What you need to know:

• CDP uptake is surging. Mi3 has already identified more than 70 CDP sites in Australia, with the majority either implemented or sold in the last year.
• That has lured a wide set of providers into the local market, while other key CDP providers are expanding in APAC and eyeing ANZ. But they are split almost evenly (see table) between those CDPs housed in Australia and those who are not - some big name providers fall in the latter camp. 
• A clutch of "composable CDP providers" are offering to help brands to  "build your own".
• It matters because where the CDP resides has some important direct impacts.
• In finance, for instance, companies need to follow APRA guidance about data residency.
• But across all sectors there are potential performance issues where CDPs are hosted overseas that can affect personalisation, Google search rankings and even shopping cart abandonment.
• With cybersecurity at the top of board risk agendas following high profile breaches over the past two years, focus on the issue of data residency is set to rise.

The Australian CDP market is running hot but some big name providers already operating locally, and a clutch of international CDP vendors eyeing the opportunity, might be about to hit some pot holes and speed bumps. For finance, data residency becomes a live issue while CDP operatives acknowledge performance issues are real when a CDP is hosted offshore. 

Data residency is a particular issue in the finance sector, where APRA has a set of guidelines that companies need to comply with. Data sovereignty, meanwhile, is an issue for everyone as Europe's GDPR regime established five years ago. Data residency refers to where the data is physically stored; data sovereignty is about the local market laws it is subject two, according to Sean Kopelke,  CTO ANZ VMware VMware A/NZ, a global technology infrastructure business and a pioneer in cloud computing.

Regulators have data security clearly in their sights after a series of high-profile breaches, while brands are looking to de-risk data supply chains. A key watchout for CX and digital leaders is their need to manage customer experience risks caused by latency when the data is housed on the other side of the world. It's an issue which often flies under the radar.

Piling on

Mi3 has identified more that 70 CDP projects and implementations in Australia, many of which began or were signed in the last year. Retailers - including Coles (Adobe), 7-Eleven (Tealium), Cotton On and Kathmandu (Lexer) have launched or are currently implementing those platforms.

Tealium, Adobe, Mparticle, Sitecore and homegrown CDP provider Lexer among others (see table below) have all made the investment in infrastructure necessary to meet data residency requirements.

Other CDP providers like Segment (owned by Twilio) and newcomer Amperity do not have the local technical infrastructure required for data residency although Amperity’s Area VP, Billy Loizou told Mi3 the company could do so quickly (it takes about eight weeks) were it required by a customer. Amperity has done as much in other markets such as Canada, he said.

Salesforce has a foot in both camps. On one hand, neither its marketing cloud nor Salesforce CDP are available locally via Hyperforce - it's the next-generation infrastructure architecture - and therefore would not meet data residency requirements although that hasn't hindered deals with Southern Cross Austereo, Mars Petcare and Casey's where data residency wasn’t a showstopper.

However, its Marketing Cloud Personalisation solution, which provides CDP capabilities (also known for a time as Salesforce Interaction Studio), is available on AWS Cloud Infrastructure in Australia and is currently used by companies such as North’s Collective, Target and Optus.

Oracle meanwhile has the infrastructure, but for now, apparently, no actual CDP clients locally despite a long history of selling marketing cloud solutions here.

Then there are a clutch of international CDP providers with no or only a nascent presence in Australia, including as Bloomreach, Treasure Data, Redpoint Global - some of whom are already active in APAC. Singapore-based Meiro has made an early foray into Australia where it has Chemist Warehouse as a client. The company does not have a sales presence in Australia, but instead operates through a local reseller

Meiro takes a different approach to hosting says head of product and co-founder  Pavel Bulowski. "We have slightly different set up.  We are one of the few vendors that can do private hosting - we essentially do single tenant instance and in AU we can be in any local cloud. We have running installations in AWS as well as Digital Ocean. - same for any other country where we have clients."

Beyond that line-up of vendors, a set of technology companies are offering 'composable CDPs' - effectively enabling brands to build their own and scale capability as they need. These include businesses like Snowflake, Infosum, Databricks and Hightouch. MI3 is yet to review the data centre arrangements of these providers but is aware of several current projects locally.

