Special Section: Personalization vs. Privacy

Article Featured Image

Marketing Privacy

Whether you consider them valid or not, privacy issues are here to stay. Public concerns over how companies use highly personalized customer data have galvanized political interest here in the United states. Overseas, views on privacy affect companies competing in the global market. If you haven't fielded inquiries about your company's stand on maintaining customer privacy, rest assured, you will very soon.

Depending on your approach, privacy issues can work either for or against your business. If you choose to get ahead of the curve and proactively develop a strategy for dealing with them, you can actually market your privacy strategy as a value-add. But if you fall behind the curve, you may suffer a backlash from distrustful and disappointed customers.

Some concessions to privacy regulation have become either a legislative mandate or a recognized guiding principle. In the United states, three new federal laws offer privacy protection to minors, Children's Online Privacy Protection Act (COPPA); regulate information sharing between insurance companies and banks, Gramm-Leach-Bliely (GLB); and deal with healthcare information, Health Insurance Portability and Accountability Act (HIPPA).

The crafting of privacy policies is now a common corporate procedure. Many companies even have chief privacy officers to navigate privacy issues. Privacy policy statements--though rarely read--appear on many Web sites. Late this spring, credit card companies, in an expensive storm of paper, rushed to get privacy policy statements out to their customers by a June 1 deadline mandated by GLB.

On the global front, individual countries have differing privacy regulations, as well as differing definitions of privacy and personal information. The European Union (EU) has set out its privacy rules--which are much stricter than U.S. approaches--and is negotiating with the United states to get compliance. In a preliminary step to deal with the EU's privacy rules, the United states has crafted a temporary safe-harbor approach for companies that want to trade with, and have offices in, EU member countries.

Privacy on Notice

As more privacy bills come before Congress and the EU presses its case, the question of what to do about privacy issues mounts. Mary U. Musacchia is counsel to the President and director of government relations and public policy at SAS, an analytics and data mining systems vendor. Speaking at a recent eCRM conference hosted by Freedom Technology Media Group, Musacchia advised the business community to make an effort to standardize privacy regulation before a patchwork of state and federal laws make compliance a nightmare. Pre-emption, she says, is critical--the potential for harsh regulation to cripple business increases as political pressure builds.

Musacchia also thinks that to ensure that economic growth from technological innovation continues, privacy regulations should be technology-agnostic. Addressing such laws only to technology would stifle innovation in the technology sector and create problematic contradictions.

Throughout all the turmoil that privacy issues have engendered, one principle seems to have proved itself imperative to building trust: that of notice. It seems that most negative feelings customers have about privacy issues arise from a sense of betrayal. There is a greater acceptance for any kind of privacy policy, so long as it is openly stated.

As proponents of personalization technologies posit the benefits of information gathering and analysis, offering customers a choice of whether or not to share personal information may be the best way to support their brand and build customer confidence. Then it is up to the companies to deliver on the information they compile--they must use it appropriately and consistently, and keep it clean and updated. This service, and the benefits it bestows, can then be marketed as a value-add by savvy companies that turn the extensive and often negative press about privacy to their advantage.

Personalization vs. Privacy

Personalized customer interaction is the ultimate promise of CRM. But will privacy initiatives force companies to throttle back their quests for actionable customer data?

Between the unfettered acquisition and application of customer data and complete transactional anonymity, a battle rages. Privacy advocates call for a hands-off, opt-in approach to personal information. Marketers salivate over the rich promise of personalized, just-in-time offers they can only make if armed with enough data about their customers. The war is fought over every piece of spam, in congressional committee hearings, even within organizations struggling to reconcile a privacy code of conduct with bottom-line profit motivations.

"The value and vision of analytical CRM is too compelling to be ignored," writes Kevin Scott of AMR Research in a March 2001 report. The industry has created tools intelligent enough to sift through decades of history and hundreds of customer touch points to create customer service and marketing initiatives that speak specifically to an individual's needs and wants. Despite every marketing professional's heartfelt belief that this represents the ultimate achievement of mankind, the practice of data collection, and its application to segment and target a customer base, is being seriously questioned. Several countries, including Canada and those in the European Union, have adopted strict policies on personal data use. What's more, those practices still legal in the United states are coming under heavy scrutiny.

Finding an optimal middle ground between unrestricted personalization and complete privacy is not going to be easy. "[Companies] are not sensitive to the issue that privacy is in the eye of the beholder," says Scott Nelson, vice president and research director at Gartner. "On the continuum [between personalization and privacy], where one stops and the other begins is going to vary by individual. If it's information I want tailored to me, it's 'personalization,' but if it's something I don't want tailored to me, it's a 'privacy problem.'"

