
WHITE PAPER

Profile Stitching for Marketers & GDPR

External Document © 2018 Infosys Limited

Introduction

In today’s world, digital marketing occupies a significant share of the marketing domain. Every click, every browsing action of an individual, or even his Facebook posts in some cases, gets captured and has an impact on how he is going to be segmented in a marketing analysis. Based on each such action, a marketer establishes contact with him accordingly. An individual may have just been browsing a website of helmet-makers, and one fine morning he receives a direct marketing call from a sports equipment manufacturer to buy the latest helmet that they have brought to the market.

Everything was going fine for the marketers until GDPR came into the picture. Probably the most-affected department in any organization, Marketing had to change its way of doing business radically. Not only are data subjects given the rights to view, modify, delete and port their data, but any processing activity needs their consent. The segmentation of any consumer based on his browsing behavior or a pattern that the marketer has created now needs to be approved by the consumer first.

The user is unknown, however information about his browsing habits, tags etc. is collected

The user is now known and all the information collected prior to registration are now stitched to him

Abstract

The Marketing department, across industries, is probably the segment most affected by the onset of GDPR. With the deadline for GDPR compliance just around the corner, it is time for marketers to make a final check on whether they have implemented the changes needed to make their marketing actions GDPR compliant. A less talked about topic in that checklist is Profile Stitching. This whitepaper introduces the concept of Profile Stitching, or a Consumer Connected Journey, and a general guideline to tackle the GDPR-related issues pertaining to it. Additionally, this whitepaper presents a set of representative, relevant use cases with a solution guideline for each of them. Thus, it can be used as a readymade guide for marketers in different scenarios of Profile Stitching.

Profile Stitching

The concept of technically linking consumer interactions is fundamental to many marketing aspirations of creating a connected consumer journey. Typically, profile stitching involves linking a subject’s activities across a number of digital touch points – on their PC, on their mobile or tablet – or even on the same device in some circumstances. To do this, there are broadly 2 approaches:

• For identified consumers who are logged into the organization’s services across touch points

• Various methods, both probabilistic and deterministic, to infer that someone interacting is the same person (fully anonymous users or partially anonymous users).

The concept of Profile Stitching can be broadly classified into two parts. They are:

• Temporal Stitching: Temporal Stitching comes into the picture when an anonymous user logs into the company’s website and performs search/browsing activity. Later, when he registers with the website, all the prior information is stitched to this newly created profile. The following diagram illustrates this.

[Figure: Temporal Stitching. Stages: unknown user starts journey from 3rd party websites (User Status: Unknown (anonymous)); unknown user starts journey from the company’s website (User Status: Unknown (anonymous); User Status: Known Unknown); user registers with the website (User Status: Known).]


While marketers would love to continue stitching their consumers’ profiles using the processes mentioned above, doing so without the consent of the consumers obviously violates the basic rights of the consumers. Hence, they need to adopt adequate measures to ensure that stitching continues in a way that is compliant with GDPR.

• Household Stitching: When different members of the household log into the company’s website using the same device, all their information might be stitched to a single master profile by virtue of the Device ID, IP Address etc. This is called Household Stitching, which is illustrated in the following diagram.

[Figure: Household Stitching. A single device (Single Device ID) is used by multiple users (multiple user accounts) to log in: Mr. X logs in to an ecommerce clothes website using his account, and Mr. X’s father, Mr. X’s wife and Mr. X’s daughter each log in to the same website using their own accounts.]

• Activity of each is stored against the single IP address

  » Mr. X searches for Men’s T-Shirt

  » Mrs. X searches for Women’s Tracksuits

  » Mr. X’s daughter searches for Dresses

• When another person logs in, recommendations to him or her will be affected by the previous searches, tags and browsing behaviors

  » Mr. X’s father might be shown recommendation of women’s tracksuits or dresses

Tackling Profile Stitching

Any successful project needs a proper roadmap, all the more so when the project is as severe and as complex as compliance with GDPR. In order to ensure a seamless transformation, the first step should be to build organization-wide awareness through an awareness program. This should be followed by a unit-level understanding of the project plan and its successful execution.

Building Awareness

At the very onset, organization-wide awareness needs to be built on profile stitching. This needs to be managed both at an organizational level, where the legal department/DPO briefs each relevant department about the concepts and their importance, and at a departmental level, where each department/unit understands the topic and creates a knowledge-base for future reference and guidelines.

• Prepare a central document on Profile Stitching

• Conduct centrally managed session(s) with each team/unit on building awareness

• Internal workshop among individual teams/units on implementing changes for Profile Stitching

• Document the changes for future reference and any new joiners

Understanding the changes

The changes mainly involve capturing proper consent and continuing stitching based on the subjects’ decision. For this, a three-step guideline can be followed.

Firstly, the base needs to be set up. In conjunction with the legal department/DPO, the organization needs to review the current Privacy Policies, Terms & Conditions. This needs to be followed by setting up an Accounts/Profile page of the consumers which has all the relevant information, including that pertaining to Profile Stitching. The following schematic diagram gives an overview of the same:

• Review current cookie, tracking terminology and methodology with the legal team and update the Privacy Policy, T&C based on the review feedback.

• Display in Profile Page what information is collected to connect the consumer journeys

• Provide an option to delete them from the Profile page in case the user chooses to do so


Secondly, consumer consent needs to be sought in a proper way (to ensure better customer experience as well as compliance to GDPR). This includes understanding the scenarios in which consent needs to be sought and to display the relevant information to the consumer in each scenario. Following set of broad guidelines can be followed for this purpose:

Third step involves tying the consumer consent to the stitching activity and connecting consumer journey based on the consent. This can be achieved with the help of below mentioned guidelines.

User lands in the company webpage

Display a pop-up message in the home page (suitably placed so as not to disturb the customer experience much) on Profile Stitching

• Provide the option to not provide consent and still proceed

Provide an option saying “Do not show this message again” and skip showing the message if this is clicked and the link is opened through the same account again

In case of an unknown user, the consumer will not be able to modify his/her preference via the Profile page since there is none. Consent can be sought only at the next fresh entry to the website domain.

As soon as a user who has provided consent to Profile Stitching logs in, retain the information about only that user id

In case the user does not provide consent for a session, do not capture data for only that session. E.g., if in the 1st session an unknown user has provided consent, in the 2nd another unknown user did not, and in the 3rd there was a consent, stitch the journey details of the 1st session with that of the 3rd session.

a) Mention in the consent statement that consent of prior sessions, if provided and if available, will be stitched to the current session.

Continue stitching across devices if the consent has been provided:

a) Whether the login happens on a new device or not; since for a registered user, stitching is account-based and not device-based

b) Mention this in the Consent Statement

Stitching guidelines for anonymous user

Stitching guidelines for registered user

In case the unknown user ends up registering with the website, ask for his/her consent again and continue that always when the consumer logs in (till he/she revokes the consent)

a) Also ask whether to stitch the information collected from the browsing by unknown consumers using the same device (i.e., whether to stitch the “known unknown” information)

Based on the consent provided/withdrawn by the user at the beginning, capture/do not capture the information about the journey of the consumer

Always show the message. Mention that the consent provided in the previous sessions (if provided and if applicable) will be stitched to the current session

Is the user already logged in?


Approach

In order to ensure the above guidelines are adhered to, the whitepaper lists an indicative approach that any organization needs to follow. It also indicates which department(s) need to own a particular segment of activity.

Activity: Define use cases pertaining to Profile Stitching
Description:
• Understand and prepare the use cases pertaining to Profile Stitching
• The list of use cases should be documented
Deliverable: Documentation on Use Case list
Team: Business

Activity: Identify the parameters used to stitch the profiles in all such use cases and if all the parameters are required, why are they required
Description:
• Identify the parameters used to stitch the profile
• Understand how they are collected
• Understand why they are collected – whether this information is at all needed, or if the information can be captured by another already existing parameter etc.
• Document the findings for ready availability
Deliverable: Documentation on parameter list with purpose of each
Team: Business, Technology, Legal

Activity: Finalize and document the list of parameters
Description:
• Review whether all the parameters are absolutely needed
• Remove all the unnecessary fields
• Document the final consolidated list for ready availability
Deliverable: Document on finalized list of parameters and their purposes
Team: Business, Legal

Activity: Prepare a Consent Statement with the mention of types of parameters captured in Profile Stitching and what is the intended purpose for each of these
Description:
• In consultation with the Legal team, finalize what should be the content of the Consent Statement where consumer consent will be sought
• In consultation with the Legal team, discuss whether consent is needed for all the parameters (since the purpose of processing is single – profile stitching)
• Document the final statement and format
Deliverable: Finalized consent statement
Team: Business, Technology, Legal

Activity: Finalize on whether to provide checkbox options against all the parameters or whether to seek consent for every field at one go using a single button or radio button of Yes/No
Deliverable: Finalized document on consent pop-up
Team: Business, Technology, Legal

Activity: Design the solution
Description:
• Based on the recommendations from previous step, prepare the BRDs
• Hand over the BRDs in form of user stories to the product teams for development of changes
Deliverable: BRDs
Team: Business, Technology

Activity: Implement the solution
Deliverable: Implemented (un-tested) Solution
Team: Technology

Activity: Perform validation
Deliverable: Implemented (tested) Solution
Team: Business, Testing

Activity: Go Live
Description:
• Implement the changes post validation (if any) and be ready for Go Live
Deliverable: Live version
Team: Business


Use Cases and Guidelines

This section lists some representative use cases pertaining to Profile Stitching from the industry and the proper guideline for marketing organizations to be GDPR compliant in each such scenario.

Use Case Scenario

An unknown user browses the company website from his computer at home. Sometime later, his daughter uses the same computer to browse the same website. She does not log in to do so, but browses anonymously just like her father. The information/browsing behavior about both of them are stitched and a master profile is created which has information about both these sessions.

• Seek consent of visitors to stitch the data, whenever any anonymous user enters the website, as mentioned in “Understanding the changes”

• If consent is not provided for a particular session, do not stitch the information about the session. Stitch all the sessions for which consent is provided

A user logs in from his profile and browses the company website from his computer at home. Sometime later, his daughter logs in from her profile and uses the same computer to browse the same website. The information/browsing behavior about both of them are stitched and a master profile is created which has information about both these sessions.

• Whenever a known visitor logs in for the first time, display the consent statement.

• Provide an option to opt for “do not show the message again”.

• If the user selects “do not see the message again”:

  • Once the consent is provided, continue stitching across devices as well until the consumer revokes the consent.

  • If consent is not provided, continue NOT storing information till the consumer changes the consent.

• If the user does not select the checkbox for not seeing the message again, ask him/her the message every time he/she logs in. Store/Do not store information about the session based on his/her consent

A user accesses the website on his work computer during lunch, using the credentials of any social media account. Visitor profile "A" is assigned and a “Visitor ID” is associated. The same user later logs into the website from his mobile device, using the same social media account. Visitor profile "B" is created and captures the secondary Visitor ID. Through a “look-up mechanism”, it is determined if the secondary Visitor ID from "B" exists in another visitor profile. When it is identified that profile "A" is the same Visitor ID, then visitor profiles "A" and "B" are stitched.

• Whenever a known user logs in for the first time, display the consent statement.

• Provide an option to “not show the message again”.

• If the user selects to “not see the message again”:

  • Once the consent is provided, continue stitching across devices as well until the consumer revokes the consent.

  • If consent is not provided, continue NOT storing information till the consumer changes the consent.

• If the user does not select the checkbox for not seeing the message again, ask him/her the message every time he/she logs in. Store/Do not store information about the session based on his/her consent

There are 2 visitor id attributes: one captures the 'email address' and the other captures the 'Twitter handle'. A consumer visits the company website on his "desktop" and signs up for a newsletter with ‘[email protected]'. Then, within the same session, he browses a product and tweets about it using his Twitter handle. He later goes to his tablet and submits an order using email ‘[email protected]'. No match as yet. Then he decides to tweet about his order using the same Twitter handle. Now a match will occur on the Twitter handle. The visitor profiles hence get stitched together. In future either 'email address' can be used to stitch to the visitor profile. When the master stitched profile is created, there will be secondary ids created for Twitter handle and email address. The secondary id for Twitter handle will be the same one. However, for email address, based on the policy, it can be decided that the first email address captured will be the value of the secondary id for the master stitched profile – in this case ‘[email protected]'.

• Seek the subject’s consent. If consent is not provided, do not stitch information about him, even about the Twitter handle


An unknown visitor browses the company website. The website continues collecting information about him as he continues browsing. In the same session, he registers with the website. All the information prior to registering get stitched to his profile as soon as he registers.

• Whenever an unknown visitor enters the company website for the first time, display the consent statement.

• If consent is not provided, do not collect information. As soon as he registers, seek consent again. If consent is provided, start collecting information only from that point.

• If consent is provided in the 1st step as well as after the user registers, stitch the 2 sets of information (prior to registration and post-registration)

An unknown visitor browses the company website. The website continues collecting information about him as he continues browsing. In the same session, he registers with the website. All the information prior to registering from the previous sessions get stitched to his profile as soon as he registers.

• Whenever an unknown visitor enters the website for the first time, display the consent statement. Mention clearly that information of the sessions prior to the current one, for which consent was provided, will be stitched to his profile.

• Proceed according to the decision of the visitor

A registered user who has provided his/her Facebook/Twitter ID, posts in Facebook/Twitter tagging the company’s Facebook Link or Twitter handle, or posts in the company’s Facebook page/Twitter handle. The organization uses information about the post by stitching it to his profile.

• Whenever the user provides his/her social media ID, provide a consent form which mentions that his posts in the company’s page of the social media or any post with the company being tagged, will be stitched to his profile.

• Provide an option to the user to Skip giving consent for this, while he is providing his social media ID

A registered user who has not provided his/her Facebook/Twitter ID posts in Facebook/Twitter, tagging the organization’s Facebook page or Twitter handle, or posts in the company’s Facebook page/Twitter handle, mentioning his email id/phone number registered with the organization. It uses information about the post by stitching it to his profile.

• Trigger an email/SMS mentioning that his information about the post will be stitched. Seek for his consent

• Do not stitch the information if the consent is not provided.

A user who has subscribed just to email newsletters or an unknown user posts in Facebook/Twitter, tagging the organization’s Facebook page or Twitter handle, or posts in its Facebook page/Twitter handle. It uses information about the post by stitching it to his profile.

• If the subscribed or unknown users do not have any profile or are unaware of such profiles, consent cannot be sought via Facebook (Separate controller). Hence, DO NOT STITCH INFORMATION OF SUCH USER.
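The email address / Twitter handle use case above, worked through as an added example (not code from the white paper or from Infosys): a look-up index that stitches two visitor profiles only when an identifier matches and consent was given. The class names, profile ids "A"/"B"/"C" and the identifier values are constructed for illustration.

```python
"""Consent-gated deterministic profile stitching (added, constructed example)."""
from dataclasses import dataclass, field


@dataclass
class MasterProfile:
    members: list                                       # stitched visitor profile ids
    secondary_ids: dict = field(default_factory=dict)   # attribute -> chosen value
    seen: set = field(default_factory=set)              # every (attribute, value) captured


class StitchStore:
    """Hypothetical store: a look-up index from identifier to master profile."""

    def __init__(self):
        self.master_of = {}   # visitor profile id -> MasterProfile
        self.index = {}       # (attribute, value) -> MasterProfile

    def observe(self, profile_id, attribute, value, consent):
        """Capture one identifier on a visitor profile; return its master or None."""
        if not consent:
            # Without consent nothing is stored or indexed, so this visit can
            # never be matched later, "even about the Twitter handle".
            return None
        master = self.master_of.get(profile_id)
        if master is None:
            master = MasterProfile(members=[profile_id])
            self.master_of[profile_id] = master
        key = (attribute, value)
        match = self.index.get(key)
        if match is not None and match is not master:
            # The identifier already belongs to another profile: stitch, keeping
            # the profile found through the look-up as the master.
            master = self._merge(keep=match, absorb=master)
        master.seen.add(key)
        # Policy from the use case: the first value captured for an attribute
        # becomes the master profile's secondary id for that attribute.
        master.secondary_ids.setdefault(attribute, value)
        self.index[key] = master
        return master

    def _merge(self, keep, absorb):
        for pid in absorb.members:
            keep.members.append(pid)
            self.master_of[pid] = keep
        for key in absorb.seen:
            keep.seen.add(key)
            self.index[key] = keep      # later identifiers still resolve to the master
        for attribute, value in absorb.secondary_ids.items():
            keep.secondary_ids.setdefault(attribute, value)
        return keep


def run_use_case():
    """Replay the desktop/tablet scenario with constructed identifiers."""
    store = StitchStore()
    store.observe("A", "email", "first@example.test", True)       # desktop sign-up
    store.observe("A", "twitter", "@constructed_handle", True)    # desktop tweet
    store.observe("B", "email", "second@example.test", True)      # tablet order: no match
    master = store.observe("B", "twitter", "@constructed_handle", True)  # match
    refused = store.observe("C", "twitter", "@constructed_handle", False)
    return store, master, refused


if __name__ == "__main__":
    store, master, refused = run_use_case()
    print(master.members, master.secondary_ids, refused)
```

Because the consent check sits in front of both the store and the index, a refused visit leaves no identifier behind that a later look-up could match.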

Next Steps

While “Data Subject’s Consent” as a whole is given prime importance, the focus mainly seems to be on consent about processing which is explicit to the data subject. For implicit processing activities like Profile Stitching, marketing organizations need to evaluate and assess their stand without further delay and get up to the speed of providing a rich consumer experience to their customers while restoring ownership strictly to them.


© 2018 Infosys Limited, Bengaluru, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the prior permission of Infosys Limited and/ or any named intellectual property rights holders under this document.

For more information, contact [email protected]

Infosys.com | NYSE: INFY

About the Authors

Rohan Kanungo, Lead Consultant at Infosys

Rohan Kanungo is a Data Analytics & Data Privacy & Protection Consultant with 13+ years experience in IT Consultancy & Advisory services, BI Blue Printing & Org Design, BI Assessment, Strategic Transformation initiatives & Program Management. He has extensive experience in working with leading organizations in the areas of Information Management, Data Governance, Data Architecture, Data Strategy. What’s been keeping him busy recently is enabling organizations to be General Data Protection Regulation (GDPR) ready by providing GDPR strategy & advisory services, crafting frameworks, solutions, service offerings, catalysts and accelerators, and authoring white papers and POV’s.

He can be reached at [email protected]

Anup Bose, GDPR Capability Lead - Principal Consultant at Infosys

Anup Bose heads the GDPR Practice of Data & Analytics unit in Infosys and has more than 14 years of experience in management and operational processes, statutory and management reporting, business intelligence and Enterprise Performance Management. Anup spearheads Infosys’ GDPR service offering and has been instrumental in conceptualizing and crafting Infosys’ GDPR solution framework and methodology. Anup has significant experience in information governance, data management, business analytics and domain consulting. He has worked across various industries (High Tech, CPG, Retail, Pharma and Insurance), focusing on Data Governance, Analytics, Digital Marketing, Consumer Insights, Data Management and Product Management.

He can be reached at [email protected]

For more information visit: Infosys.com/gdpr or contact [email protected]