst.
There is a belief that IoT devices collect excessive amounts of data and are also more vulnerable to cyberattacks. While artificial intelligence (AI) and machine learning (ML) are both widely used for making sense of large data volumes, edge computing has the potential to solve a number of data volume and security issues.
Instead of the smart device or sensors sending data centrally to the cloud, the edge sends it to smaller data centers much closer to the data source. The edge performs pre-processing on this data, filtering out the unnecessary and only sending the relevant information where it needs to go.
“We’re going into this accidental collection of too much information,” says Joseph Carson, an expert in cybersecurity and chief security scientist at Thycotic. “Organizations get into this. They want to collect everything and then try to figure out what the right questions are later. But that’s the wrong approach. What you want to do is make sure you have the right questions first, then determine basically how to obtain that data.
“When we have connectivity that’s so good, and we have the processing power that’s so good, we don’t need the data to come centrally. And this also de-risks it.”
The edge can also increase a local network’s bandwidth due to more concise data use, allowing more IoT devices to be integrated into the network. Whereas centralized masses of data on the cloud present an appealing target for hackers, the edge spreads it out across a much larger number of locations.
“It makes it more complicated. Rather than me having to hack into one large database, it means I have to hack in hundreds of places. The likelihood of achieving that possibility becomes more difficult,” says Carson.
Through the edge, online marketers can receive the precise information they’re after instead of having to sort through masses of unrelated data. Carson says that the EU’s GDPR has also helped to refine data collection processes.
“You don’t have this excess of data collection that you don’t necessarily need. That even raises the risk if you don’t know the information you’re collecting,” says Carson.
“The great thing is that GDPR put clear lines in the sand about what’s right and what’s not. It means that you can’t just collect data for the sake of collecting, you need to have a general business purpose or justification. You have to be very targeted.
“Marketers will need to have a legitimate reason. They will have specific questions, and they will be able to get exactly the data they need to make decisions – rather than excessive, accidental collections of data.”
Apple’s latest iOS 14.5 update could have big implications for online marketers and IoT. Its App Tracking Transparency (ATT) tool means that advertisers will need to ask users’ permission to access certain data. A pop-up will ask users to opt-in to share data instead of an opt-out.
This replaces the previous system, which permitted advertizers to use apps to track the user’s behavior and use this data to create targeted ads.
Apple’s update has attracted strong criticism from Facebook, which relies heavily on revenue from targeted advertising.
And in July 2020, after the iOS update was announced, online marketing and advertising association IAB Europe wrote a letter to Apple’s Tim Cook to express concerns. The letter criticized the ATT for not providing an option for advertisers to request data permissions at a later date, claiming this would restrict business revenue for smaller companies and increase Apple’s advantage. It also stated the update “cannot be used by [the] digital advertising sector to comply with GDPR requirements applicable to online advertising”.
But the iOS 14.5 update has also attracted praise.
“Apple’s making a lot of the right moves to protect users. Their business interest is for their users and not the advertisers, which is very different from a lot of other business models – their interest is they give you free stuff so they can sell [data] to other people,” suggests Joseph Carson.
“But Apple has an interest. You’re the customer of Apple, and they want to protect that as much as possible. So, Apple had legitimate interests to do the right thing when it comes to privacy. And I think Microsoft is starting to follow suit. I think this is setting the foundation of what’s to come.”
James Denvil is counsel at US law firm Hogan Lovells and an expert in international privacy and cybersecurity laws. He thinks the update will help improve scrutiny for data collection.
“It doesn’t necessarily change the ways data will be gathered,” he says. “It just enhances the scrutiny on what’s happening and enhances the importance of having governance controls. And make sure that you understand what data you’re collecting, what you’re using it for, and who are you sharing it with.”
It is becoming increasingly important for online marketers to engage in a way that consumers get some benefit from the experience. This can also drive brand loyalty.
Near field communication (NFC) and QR codes aren’t new technologies, but have seen a resurgence in recent years, especially during the pandemic. People have become used to scanning a QR code when visiting certain places as part of Covid track and trace systems.
