Mastercard CMO on data privacy and the metaverse: ‘The next 3-5 years will be chaotic’

From the marketer’s perspective, we have to be more responsible for the consumer’s privacy – which means that the consumer is able to go through all the fine print and understand what they are giving up and what they’re actually allowing marketers to do. We have to make it very apparent what we are doing. That’s going to be a very important ethical principle that we have to follow.

I’m with the ANA on its board and also I’m the president of the World Federation of Advertisers (WFA), a global entity based out of Brussels. Their members spend close to $1.3tn of advertising across the world [every year] – every large company is a part of it. And one of the things that [we’ve discussed at WFA] is if you were to put yourself [in the shoes of] a consumer, do you want your privacy to be protected or not? Let’s forget about marketing and forget about advertising – what does the consumer want? Do you want to know if your data is being collected? Do you want to know what [parts of] your data are being used? What aspects of your data are residing where? And are people pulling different things from [this information] and constructing who you are? And do you like it, or do you not like it? Should you have a right to be forgotten or be deleted from the databases?

We went into it a lot. And [we found that] consumers want to make sure that the data is gathered with permission. They want to make sure that the data is protected. For example, there was some hospital I visited a few years back, and suddenly I got a notification saying, ‘Sorry, your data is compromised. And we’ll give you one year of credit monitoring [software as an apology].’ That doesn’t make me happy as a consumer. The question that I asked is, ‘Why does the hospital require so much information about me? And do they have any business collecting my information if they don’t know how to protect it?’ As a consumer, I felt very aggravated.

Now, let’s put on the marketer’s hat. How do we look at the whole aspect of consumer privacy? And how do we protect it and enable the protection of that?

It all begins with collecting data. We don’t need every single aspect about [a consumer] to be able to target the right communication to them. [But at the same time] if you just go and openly spray advertisements and pray that people will respond or that they will connect, that’s very inefficient for the marketers and annoying and irrelevant to the consumers. For example, if somebody is sending information to me like, ‘Here are some fantastic feminine hygiene products for you, Raja,’ I’ll say, ‘You idiots, you don’t even know that these are not relevant for me.’ So there is a relevance aspect. Number two: if you’re serving the same ad 100 times to me because I’m spending three or four hours on the net every day, I get extremely infuriated. The question is: how do you make my experience as a consumer good? How do you tell me things that I care about or that are relevant to me? And for that, how much of my information do you need?

So, the first principle that marketers need is to know the minimum amount of data that you require to be able to target, create relevance and measure the effectiveness of your campaigns.

What are some of the biggest challenges to establishing consistent and comprehensive consumer data privacy?

Now, for any national company in the US, you must think about following regulations.

When marketers were still [trying to pinpoint consumers’ demands], regulators started coming in and GDPR came out of Europe. It’s a very tough regulation, and I fully support it. Is it perfect? No. Is it evolving? Yes. But is it an important first step? Yes.

Now California has its requirements; New York has different requirements; Illinois has a different ecosystem. If you have 50 frameworks, it builds so much inefficiency into the whole process. And it’s extremely difficult, if not impossible, to actually [enforce] each one of those, because today, whether it is communication or commerce, [business] happens across state borders.

As a marketing community, what we want to do is to make sure that there is a regulatory framework that is standardized across [national] geography.

What’s your perspective on the future of targeted advertising and measurement post-cookie? What role will cookieless ID solutions or other approaches play? Is first-party the only way to go?

I’m supportive of [cookie deprecation] because there are better methods that we should have to be able to understand consumers. Not every element of data is required for me to be doing my job in a good way as a marketer. There has to be rationalization of data. There has to be protection of consumer privacy. There has to be protection of data ... that we have collected already.

But people are all scrambling to figure out what’s the right solution – and we are nowhere near the solution. That’s one reason why Google has said, ‘Okay, let’s give ourselves a good 24 [more] months before we come up with that solution for the marketers.’ We have got [some time] still left to figure out solutions.

In terms of a situation where consumers are being tracked using cookies, as a consumer, I say, ‘Why do you have to track me? And why should I allow you to track me?’ You as a consumer should be able to tell the app, ‘I don’t want these kinds of ads to ever be served to me. I don’t want to be tracked on this [app or site].’ You should have more control over your life. So I’m fully in favor of what Apple is doing [in rolling out new anti-tracking privacy policies]. It has to be consumer privacy first. When Tim Cook says that privacy is a fundamental human right, I’m 100% in favor of it. And whether anyone likes it or not, that train has left the station.

