The Uses and Abuses of Customer Profiling

For business in the Internet age, knowledge about one's customers represents the intersection of the irresistible force and the immovable object.

The irresistible force is the phenomenal power of processed information. When employed appropriately, the application of customer knowledge to product marketing brings important advantages to both the buyer and seller in any potential transaction. The buyer finds a better-suited product offer and more efficient buying process. The seller finds a more receptive, less cluttered market.

On the other hand, the immovable object is the consumer's right to privacy that is inherent in American culture. Too often, businesses fail to manage customer knowledge with appropriate safeguards, resulting in a backlash against legitimate efforts to serve customer interests.

Benefit or intrusion?

As a consumer, Babette Heimbuch worries about the privacy of her personal information as much as anybody else. But as president of First Federal Bank in Santa Monica, she has to face the wrath of anybody who even thinks the bank sold his or her information.

"In an industry that relies on repeat customers, or where customers are looking for trust in dealing with a business, then there is a big disincentive to make them angry by selling off information," she says. "It is certainly a bigger negative than any side revenue that could be generated. In our business, customers want us to be confidential."

In many cases, however, acting on knowledge of the customer can serve the interests of the customer. The more the enterprise knows about individuals' preferences, the better it is able to tailor products to their needs and desires; the faster it can respond with the right answers to service problems; and the less it needs to overwhelm customers with marketing messages.

But as every consumer knows, it doesn't always work that way- -especially in the wide-open territory of the World Wide Web. On the Internet, companies collect personal information either overtly, through registration, surveys, forms and contests, or covertly, through cookies and tracking software that allows sites to track browsing habits in ways that infer interests and preferences. Using this data enables sellers to tailor products and services to individual preferences, but it also opens the door to privacy abuses.

For example, Amazon.com brought on a storm of criticism over its Purchase Circle program, in which bestseller lists are collated by the zip codes, workplaces, and colleges that buyers order from. At first blush, that may sound innocuous, but privacy activists argued that Purchase Circles are not so different from tracking the checkout-records for videotapes and library books, information that is best left for subpoenas. The uproar led the online bookseller to modify the program to allow for customers to opt out of the system.

Web community purveyor Geocities offered free Web sites to cyberspace homesteaders and promised that optional personal information such as occupation and income wouldn't be disclosed without consent. When the information was sold to third parties--and when information collected from a children's area on the Web was not properly managed by voluntary community leaders--the Federal Trade Commission imposed sanctions.

While concerns over customer data have been heightened by the explosion of e-commerce, it is by no means an issue only with online information. Every time a consumer fills out a warranty card, makes a grocery purchase using a discount card, buys from a mail-order catalogue, registers a car at the DMV or answers a phone survey, he or she is adding to the store of personal information that is available about them. By aggregating this information from disparate sources, marketing firms are able to maintain searchable lists detailing an amazing amount of consumer behavioral data. Not all companies draw the line in the same place when it comes to which sources of information are ethical- -or even legal.

Finding a balance

So far, no one has gone out of business- -or to jail- -for being reckless with customer data. But it would certainly be shortsighted to assume that consumers and/or the government aren't going to hold corporations accountable at some point. So how can companies walk the fine line between providing welcome customer value and permitting unwelcome intrusion on customer privacy?

For starters, companies should recognize that using customer knowledge internally to learn how to better respond to the market is generally considered more acceptable than permitting or selling access to external parties.

One way out of the impasse is to tease apart anonymity from privacy. In England, any Harrod's salesperson is accustomed to being approached by a private shopper conveying the secret details and desires of a celebrity or royal- -everything but the customer's actual name. Since Harrod's doesn't know it's ringing up underwear for, say, the queen, the very private person is willing to give up tons of personal information, because anonymity is guaranteed.

"The dialogue was between customer and intermediary, which [in computer terms] could be a proxy, an intelligent agent or a pseudo identity," explains Doug Peckover, CEO of ecommerce/privacy startup @YourCommand in Dallas.. "You could choose to not have your information stored, whether it's data about you or your transactions."

This model, for what Al Van Ranst, partner-in-charge of KPMG International's secure electronic commerce practice, calls "trusted information utilities," where individuals have control of their business-to-consumer information, has lead to startups such as @YourCommand, Lumeria and Brodia.

Technology can also contribute to privacy protection through the use of appropriate encryption, as in the business-to-business example cited by Mitch Wyle, chief scientist at Datamain. When a group of employees spun out of one company to start a competitor, a rigorous policy protected against the risk of intellectual property theft yet guaranteed individual privacy. All email between employees of the two companies was parked in a repository hedged by audit trails. The repository was encrypted, only to be unlocked if there was a suggestion of impropriety.

Privacy concerns are generally a consumer-market issue, since business-to-business transactions tend to be covered by contractual guidelines for data handling and exchange, with all the commercial protocols and legal remedies that implies. But shouldn't the same standards apply? Thoughtful application of technology may be a way that best-case business-to-business privacy practices might be adapted for business-to-consumer transactions.