Interactive packaging technologies have been deployed in many campaigns by SharpEnd, a marketing agency that uses the IoT to connect brands with consumers for clients including Nestle, Levi’s, Nike, and PepsiCo.
Interactive packaging involves consumers using smartphones to scan or tap a product label and then make further engagements via an app, which also grants permission for companies to use the data. SharpEnd uses AI and ML to analyze data from consumer scans and interactions.
“We did some work with a brand called Lyft last year, which was focused on when someone tapped that product via an NFC. We understood the context. We understood their location, the time of day, whether they tapped before or not,” says Rob Hollands, SharpEnd managing director. “We’re doing a huge amount in retail and our platform is now powering thousands of stores across the world to deliver more seamless, contactless experiences.”
With web ads, the click-through rate can be as low as one percent. Whereas SharpEnd’s NFC-enabled packaging campaign with Lyft last year recorded an 18 percent scan rate. Almost half of the consumers that scanned also went on to register their details with the company.
Voice interactive assistants have been readily available for the better part of a decade, but it is another technology that has taken some time to be embraced by consumers. Yet platforms such as Amazon’s Alexa, Google Assistant, and Apple’s Siri have now become part of everyday life.
In fact, the prevalence of voice technologies has led to predictions that this could change the way that website copy is written. Instead of using traditional SEO-based copy to attract traffic, marketers will need to change the wording to move closer to how people speak and engage with voice assistants.
Playing catch up
The law is notoriously slow to catch up with technology. This has intensified in the past decade given the rapid speed that tech has evolved.
In the US, there is no single federal law that relates to IoT for consumers and data for marketing purposes. While the US IoT Cybersecurity Improvement Act was signed into law in late 2020, it is only applicable to government devices or those dealing with federal agencies and does not cover consumers.
The Federal Trade Commission (FTC) did issue guidance last year for businesses using IoT technologies, emphasizing the need for greater levels of data protection and encryption.
Instead, US legislation has been used to regulate IoT operators.
“Instead of having new laws passed, regulators are looking into this area, like state attorneys general and the FTC. And they’re basically using their broad regulatory abilities, which allow them to regulate unfair, deceptive business practices. And they’re using these abilities to regulate companies in the Internet of Things space,” says Reynolds.
Some US laws can also be decades behind the technology and no longer make sense in the modern context, which can catch out some marketers.
“A quick example is the Electronic Communications Privacy Act in the US, which protects communications. This would impact IoT or stored data if you’re storing certain data remotely like cloud storage, which would be implicated for IoT. That was drafted when we all had modems that screech at you when your dial-up,” explains Denvil.
“It didn’t contemplate the idea that you could have loads of backup storage available on the cloud for free and keep certain communications forever. The protections built into ECPA are based on what the technology was like back in the 80s, which was very different to what we have now.”
Despite a lack of federal laws relating to IoT, individual states have established strict data privacy rules – most notably the California Consumer Privacy Act (CCPA). This allows consumers to opt out of having their data sold and request that their data is deleted.
Given the globalized journey of a lot of the world’s data, the fact that different jurisdictions have different types of laws makes things difficult for marketers.
“There are challenges given how expansive these laws are, whether it’s GDPR, or in Brazil with the LGPD. Or even now in the US with the California laws and the growing state laws, whether it’s the new Virginia law and the others that are likely to follow,” says Denvil.
“It would be wonderful if we could say if you’re GDPR-compliant, you’re CCPA-compliant. But under GDPR there’s no such thing as the right to opt-out of the sale of personal information.
“The other challenge under California law is if you are collecting personal information regarding consumers with which you don’t have a direct relationship.”
In California, if an advertiser acquires IoT data and shares it with third parties, the advertizer could technically be classified as a data broker and would then need to register with the Attorney General’s office.
“That would not come to anyone’s mind who was just focused on a GDPR compliance program,” Denvil says.
“Our laws are still fixated in regulating activities in physical space. The regulation of cyberspace is an evolving concept,” says Denvil. “Until we can reach interoperability agreements and have the EU and the US and other large areas agree on basic rules of the road, I think it’s going to become more complicated. It requires cooperation in a way that in this environment is challenging – but I’m hopeful.”