Building a data centre is a significant commitment. Building a local data centre can be done quickly but it will come with some potentially significant costs for CDP companies that want to follow the example of company's like Tealium says VP and general manager, APJ, Will Griffith.

"It's not just the cloud hosting costs - which are expensive in Australia relative to the rest of the world, but there's also new staff costs, admin and third party software costs." he said.

Still for Tealium, which has been wracking up a series of impressive wins, the investment looks to be paying off.

The rulebook

Retailers are less concerned about regulatory issues than finance companies. However regulatory concerns are likely to factor more heavily now that CDP vendors are pushing deeper into the financial services sector and trying not to run afoul of APRA’s guidance to their prospects.  And all of this in the context where cybersecurity and concerns over data breaches have raced back to the top of the corporate risk registry after high profile breaches at Optus and Medibank.

Boards are also alive to the brand risk which they believe is greater if the data is stolen when stored offshore, or that it’s at least more complicated to respond if data sits beyond the reach of Australian law. That puts data residency and data sovereignty into play irrespective of which industry a company operates in.

Indeed industry insiders - vendors and agencies - ascribed Tealium’s success with NAB, which Mi-3 reported on earlier this year, and Adobe’s deal with Hesta - partly to their ability to address residency. Lexer, which has the largest number of local customers that Mi3 could identify, appears to have more focus specifically on retail and entertainment.

For finance brands, APRA doesn’t technically require data residency but the guidance it provides to financial institutions makes it crystal clear where its intent lies - lawyers working in the regulatory space say that intent gets translated into data residency requirements when financial brands get around to writing their contracts with CDP providers.

As one lawyer with a long history dealing with regulatory issues told MI3 Australia, APRA doesn’t have a rule that says “Thou Shalt Not” but in practical terms they mean “Thou Shalt Not.” Meanwhile a banking executive from one of the Big Four, with a strong pedigree in marketing and technology, told Mi3 that with data residency, “part of the challenge is that there’s safety and security around how people’s data is managed.”

Both spoke on background so they could speak freely.

“Australian law can only really get applied when the data residency is in Australia," the banker told Mi3.  "The issue there is that if your SaaS provider runs or holds the data platform outside of Australia, the law of the country of residency gets applied. The rules, regulations and guidelines around how data is managed are much more difficult to apply when the data is held offshore, he said.

“That’s largely about compliance and data security laws… and then ensuring that people's privacy [is protected]. Now, when you start looking at other components of privacy, around things like the right to be forgotten, practically if all of your data is held offshore, that becomes a lot more difficult.”

There is also a more direct consideration for the executives says Chris Brinkworth, managing partner Civic Data, "Firstly, given the foreign ownership of the majority of world's adtech & martech ecosystem, it's important to note that all foreign entities conducting commercial activity in Australia are now subject to a new Act that was rushed into law in December. "

Following the recent set of high-profile breaches, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 now enforces several new severe penalties, he said. 

"With directors risking fines up to A$2.5 million personally and companies face "greater of A$50 million, thrice the value of benefits from the breach, or 30 per cent of adjusted turnover during the breach period" - you can make a safe bet that this has had a positive impact on Civic Data's pipeline of activity to unearth hidden areas of risk in the MadTech stack, especially given the breaches also resulted in the Act expanding enforcement powers of both the OAIC and the Australian Communications and Media Authority, including bolstered information sharing."

Performance concerns

Quite apart from regulatory concerns, companies also have concerns about application [software] performance and customer experience in a market where consumers have come to expect their online interactions with brands to operate at the speed of Google.

Information technology architecture providers say that latency - which occurs when the CDP is resident overseas AND needs to send data to Australia - can impact website performance, degrade customer experience and even hurt things like Google search rankings or lead to shopping cart abandonment.

VMware’s CTO Kopelke told Mi3 there are revenues attached to some of the CX problems caused by latency. Kopelke's company sits outside the martech world and has no particular agenda around CDPs.  But he knows first hand the impact of latency on performance.