Although the two goals are often in opposition, even steadfast privacy advocates acknowledge that there is room for and benefit from personalization. "I don't subscribe to this view that privacy and personalization are necessarily at odds," says Jason Catlett, president of privacy technology firm Junkbusters. "The best personalization is done in a privacy-friendly manner where all of the information is handled with the consent and knowledge and active participation of the consumer."

Yet it is clear that data collection and personalized offers go well beyond explicit consent and active participation. Life events, such as the purchase of a new home or the birth of a baby, trigger floods of insurance offers. One catalog purchase suspiciously leads to the arrival of several other catalogs from seemingly unrelated vendors. With the increased velocity of customer contact and data exchange brought about through the Internet, there is a growing sense that companies simply know too much about consumers.

The bitter irony is that much of the data in question may be useless. "There's a tremendous amount of incompetence among companies when it comes to customer information," says Don Peppers, partner with Peppers and Rogers Group. According to Peppers, firms that believe they are making sense of their massive data stores are often mistaken. "One of the most common reactions when you put in an E.piphany system and the marketing people get a look at [the results] is they say, 'this doesn't work; what it's telling us is that our customers are like this, and we know that's not true,'" he says. "E.piphany does work; it's their data that's wrong. Companies are coming face-to-face with the fact that they have big, sophisticated databases full of garbage."

Nelson starkly frames the gap between the potential and reality of personalization data: Although he acknowledges that studies show personalization can make a sales approach up to four times more effective, "you could throw away virtually all of the data in the warehouse and be no worse off for it," he says. "That's not to say I'm not an advocate of capturing data, but you need a capturing strategy, and not go after any old piece of data just because you can get it."

Adjusting to the realities of a multichannel world in which consumers select the mode and intimacy of interactions can help companies set realistic expectations for the appropriate amount of data needed to satisfy a customer request. "From a vendor Web site standpoint, being able to stage a meaningful user experience without gathering authenticated data from that user is the sweet spot, and being able to authenticate users only when those users want to be authenticated is that sweet spot," says Terry Truman, vice president of marketing for Tian Software, which develops a real-time personalization e-commerce engine.

Do You Know? Do You Care?

To date, the bulk of corporate response to privacy concerns has revolved around establishing a privacy policy--a publicly available code of conduct that specifies what a company will, will not and may do with a customer's information. Certification systems have sprung up solely around having a privacy policy that makes sense, which can be a challenge in and of itself.

Simply having a policy is not necessarily enough--it may take liberties some object to, and more importantly, may not engage consumers enough to ensure that data is applied in an accurate and fair manner. "Consumers can't even find out how much information is being collected about them. That's why the principle of access is so important," Catlett says. "It lets the consumer decide whether a company is being excessive in data collection." But rare is the company or data agency that fully opens its files to consumers and invites verification or correction. Acxiom, for example, charges consumers $5 for a copy of its files on them, but begs off when it comes to assisting with corrections, deflecting requests to the companies from which it has collected the data in the first place.

"If the user has given their permission and it's been very overt and very clear...I don't think there's much of a problem," says Steve Robins, director of product marketing for Broadbase Software, which recently merged with Kana. "Where it's a problem is if you're using information against a consumer's wishes, and I think that someone who touches a consumer needs to be very deliberate and use caution--if we don't police ourselves, the government probably will."

Knowing Too Much

Because it takes two to transact, the question of data ownership in an established customer relationship is not cut and dry. "If I sell you a product, the fact that you've bought a product from me is just as much my information as it is your information," Peppers says. "To require me to forget that in the course of my business is an absurd suggestion." Certainly, companies do not ask customers as a matter of course to destroy receipts and business cards out of concerns for institutional privacy.

The issue of data sharing further complicates the issue. Many companies are entirely satisfied with keeping consumer data away from third-party sources (or at least offer some sort of opt-out procedure), but sharing data across different divisions of a company is more common. Yet it is not at all clear that consumers consider themselves customers of every single division in a company, particularly when that firm has extensive reach. In the case of a privately held concern, it may be impossible for a consumer to know about the different business divisions with which a firm may share his data.

Gartner's Nelson believes it is only a matter of time before fine-grained, party-by-party data sharing preferences are a necessary part of doing business. "It's the only way customers are going to be able to feel they have control of the situation."

Asking the Right People

While most companies with modern privacy policies allow the consumer to determine if he or she wants accumulated data shared with business partners or third party sources, the logical reverse of the coin--the ability to instruct a company not to solicit additional data from outside sources--is still missing from the debate. Such a practice would honor Peppers' assertion that transaction history is by mutual agreement between a customer and a supplier, and would acknowledge that transactions with a third party are not. Several sources contacted for this story were asked, but none could point to a company offering this choice to its customers. "Part of it is that customers aren't even aware that a company may ask a third party," Nelson says. "If it became more widely known that it was done, you would see a groundswell of people asking."

