When Privacy Means Business
Amazon.com earned its reputation as a CRM Wunderkind in large measure because of its one-to-one marketing savvy, which leveraged personal purchasing information to better serve individual customers. But even Wunderkinder can stumble.
Late in the summer of 1999, Amazon launched an innovative marketing gambit: book-purchasing circles. Based on reader preference information it had collected, Amazon compiled lists of the books most frequently chosen by members of selected groups.
But Amazon miscalculated when it published this information on its Web site. Many of the same individuals who were pleased that Amazon remembered their preferences when they came to its Web site to shop did not like their choices shared with third parties. Some groups reacted to what they saw as a breach of trust and, under pressure, Amazon offered its customers the option to be taken off the list.
One significant chunk of the protesting customers, according to The New York Times, came from IBM, after Chairman Louis V. Gerstner Jr. received 5,000 e-mail replies within hours of soliciting employee reaction. Reportedly, more than 90 percent objected to having their group book buying habits disclosed online, and IBM was removed from the book-purchase circles. The New York Times quoted Gerstner's written response to Jeff Bezos, Amazon CEO: "I'm certainly not going to tell you how to run your business, but I do urge you to view this as an enormously important issue."
Along with its benefits to business, the rise of CRM brings with it growing concerns about customer privacy. "Enterprises must add data privacy policies to their customer relationship management initiatives to avoid the legal impact and loss of customer loyalty," META Group writes in its application delivery strategies report, "Data Privacy: Customer Strikes Back."
There is also a global threat. If your company is poised to expand business in Europe, unresolved international privacy issues could ground your business plan before the ink dries. Arabella Hallawell, senior analyst at Gartner Group, estimates there are big business profits at stake: "In terms of third-party information businesses like Acxiom, at least $1 billion." Many U.S. businesses already have felt the bite: "There have been numerous instances of U.S. companies running into difficulties over previous country-specific data protection laws. Gartner Group clients have told us that certain projects have been postponed because of concern over the European Union Directive, usually applications that require European Union personal information of customers to be processed in the U.S.," she says.
Potentially large legal expenses, coupled with the cost of customer erosion and lost or disrupted business opportunities, would seem to comprise an impressive incentive for businesses to actively address privacy issues. But many seem to have stuck their heads in the sand.
"Ninety-two percent of companies feel like they adequately protect users' privacy by disclosing practices and not selling data. However, 90 percent of sites fail to comply with the five basic privacy protection principles," a Forrester Research report, "Privacy Wake-Up Call," pointed out. "Most privacy policies are a joke."
The Rich Data Harvest
Businesses are increasingly collecting massive stores of personal information on individuals. Companies buy, solicit and collect information about their customers. Today, customers know that. Their expectation that a company will record and remember pertinent personal preference information in order to provide better service is a potent driver of information gathering.
Distinguishing the virtual business place online is a new challenge that is being met with personalized information. "In the brick and mortar world, the physical presence indicates that marketplaces were designed for different customers. Online, you have to do it with information," says Geoffrey Bock, senior consultant at Patricia Seybold Group. Whereas brick and mortar marketplaces were designed for a single segment of customers, online shops seek to be all things to all customers. "Coming to the Web, we're trying to do something different. Most Web sites are trying to personalize the offering, trying to display interactively on the page a set of information that is based on a customer's demographics, psychographics, previous buying information; there's an obvious interest in personalizing displays of information."
Businesses also collect personal data on employees, necessary for showing compliance with hiring practices, as well as for beneficiary and health insurance applications. "U.S. employers are obligated by law to collect a variety of sensitive information about their employees to protect themselves from complaints involving, for instance, discrimination on the basis of race, sex or disability," writes Sara Fitzgerald in "E-commerce Privacy War," in Corporate Legal Times. Human resource documentation of employees can become extensive over time.
Forrester also cites mounting pressure to "share data with partners," as companies develop multichannel approaches to selling and hence partner with other businesses to offer their own customers more complete product packages and services. The enormous channel potential of e-business and the rapid response system of the Internet speed the facility and impulse of information gathering on the Web.
Technology has made it easy to collect and analyze enormous stockpiles of information.
Forrester Research reports that as "business intelligence tools move from secret service to the storefront, tools like Autonomy used in government intelligence communities are widely available to businesses to detect behavioral patterns among customers." Forrester points out another technological implementer of information gathering: "Interactive tools become digital wiretappers. Clever [online] tools such as Reel.com's Mood Matcher, which helps customers find movies based on their moods, and PlanetRx's personalized prescription filler, which asks users for allergy information, allow a company to collect highly intrusive psychographic data that individuals would rarely provide on a registration form." Cookies, programs that collect the data on destinations of a browser's cyber path, can be launched from a Web site to collect ongoing information about that user's Internet activity.