“Take a retailer use case. Even though still relatively quick, just the user experience [declines]. Most retailers measure card abandonment. So if people click a few boxes, add to cart and go to order, and if the wheel spins for a few seconds, especially the younger generation they bail out and move on to the next thing.”

Concerns over customer experience performance issues are also likely to become more prevalent as larger companies start pushing greater volumes of data around and testing the capacity limits of their new platforms, especially in the context of emerging AI solutions such as large language models, he suggested.

The issue of performance degradation due to latency may get less focus than the regulatory speed bump, but CDP vendors agree it’s a live issue.

Take personalisation. Dealing with latency in a personalisation use case is imperative," says David Chinn, founder and CEO of homegrown customer data platform provider Lexer, which sold its first CDP in late 2014. “If you slow the load speed at the site, the rest is history.

“Another business impact of latency is Google search. Where you rank organically in the listings, site load speed is one of the criteria that determines your organic rankings.”

Slow page loads lead to lower organic listings, impacting discoverability, he said. “Your ability to drive organic traffic to your site, then has impacts to conversion rate on the website and ultimately revenue. When a consumer arrives on a website, the first thing that [the client] wants to use Lexer for is, ‘who is this person that I'm about to render the site for? Are they a man or a women? What categories of mine have they purchased or are they interested in? What do I know about them so that I can deliver a more relevant landing page on the website? We do encounter it. We have a profile read-API that we make available to onsite personalisation platforms to make a query to the CDP and return the value in a sub millisecond before the page load.”

Amperity’s Billy Loizou agrees latency can be an issue for some SaaS apps but he says it's less of an issue for his CDP customers. And prior to his time at Amperity, he has seen latency issues drive a SaaS vendor to invest in local data infrastructure.

He was working for a martech vendor with a national food outlet. "We had to have a direct integration into point of sale. So when you scan your loyalty program, that needs to be real time. It has to a look at your profile, understand what rewards you have, understand what offers to issue, how many points you have, and how many points are in the basket you're about to buy so that the point of sale can take off your product, but at the same time, say ‘for an extra $2, you could also get a free gingerbread man.’ That's an example. That has to happen in real time across let's just call it 1000+ stores , at any point in time with two point of sale systems.”

In the context of that use case, latency is most important. "So when we built the data centre in Australia for that company, it was purely to accommodate those latency challenges. It was less about data regulation.”

At Amperity, a relative newcomer to the Australian CDP market, Loizou says: “As a CDP we are less reliant on those real time initiatives because we manage and compress billions of data rows to give companies insight into their customers. It's less about you calling a CDP to figure out what offers I've got.” 

Slow burn

Industry insiders say that beyond the finance sector, the issue is a current slow burn for many brands but will start to bite.

Kitson Kelly, principal technologist at CTO Labs, a boutique consulting firm offering M&A technology advisor services says: "Cybersecurity and data security are top of mind in almost every company that we're looking at. The subtlety there is they're not necessarily viewing data sovereignty as a solution to the forefront,  except, again, financial services where it is absolutely front of mind."

CTO Labs reviews the contracts company's hold during the M&A process, giving it insight into how concerns over data residency and sovereignty translate into the rules governing business relationships. "In other organisations [beyond finance] they are more concerned about the basics of cybersecurity - is our customer data protected? Does the cloud provider that we're using have good data security practices. They are not yet necessarily thinking about sovereignty as a way to help ensure that."

Kris Fagan, mParticle VP APAC and Japan, whose Australian customers include Nova, and which has invested in a local data centre, concurs, "In the [financial services] space, yes. For others it's a nice to have. When we speak to organisations it typically comes up at the beginning.  But the reality is that the tools of the CDP is sending data downstream and they may not be in this region. And so even if you have solved for your CDP, you're still federating data, outside the region."

Yet despite this it was still worth the effort and the expense for mParticle to invest in local data centre facilities, from which it also services all of Asia.

The reasons: “Latency, customer demand and compliance were required,” Fagan said.

Clarification: The story originally said Salesforce Marketing Cloud Personalisation is available on Hyperforce. It is actually available on AWS Cloud Infrastructure in Australia. The original information was provided by the vendor, who subsequently alerted us and provided the new information. As before it still meets data residency requirements.