Policies and practices

Beyond technical solutions, companies should determine their legal and ethical responsibilities- -and their limitations- -and devise both privacy policies and practices appropriate for their business (see "Privacy Policy Pitfalls" sidebar). They should think through what kind of company they want to be, then implement procedures to back up the policy.

"It's practices, not policies, that count," says Dave Boer, vice president of strategic development at Brodia.

"Companies should provide training on privacy and responsible information handling, because bad practices are usually not an employee's fault. They happen because employees are not given training," says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse in San Diego. "Good privacy practices are good business."

Meanwhile, companies should seek third-party certification of their privacy policies and demand such certification from their data vendors and partners. Although both privacy policies and seal programs have been criticized as inadequate, they are important first steps for any company engaging in electronic business.

Next, companies should recognize that just because technology makes it possible to build customer profiles, that doesn't mean that it is always a good idea to do it. When the Vons supermarket chain allegedly threatened to defend itself in a personal injury case by revealing a Los Angeles man's alcohol-buying records, the supermarket chain faced a firestorm of bad publicity. (The company denied making such a threat). On the other hand, Raley's, a company that owns four grocery-store chains, scored a public relations coup when it terminated the affinity-card program at its Northern California Nob Hill chain.

Ending the affinity-card program in its home market helped differentiate Raley's from its huge national competitor, Von's parent Safeway. "We want to treat all customers equally," explains Carolyn White, Raley's communications manager. "And we don't want to set up two-tier system."

Ultimately, making effective use of customer knowledge comes down to maintaining a corporate culture that respects consumer's rights and expectations.

Kathy Burke, manager of the customer privacy program for Hewlett-Packard, explains that the corporate culture that came from HP founders Bill Hewlett and Dave Packard is built around respect for customers. Because of its underlying values, ingrained in data management practices throughout the decentralized company, HP hasn't needed to put a formalized privacy policy in place.

"As long as anyone can remember, it's been this way. Customer information is HP-confidential, and treated as such. We don't ask for more data than can be kept from going astray. We don't rent, sell, or lease data. But we do share it internally, and with agents and contractors who conform to our policies," Burke says.

Rules and regulations
Business has an unlikely ally in its quest to be taken seriously about consumer privacy: the Federal Trade Commission, which has so far taken a laissez-faire stance. "Self-regulation is the least intrusive and most efficient means to ensure fair information practices, given the rapidly evolving nature of the Internet and computer technology," the FTC has held.

In the GeoCities case mentioned earlier, the FTC did exert jurisdiction. But without fines, privacy advocates would argue that that the dressing down wasn't much more than a slap on the wrist. And the adverse publicity that resulted from the incident did not prevent the company from having a rip-roaringly successful IPO one day after the FTC settlement was announced.

Such ambiguous outcomes may be inevitable since technology is enmeshed in a larger political, economic and cultural matrix. And regulation is a particularly hot and constantly changing issue.

"Without regulation, [privacy protection] won't move ahead. Just because you post a policy, it doesn't mean anything," warns Donna Hoffman, professor of marketing at Vanderbilt University and cofounder of Project 2000 center for electronic commerce. However she doesn't expect legislation until there is a "major violation in cyberspace" with disastrous consequences.

While there may not be U.S. legislation to comply with yet (except over specific types of information- -medical records, for instance), overseas rules such as those imposed by the European Union are important in an age of global business and electronic commerce.

European Union (EU) Directive 95/46/EC gives European consumers far more control over the use and privacy of their data than U.S. citizens have. Not only does the directive create strong EU-wide protections on the provenance of personal data, individual access to personal data, rectification of errors regarding personal data and opt-out rights, it also demands that these protections be extended to data transferred outside EU countries. As might be imagined, U.S. businesses are not happy with the EU directive, and an attempt to adjudicate the differences, called Safe Harbor, is in progress.

Two other privacy benchmarks that bear mentioning are P3P (Platform for Privacy Preference Project) and the Code of Fair Information Practices (CFIP). P3P, an activity of the World Wide Web Consortium (W3C), is a technology standard proposed for communication between a Web site's privacy practices and the privacy preferences of a user. "It's great to read the working drafts," Brodia's Dave Boer says. "But P3P is too complex. It will never get implemented."

Proposed by the U.S. Department of Health, Education, and Welfare in 1973, CFIP has also never been adopted, but remains a measure for how privacy practices might be enacted--and is quite similar in intent to the EU privacy directive.

Because law and policy is inevitably subject to political process, regulatory efforts are bound to always trail fast-changing economics and technology. "Technology evolves, corporate strategy evolves, understanding what customers want evolves," says Jeff Richards, executive director of The Internet Alliance, a Washington, D.C., trade organization.

But he believes that the current differences of opinion- -and diversity of practices- -are a necessary step towards answering the difficult questions. As government and industry struggle to define norms for the appropriate uses of customer knowledge, only the give and take of actual experience can help society as a whole reach a consensus.