The problem for businesses is how to best manage the use of this massive store of information.
The Hitch in the Data Gitalong
As necessary and useful as all this personalized information is, businesses are facing increasing pressure dictating just how they use this information. The pressure comes from many camps.
Privacy advocacy groups have begun to bring lawsuits and court media attention on personal data issues.
The Electronic Privacy Information Center (EPIC) has very actively pursued privacy rights, dogging David Aaron, U.S. undersecretary to the Department of Commerce, for public disclosure of his traveling records, as well as filing two "friend of the court" briefs in privacy litigation. EPIC has also sued for information from the FBI, the Department of Commerce, the National Security Council, the U.S. Secret Service and the National Security Agency.
In July 1999, Marc Rotenberg, director of EPIC, appearing before a Senate committee, criticized a report from the Federal Trade Commission that recommended against privacy legislation for the Internet. He said the document is "one of the oddest reports on privacy," and that it "doesn't actually discuss any of the specific threats to privacy and it doesn't evaluate any of the recommendations put forward." In addition, he urged the support of development of privacy-enhancing technologies.
Legislation is pending in Congress, with more than 50 bills on privacy policies introduced.
Lawsuits are challenging the practice of selling personal information to third parties, both in the private sector and in government. These lawsuits are also garnering publicity, such as the suit filed by Minnesota's state attorney general against U.S. Bancorp, alleging violation of the Federal Credit Reporting Act, as well as state consumer-fraud and deceptive-advertising laws.
Even lawsuits tangentially involving personal information can create a public stir. When Los Angeles CBS 2 News' Drew Griffin reported on Robert Rivera's suit against a Vons grocery store after he allegedly fell on some spilled yogurt and injured his knee, an urban legend spread like wildfire. Public attention was riveted on the rumor that Vons had threatened to leverage information the store had collected on Rivera's alcohol purchasing habits.
Bad publicity travels quickly in the Internet age, and privacy indiscretions by AOL, Amazon, GeoCities, Hotmail and Lexis-Nexis all spurred swift reprisals and speedy reversals of policy.
"Interesting lawsuits, particularly with punitive damages as well as negative publicity, are probably going to be a big driver of increased interest or increased pressure for businesses to give individuals more control over how people use information. It's going to be those types of things, the bad publicity, the trust issue, particularly as e-business really takes off," says Hallawell.
Bock agrees. "Cyber marketers need to approach their discipline with the same amount of vigor as accountants; if they don't, they're going to be in a situation where lawyers are going to do it, and that's not going to be any good."
Privacy concerns drive business processes globally as well as domestically. Doing business in Europe comes with its own difficulties, but privacy issues have raised the ante. In October 1998, the European Union passed into law its Data Protection Directive, which could block the transfer of data, including payroll and personal information, out of the EU economic area by companies that fail to provide adequate data protection. The EU sees "adequate protection" as following legal privacy regulations and answering to a regulatory body. The Data Protection Act also embraces an "opt-in" standard, which requires companies to get individuals' permission when using their information for any purpose other than for which it was collected.
Currently, the United States is negotiating privacy policies with the European Union and has effected a temporary compromise, called Safe Harbor, while the discussions continue. The EU wants the United States to comply with its directive; the U.S. position sees self-regulation as the answer. This hot international debate over how data privacy should be managed may be based on cultural differences, according to Hallawell: "The United States has a different cultural notion of information privacy. In Europe people do see the government as one of the protectors of how their information is treated, whereas in the U.S. there is still a lot more wariness about government and control and information privacy."
For now, U.S. multinational companies are allowed to continue transferring information if they follow the Safe Harbor provision, which is in essence based on these principles:
- Notice. Organizations must inform individuals how collected information will be used.
- Choice. Individuals must be given a choice to provide information.
- Upstream transfer. Organizations must ensure that third parties receiving data also follow Safe Harbor principles.
- Security/Data Integrity. Organizations must reasonably ensure that data is reliable, accurate and complete and is reasonably protected against misuse.
- Access. Individuals must have access to information collected about them.
- Enforcement. Organizations must provide effective means for ensuring compliance with Safe Harbor principles.