There are experiments that are being done for digital IDs – you have got companies like The Trade Desk and in Asia there are consortiums that are coming together [to develop solutions]. I think it’s a good idea.

But I would also be cautious of ... the concentration of power, with fewer entities [setting the ground rules]. If there is a big social media platform and they are the ones who have all the data, it’s not going to be pretty. We should make sure that there is a distribution of power across the entire ecosystem. Then, [some] people are saying, ‘Let’s have a coalition of a few companies [who collaborate] in a clean room where we come together and map the consumer IDs and anonymize the consumer.’ Say I need somebody who ... has these characteristics and this behavior. I want to target only those people. So that clean room-collated data is able to construct the [anonymized] identity of the individual – but being able to serve communication to that individual is a tough area.

First-party data, if it is used for first-party purposes, is not bad. If you are visiting my website, and I know which parts of my website are interesting to you, and which parts you are not even looking at or you think are annoying, then I can improve your experience on my own site. So that’s very important to me. If I want to cross-sell something to you, I understand you as my consumer. Say you have got this particular card – maybe you should upgrade to this card. I need to know [data on what] is important if you have a special offer to serve you.

Any predictions to share? What emergent trends will shape the future of privacy-safe advertising?

[I’m closely tracking] a couple of things. My prognosis, when you look into the future, is that consumers are going to demand a part of the revenues [generated by their data] for themselves, because everyone else is monetizing their attention. Why would they not want to get a cut, right? I think this is inevitable. Already, some companies [like the private browser] Brave ... actually give you rewards for watching ads, and you can define the kind of ads you want to watch. It’s gotten a little bit of scale – it’s not humongous, but this is the beginning of a complete change.

With the significant emergence of cryptocurrencies and blockchains, the ability for the industry to make things much more encrypted, much more distributed and much more protected is humongous. Blockchains will bring in transparency. We are making baby steps as an industry across all these aspects.

When blockchain comes and when decentralized finance comes into the picture, you will see the whole game changing. [We’re moving] from centralized authorities deciding how the industry and the ecosystem should work or not work to [a new paradigm in which] consumers will actually have a significant voice. The new technologies – the cryptos and crypto wallets, the blockchains – these are going to further enhancements to privacy and to the rights of consumers.

Speaking of decentralization, how do you think the metaverse will shape up? Will it look more like Meta’s vision for the metaverse – where ecosystems are still contained within a walled garden? Or can we expect to see a more radically decentralized internet? What might privacy look like in either case?

It’s a little bit of a wild west right now, so it’s impossible to say that it’s going to go one way or the other. But both the ecosystems [you describe] will exist. There are certain product categories – for example, lending, borrowing, investing and transaction – that I think are going to dominate. [On the other hand,] if I want to have virtual experiences of the Grammy Awards, or if I want to have some gaming that is happening in a particular context, those [applications] would be controlled by the platforms – there is no question about it.

There are two different realms. The centralized realm has got some significant advantages to my mind in the short-term, because ... a controlled environment has been created. My feeling is in the world of centralized platforms, you can at least hold somebody accountable. So therefore, I think it will be a relatively safer space [for the time being]. But that centralized control also can have other consequences – they are the only ones who know everything about you, and how are they monetizing the information that they’re gathering about you? And what happens if there is a very smart hacker who goes through their database and then hacks it and everybody’s [data is] compromised? Those issues are certainly there.

Decentralized [spaces] empower the participants in a different way altogether. I think finance-related stuff is going to be decentralized more than [applications such as] gaming. But in terms of the social experiences or workplace meetings, [metaverse spaces operated by centralized powers are better]. I just sat through a virtual work metaverse meeting, and it was so immersive and beautiful. If you look at blockchains, you’ve got open blockchains and you’ve got closed blockchains. This is exactly the same: [you have] the open metaverse and the decentralized metaverse. Both have got their utility.

[It’s also worth noting that there are new risks in the metaverse]. Will there be elements of the dark web when things are out of control? Absolutely. We have already seen accusations of bullying [and assault] – one lady has filed a case that she has been virtually raped in the metaverse in the UK. It sounds like she’s being sensationalist – but no, she’s actually very aggravated. Just take a look at that article. It’s amazing how horrible [interactions in the metaverse] can quickly become. There is going to be a period of turbulence as people are discovering new possibilities. There are bad people discovering bad possibilities. So [risks are] going to be there. Regulation has to come in – whether that is self-regulation by the platforms or government-imposed regulation. It is inevitable. For the next three to five years, it’s going to be pretty chaotic.

For more, sign up for The Drum’s daily US newsletter here.