Companies providing online services have a rather simple equation.
Their customers use applications to access services that process sensitive data. At Cloudentity, we define that as the customer journey, which is composed of a myriad of customer experiences.
That journey takes a variety of steps from their first interaction of anonymously visiting the site, to subscribing, to consuming new applications and services that the company offers as the relationship prospers. Often that journey looks something like this:
A Typical Customer Journey
Any misstep during any of those customer experience (CX) steps and the journey may be lost forever, so the onus is on the business to make that journey as smooth and effortless as possible.
Issues that may cause that breach in experience include:
- Latency
- Excessive data requests
- Privacy concerns
All of these create hurdles for the customer and increasingly contribute to what’s commonly known as “bounce rates”, where the user leaves before completing an action or registering.
Let’s peel back the onion a bit.
Latency impacts the customer’s time to value. If they’re looking for a service that takes too long to load, requires too many steps or simply has a bad application architecture, the customer experience drops and bounce rates increase astronomically. According to Amazon, for every 100ms in latency customer retention decreases by 1%, but at one second it falls off a veritable cliff, spiking to 32-135%.
Businesses can address both application and network latency with distributed services and cloud-first strategies. It’s why cloud migration efforts continue to be at the top of every IT manager’s list. These applications and infrastructures seek to bring the service as close to the customer as possible, reducing the overall latency.
When applications rely on other centralized services like identity for authorization or a WAF for traffic inspection, the calls are forced to leave the local service and create additional network and processing latency. The impact of bringing the security infrastructure to the accessed service is dramatic, saving over 100ms on a relatively simple OAuth token creation flow.
How impactful to your business would it be if you were able to reduce bounce rates by 1 – 3%?
Excessive Data Requests
The second layer of the onion is comprised of excessive data requests. Think of this as “when and where” to collect data. Simple identity platforms are rigid on when and how they collect data, using blanket GDPR notifications and EULA acceptance during the customer journey and attempting to grab all of it up front during a one-time registration process.
While it’s possible to update the data collection experience, it usually requires an army of developers to recode that journey creating vendor lock-in, hacking up code in a monolithic IAM platform or sometimes—for those companies that value their customers—externalizing it from the identity platform entirely.
The experience is something like being on a blind date and asking the other person to marry you, within the first 10 minutes. You haven’t yet established any rapport, any history, or any reason to assume that they’re ready to make such a commitment.
This creates a painfully static registration event (not to mention barriers to adoption) and creates massive governance requirements that are both expensive and time-consuming to fix.
There are better options and better customer experiences: no-code registration flows that any business analyst can easily define and modify, and that are enforced as registration policies and pushed in real time to the services.
These adaptable customer experiences are dynamically generated and fluid, reducing the burden and friction on the customer as much as possible, reducing latency on the overall experience, all while protecting customer trust and loyalty.
In this example, friction is removed for low value services (like, say, checking shipping status) by allowing the user to authenticate with a social login, whereas high value services (like transferring money to an outside account) can be protected by asking for additional validation and verification, such as Multi-factor Authentication (MFA). Encouraging the user to comply with MFA before making a questionable transfer could be the difference between protecting against fraud and allowing it.
Security is paramount to both the customer and the business. Privacy as a “differentiator” is already being recognized as a way that companies are positioning themselves in the digital age by analysts and thought leaders.
Gartner considers privacy-first products a “premium” feature, placing them alongside other conviction-based motivators like “organic” and “cruelty free”.
For companies offering online services, it naturally becomes the quintessential motivator in order to compete in the digital age. You may find yourself wondering, “how can the customer journey and its related experiences meet the emerging customer and compliance requirements for privacy?”
To start, it’s critical to rethink data collection and privacy. Once termed by The Economist as “the new oil”, data is increasingly treated as a commodity: bought, sold, refined and repackaged to third parties, not to mention inadequately protected by companies as they extract and move it between different internal applications.
The Economist, May 2017
And just like crude oil, a leak (or breach) can have disastrous consequences resulting in both reputational harm and punitive damages.
So how can you be more responsible with the PII data that you collect and use?
The answer is surprisingly easy: think efficiently. Collect only the information that you absolutely require and collect it only when it’s absolutely necessary.
To accomplish this, it’s important to remodel the customer journey into two parts:
- Adaptive Registration: Collecting only what’s necessary, when it’s necessary.
- Progressive consent: Providing consent and control mechanisms throughout the customer journey.
In traditional on-boarding and registration workflows, up-front and excessive data collection is the norm, creating massive corporate liability under CCPA & GDPR. It’s akin to oil reserves being set on fire either accidentally or intentionally.
Progressive consent is about providing more transparency and control to the user at the time that data collection is necessary. Studies have repeatedly shown that users are willing to share personal data if they feel they’re receiving something of value. Progressive consent is about allowing the user to understand, throughout their journey, what value they’ll receive and why their data is needed to complete the value exchange.
There are two main approaches to accomplishing this.
The first is identifying what data attributes are provided throughout your onboarding experience through a consent dashboard that also outlines granular permission grants defining how the data can be used, where it’s shared, the number of usages, etc.
The next step includes privacy checkups that allow users to define how they want their data to be shared at a fine-grained level with the service.
This can vary from the traditional EULA acceptance to MFA setup, account details or even down to the transactions themselves.
Back to the oil analogy, this minimizes leakages and spillage of the oil while still allowing extraction and refinement. This limits data exposed by potential breaches and forms the basis of new levels of customer loyalty and trust.
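The social-login versus MFA example and the adaptive registration and progressive consent model described above can be expressed as a single per-service policy check. This is an added example, not Cloudentity's code; the service names, attribute names, purposes and the ordering of authentication levels are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy table: services, attributes and purposes are illustrative.
AUTH_RANK = {"anonymous": 0, "social": 1, "mfa": 2}
POLICIES = {
    "shipping_status": {"min_auth": "social", "purpose": "order_lookup",
                        "attributes": ["email"]},
    "external_transfer": {"min_auth": "mfa", "purpose": "payment",
                          "attributes": ["email", "legal_name", "bank_account"]},
}

@dataclass
class Profile:
    auth_level: str = "anonymous"
    attributes: dict = field(default_factory=dict)  # attribute -> value
    consents: dict = field(default_factory=dict)    # attribute -> set of purposes

def required_steps(profile, service):
    """List what is still needed before `service` may run; [] means allow."""
    policy = POLICIES.get(service)
    if policy is None:  # fail closed on services with no policy
        return [("deny", service, "no_policy")]
    steps = []
    if AUTH_RANK[profile.auth_level] < AUTH_RANK[policy["min_auth"]]:
        steps.append(("step_up", policy["min_auth"], policy["purpose"]))
    for attr in policy["attributes"]:
        if attr not in profile.attributes:
            steps.append(("collect", attr, policy["purpose"]))
        elif policy["purpose"] not in profile.consents.get(attr, set()):
            # Consent is purpose-bound: data held for one purpose is not reused for another.
            steps.append(("consent", attr, policy["purpose"]))
    return steps

def grant(profile, attr, purpose, value=None):
    """Record consent for one purpose, storing the value if newly collected."""
    if value is not None:
        profile.attributes[attr] = value
    profile.consents.setdefault(attr, set()).add(purpose)

def revoke(profile, attr, purpose):
    """Withdraw consent; delete the value once no purpose still needs it."""
    profile.consents.get(attr, set()).discard(purpose)
    if not profile.consents.get(attr):
        profile.attributes.pop(attr, None)
        profile.consents.pop(attr, None)

if __name__ == "__main__":
    user = Profile(auth_level="social")
    print(required_steps(user, "shipping_status"))
    grant(user, "email", "order_lookup", "user@example.test")
    print(required_steps(user, "external_transfer"))
```

Because nothing is requested until a service's policy asks for it, a profile never holds attributes for services the user has not used, and revoking the last purpose removes the stored value.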