Will the U.S. approach to this debate work? "We are seeing that with electronic business, information about others is the cornerstone of how e-business is going to be focused. There's going to be compromise on both sides," Hallawell predicts.
Even within Europe there are differing opinions about privacy terms. "Different countries have got different definitions and different scopes of how they view personalized information," explains Hallawell. "Germany and France have a much more expansive definition of personally identifiable information. In a country like France, for example, they would say the dynamic IP address, which isn't definitely linked to a particular person, is still seen as personally identifiable information. What defines identifiable information varies between France and the UK, and other EU countries. This is particularly important in the Web context. Is the collection of browsing habits of a URL address without knowing the actual user regarded as identifiable information? In France an expansive view is taken: if it can be deduced who the user is, then it is identifiable. The UK takes a more strict definition of what is personally identifiable information. The EU says it depends on how much effort is required and whether it's reasonable in the context. Again, the EU Directive is subject to interpretation according to different EU member states' rules."
Just Do It
In the summer of 1999, the FTC published its opinion that U.S. businesses should follow a policy of self-regulation on Internet privacy matters. The FTC suggested that businesses embrace the principles of notice, choice, access and security, and recommended the use of privacy seals. Privacy seals, like CPA WebTrust, TRUSTe and BBBOnLine, are the Internet industry's answer to self-regulation. In order to be awarded a seal, a company must show that it follows the principles prescribed by the seal provider, and its membership will be examined if customer complaints indicate the company has not maintained those principles. Several U.S. organizations offer privacy seal programs, including the Direct Marketing Association, the International Association for Human Resource Information Management, the American Institute of Certified Public Accountants and the Council of Better Business Bureaus.
In the fall of 1999, the FTC announced that it would support TRUSTe's privacy seal by expediting complaints brought by TRUSTe to the FTC. TRUSTe is sponsored by industry leaders AT&T, IBM, Oracle, Lands' End, WIRED, Netscape, PC World and Mac World, among others. Another privacy seal provider, BBBOnLine, has enjoyed a long-standing relationship with the FTC through its parent, the Council of Better Business Bureaus.
In another bid for industry self-regulation, nearly 90 global companies and associations joined in a coalition they call the Online Privacy Alliance. OPA members post privacy policies and use their influence to encourage privacy protections. Some of their activities include publishing acknowledgments of companies' linking advertising expenditures to privacy procedures and monitoring privacy policies on Web sites. Among some of the high-profile businesses lauded by OPA in 1999 were IBM, Disney's Buena Vista Internet Group, Microsoft, AT&T, America Online and Acxiom.
Hallawell sees U.S. businesses betting on market force. "If one looks at the broader regulatory stance that we see the U.S. taking, they are taking somewhat more of a laissez-faire, market-based approach."
While it remains to be seen if these industry initiatives will appease the EU, clearly U.S. businesses expect them to sweeten the pot, and in combination with the momentum of the market, allow them to forge ahead with global e-commerce.
Minding the Store of Information
With all the pressure to respect personal data in business, the fact is that doing so can become a company's valuable asset. Consumer confidence and loyalty are the source of your profit base, especially in e-commerce. There is broad consensus that, offline or online, careful building of customer relationships and respecting personal privacy will pay off handsomely in future profits.
Bock recommends progressive disclosure, with reciprocal agreement: "As I get to know the site, I get to tell the site more about me. As you learn more about your customers, you start to be able to serve them better. It's a lot like life. It's an important notion of customer relationship and intimacy: trust takes time to develop and has to be reciprocal."
In an October 1999 report, Forrester Technographics recommends building better online customer relationships with its four-step privacy model: beginning with anonymity, establishing a one-way communication relationship, then moving to a two-way communication with retailers, and finally, dispensing actively sought advice and solicitations.
Will Amazon exploit personal data without permission in the future? Not if it wants to keep its competitive edge.
"With 11 million households shopping online for the first time in 2000, it will become critical for merchants to build customer trust and loyalty in order to remain competitive in a proliferating marketplace," says Christopher M. Kelley, Technographics associate analyst, in the 1999 report.
"Companies need to realize that they are holding their customers' information in trust; that really means they have to start respecting their privacy," says Bock. "We should structure privacy in cyberspace in the same way we structured privacy in accounting practices. We have rules which are basically implicit, but they are going to need to get a lot more explicit."
"The business ethics publicly demonstrated by audited privacy policies will become a competitive edge and will drive CRM to the next level," the META Group predicts. "By 2001/02, enterprises exercising data privacy practices will enjoy a competitive edge by marketing their business ethics."