Balancing Personalization and Compliance 

Navigating the Privacy Landscape of Great Customer Experience in Highly Regulated Industries

Personalization is often discussed among commercial and especially retail organizations--to drive additional sales, or to get a customer to add another related product to the cart. It's table stakes in a marketer's world, and the ROI on investing in a personalized experience is proven and well-documented.

But what about their counterparts in highly regulated industries, like healthcare, manufacturing, government agencies, etc.? The density of their information and the need to efficiently deliver it to a diverse set of audiences is a tailor-made case for personalization. However, marketers in these industries often don't dare wade into these waters for fear of being smacked down by a conservative privacy team or required adherence to data privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA).

The reality is that users interacting with regulated information in one aspect are often the same users who enjoy the ease of personalization from Amazon, 1800-Contacts and other big brands. They have similar expectations of you too. So how can highly regulated industries deliver a better personalized experience without stepping out of bounds with privacy? Read on for my tips...

  • Give your privacy team and general counsel input early and often: Personalization is a team sport. It requires strategists, content creators, technical architects and yes, your privacy team (for some organizations, it may involve your general counsel too). Don't waste your efforts in designing and deploying a use case that you can't use. It also helps to avoid last minute delays and risks when you're ready to go live. In one of our recent projects, we discussed our ideas for intended metrics and use cases with the privacy team even before involving the majority of the project stakeholders. They explicitly said that geographic data could not be stored in Sitecore Personalize. We knew our boundaries from the start and were able to tailor our use cases accordingly. Allow your privacy team to be your partners in the process.  
  • Know what data you want, and are allowed, to track - no more, no less: We caution all of our customers that personalization is as much of a strategic exercise as it is a technical one--if not more so. Don't deploy personalization if you don't have at least an idea of a metric that you're looking to influence, as well as an organizational commitment to test, iterate and learn. Particularly when you're navigating evolving privacy regulations, it's important to specifically identify the metrics you care most about, and focus on those--without gathering additional data noise that you ultimately won't use.
  • Use a customer data platform (CDP) to facilitate GDPR and CCPA compliance: If your organization is like most enterprise companies, you have several systems in your MarTech stack--a digital experience platform (DXP), customer relationship management (CRM) tool, marketing automation platform, etc. Each of those systems gathers valuable information about your users that you can use to orchestrate a personalized experience, but that you are also now responsible for safeguarding. If your organization is subject to GDPR, CCPA or similar, there are some basic common principles that you are required to adhere to: the right for the user to know what data is being gathered about them, the right to correct any inaccurate information and the right to be forgotten (among others). If that data is scattered across multiple systems in your tech stack, it's very difficult to honor those rights completely. CDPs centralize user data into one system, so that if a user does request a change or to be purged, it's far more efficient to locate and act on every record.
  • Beware of HIPAA and personalization: As we all know, consumers have more choice than ever before when it comes to their health care. A seamless, personalized experience helps to build trust with a prospective patient, caregiver or referrer. However, it's easy to cross the line into personally identifiable information (PII) or protected health information (PHI) quickly. If a user is identifying a chief complaint or symptoms, you're venturing into PHI territory. HIPAA compliance for Sitecore's CDP and Personalize products is coming, but in the meantime, be sure to enlist an experienced partner who has taken HIPAA training before starting down a personalization journey as a healthcare provider / system.
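The two technical ideas in the tips above, an allow-list of privacy-approved attributes applied before anything is stored (track no more, no less) and a central profile store that knows which identifier each downstream system uses for a person so a "forget me" request can be carried out everywhere, can be sketched in a few lines. The following is an added example written for this post; it is not code from the post, from Sitecore, or from any CDP product. The system names, attribute names, sample events and the rule that geographic data may not be stored are all constructed for illustration.

```python
"""Added example: data minimization at ingestion plus a right-to-be-forgotten
purge driven by a central profile store. All names and data are constructed."""
from __future__ import annotations

# Attributes a (hypothetical) privacy review approved for storage. Anything
# else on an incoming event, e.g. geographic data or an IP address, is dropped
# before it reaches the profile store, so it can never need purging later.
APPROVED_ATTRIBUTES = frozenset({"user_id", "event", "page", "content_topic"})

# Constructed sample events; note the "geo" and "ip" fields that must not be kept.
SAMPLE_EVENTS = [
    {"user_id": "u-100", "event": "page_view", "page": "/locations",
     "content_topic": "locations", "geo": "Denver, CO"},
    {"user_id": "u-100", "event": "download", "page": "/guides/billing",
     "content_topic": "billing", "ip": "203.0.113.7"},
    {"user_id": "u-200", "event": "page_view", "page": "/careers",
     "content_topic": "careers"},
]


def minimize_event(event: dict) -> dict:
    """Keep only the approved attributes; everything else is discarded."""
    return {k: v for k, v in event.items() if k in APPROVED_ATTRIBUTES}


class ExternalSystem:
    """Stand-in for a CRM, marketing automation tool or DXP that holds its own
    copy of user records under its own identifier."""

    def __init__(self, records: dict[str, dict]):
        self.records = dict(records)

    def delete(self, external_id: str) -> None:
        # Idempotent: a purge request for an id already gone is not an error.
        self.records.pop(external_id, None)


class ProfileStore:
    """Stand-in for a CDP: one event history per user plus the identifiers the
    other systems in the stack use for that same person."""

    def __init__(self):
        self.profiles: dict[str, list[dict]] = {}
        self.linked_ids: dict[str, dict[str, str]] = {}  # user_id -> {system: id}

    def ingest(self, event: dict) -> None:
        clean = minimize_event(event)
        self.profiles.setdefault(clean["user_id"], []).append(clean)

    def link(self, user_id: str, system: str, external_id: str) -> None:
        self.linked_ids.setdefault(user_id, {})[system] = external_id

    def export(self, user_id: str) -> dict:
        """Right to know: everything held about the user, in one place."""
        return {"events": list(self.profiles.get(user_id, [])),
                "linked": dict(self.linked_ids.get(user_id, {}))}

    def erase(self, user_id: str, systems: dict[str, ExternalSystem]) -> list[str]:
        """Right to be forgotten: purge here and in every linked system.
        Returns the names of the systems that were purged."""
        purged = []
        for system, external_id in self.linked_ids.pop(user_id, {}).items():
            systems[system].delete(external_id)
            purged.append(system)
        self.profiles.pop(user_id, None)
        return purged


def run_demo() -> dict:
    """Ingest the sample events, link two downstream systems, then honor an
    erasure request for u-100 and report what is left."""
    store = ProfileStore()
    for event in SAMPLE_EVENTS:
        store.ingest(event)
    crm = ExternalSystem({"crm-7": {"name": "Person A"}, "crm-8": {"name": "Person B"}})
    marketing = ExternalSystem({"m-1": {"list": "newsletter"}})
    store.link("u-100", "crm", "crm-7")
    store.link("u-100", "marketing", "m-1")
    store.link("u-200", "crm", "crm-8")
    before = store.export("u-100")
    purged = store.erase("u-100", {"crm": crm, "marketing": marketing})
    return {"before": before, "purged": purged,
            "crm_left": sorted(crm.records), "marketing_left": sorted(marketing.records),
            "profiles_left": sorted(store.profiles)}


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the erasure routine never has to search each system for the person: the profile store already holds the mapping from one user to the identifiers every connected system uses, which is the efficiency the CDP tip is describing. The allow-list is the complementary control: attributes the privacy team ruled out are dropped at the door, so there is nothing to purge or disclose later.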

The bottom line is that a seamless personalized experience that delivers powerful results is entirely possible within highly regulated industries, just as much as in commercial / retail enterprises. With proper upfront planning, requirements gathering and involvement from your privacy team, the return on investment can be just as strong.

Visit Our Work to see recent work samples in healthcare, manufacturing, government and more. 


Meghan Fishburn

SVP, Client Strategy