Consumers may even inadvertently provide a doorway for information they share with one party in an anonymous or aggregated context to be tied directly to them by another. Startup URpower created a software infrastructure that encourages users within a particular affinity group to download client software that asks for basic demographic information, 3-digit ZIP code and a list of personal preferences and interests. That data is provided--anonymously--to participating Web sites through a special browser cookie in exchange for more targeted offers and special group discounts.

However, nothing stops a site that subscribes to URpower data from integrating the extensive list of information presented by the URpower cookie with any personal data it may collect during that user's session. In other words, as soon as the user positively identifies himself to the Web site (through a login, for example), the site can obtain the demographic and personal preferences and interests information without having to ask consumers to specifically provide it in conjunction with their names. "You could link the two if you wanted to," concedes URpower CEO John Kelley. "I think the end user has to give up a little bit so they can be marketed to a little more effectively. That's what the Internet was designed for."

Laurel Jamtgaard, acting chair of the public policy committee for the Personalization Consortium and chief privacy officer at Angara Database Systems, in Mountain View, Calif., submits that restricting third-party data acquisition may make it difficult for small companies to learn enough about consumers to fight larger firms. "A group of tiny little vendors pooling resources enabling them to target their customers more effectively is just their way of trying to compete," she says. "If they can't look for information from anyone else, that's crippling their ability to compete."

Industry seems unlikely to rush to support this particular privacy initiative. According to the Privacy Leadership Initiative (PLI), third-party data integration saves marketers enormous sums of money--savings that might be difficult to make up elsewhere. According to PLI statistics, apparel catalog merchants would have had to spend an extra $1.4 billion in marketing costs in 2000 alone if they were restricted from obtaining and retaining consumer data from outside sources. "It's a lot easier when you have a children's catalog, if you know which households have children," O'Brien says.

Yet there are signs that incorporating third-party information for personalization purposes offends consumers. Amazon.com demonstrated this lesson to the world when it launched the Amazon Honor System, a payment service aimed at small Web sites looking to collect voluntary tithes from loyal visitors. Initially, the Amazon Honor System payment button would greet visitors by name if they were registered Amazon.com customers. The result was that sites that otherwise might not have known a visitor's name were now displaying that information proudly. Even though it was reasonably clear that the information came from Amazon.com and not the soliciting site, negative feedback quickly led Amazon.com to add an option to make the button anonymous and firmly establish that personal information is not shared with Honor System payees.

Everybody Does It

Those feeling the pressure from increased consumer and government scrutiny often try to deflect privacy concerns by asserting that data collection, integration and application has been a standard business practice for decades. "The people who came into the online marketing world from the direct marketing world didn't want there to be a difference in rules...[in direct marketing] there is no opt-in, there's only opt-out, and they're upset that the rules were different," says Kim Weins, vice president of product marketing for marketing systems vendor Annuncio. Indeed, the response of the traditional offline establishment has been rather sluggish and arguably indifferent or even hostile to the generally increasing demand for privacy and control over data exchange.

The Direct Marketing Association (DMA), for example, manages opt-out lists for e-mail, telephone and direct mail contact for its members. Traditionally, consumers who wished to opt-out of mailers and telemarketing contacts could be placed on a "delete" list that would remain valid for five years by sending a letter to the DMA. The DMA has added online registration, with a $5 fee for the privilege, without increasing the frequency of the list updates (still quarterly) or the duration of the opt-out.

Since one of the primary benefits of e-commerce is lower transaction costs, intuitively the DMA's processing costs should be less for an electronic registration than for a physical letter, giving the $5 charge the distinct aroma of a disincentive, discouraging consumers from registering through the convenient online channel. DMA spokesperson Christina Duffney defends the charge by pointing out that online requests are immediately entered into the DMA's database (but still must await the quarterly publication), while mailed requests can take 30 days to process and therefore may miss the next scheduled quarterly update. The DMA's e-mail opt-out list is free, but requires consumers to send a request, then reply to a confirmation e-mail, and only remains valid for one year.

Searching for Traffic Cops

Although CRM vendors and service providers are eager to be part of the privacy enforcement equation, they are often reluctant to take an active hand in enforcing the "best practices" they claim to have embraced. Rather, they seemingly remain content simply to enforce the rules by which their corporate customers choose to abide. "What our software allows people to do is make rules that can be supported," says Chris Bergh, chief technology officer of CRM marketing software vendor MarketSoft. "There's a judgment question that the marketer has to [answer] about when they want to intrude beyond those contact preferences the customer has put in, but if they're going to bypass our privacy controls without good reason, it's going to give [the company] a black eye."

"[We] don't impose any judgment on the client in how they use the data, but we do encourage and provide best practices, templates, flexibility and the proper framework to build a privacy policy on," says Yuchun Lee, co-founder and CEO of Unica, which is adding enterprise-wide privacy policy management to its CRM suite.

Consider the difficult line walked by the direct marketing agency for the Minneapolis star Tribune. While the agency maintains a master opt-out list that applies to all campaigns it runs-whether launched by the newspaper or one of its advertising partners-it will bend the rules and allow companies to contact opted-out consumers it claims to own on its own rolls, as long as the client signs off and takes full responsibility for any repercussions.

Personalization Without Apology

Despite the uproar, the personalization industry still maintains it is providing a service that both companies and consumers want. "Survey after survey shows customers want to be treated differently, and companies are rising to that challenge by employing technology," Peppers says. "In order to be treated differently, a customer has to reveal individual information."

Quoting findings from research conducted by the Personalization Consortium (which he co-chairs), Peppers claims that 87 percent of customers are annoyed when they are asked to provide the same information more than once, and 82 percent are willing to provide basic personal information, including age, gender and ethnicity in exchange for that organizational memory.

Here the irony rears its head once again: If the numbers are to be believed, and the expert assessment of the state of most personalization efforts is to be believed, most consumers aren't even getting the targeted service they ask for when they turn over personal information. Even in the industries he considers most advanced in personalization and analytical CRM (telecommunications, financial services and retail), AMR's Scott says that data collection and management is still so fragmented that integrating data within a company is an enormous challenge. "Until companies start to collect all the information in one single data repository...I would say it would be almost impossible to transfer data around from the divisions of one company."

If companies can't keep customer data straight across their systems, how can they possibly manage privacy policies consistently? "I think the bulk of failures in not respecting the customer's [privacy] requirement is on the technology side," says Unica's Lee. "It's an IT nightmare that needs to be managed. Hopefully, as more companies start to move toward making privacy a strong part of their business...opt-outs won't be a joke down the road."

Consumers are worried about the corporation that knows too much. Corporations are worried that tightening restrictions will reduce their ability to communicate with customers down to "Dear Occupant." And the CRM vendors in the middle just want the two to stop fighting and settle on rules they can enforce and everybody can live with. "Nothing is really as sophisticated as privacy advocates say, or as us business consultants want it to be," Peppers says.

Jason Compton is an Evanston, Ill-based business and technology writer.

Wireless Raises the Privacy Alarm

Is the ability to pinpoint the location of wireless users a useful tool for emergencies, or a shocking invasion of privacy?

As the debate resounds among regulators and the media concerning the risks to individual privacy posed by Web-based profiling technologies, wireless technology promises to both intensify the fray and complicate the solutions. Since the FCC (Federal Communications Commission) passed its "e-911" mandate requiring all cellular carriers to have the capacity to pinpoint subscribers within 400 feet by October 2001, the threat of cyber-privacy violations spilling over into the physical world has flared in the minds of a consumer population already shaken by reports of information abuse.

"The Internet is this super-recorder," says John McCarthy, group director of research at Forrester Research in Cambridge, Mass. "In the virtual world, we can track everywhere you go. With wireless, companies not only know where someone surfs on the Web, they know where he walks around and uses his cell phone and PDA. So you have another pool of data that can be potentially abused. "


As with online privacy, the debate centers on the relative trade-offs for consumers. While the benefits of the FCC mandate in the case of an emergency are clear, the technology also allows access to multiple categories of services (such as restaurants and retail stores) available in a person's immediate area, along with special offers and coupons for favorite brands. As such, wireless represents the ultimate point-of-sale impression, delivering information in real time to customers at the very moment when it can most powerfully influence a purchase.

But for consumers, these positives are rather negatively charged. Consumers cringe at the prospect of waves of wireless spam assaulting them in supermarket aisles. According to Forrester Research's February 2001 report, Surviving the Privacy Revolution, 61 percent of consumers interviewed indicated a belief that their information would fall into the wrong hands if businesses had access to it. Forty-three percent of consumers said that location-based wireless ads were a threat to their privacy, compared to 25 percent of respondents who said they were not. In fact, only 10 percent of respondents felt that these wireless promotions would be useful.

Legislative Limits

The Forrester report acknowledges that legislation has done little to address the complexities of wireless privacy protection. Current regulations for wireless location data apply only to carriers, for instance, who can share that data with third parties. No limits exist, either, on the amount of data that can be stored on individuals. And no standards have been set for when and how government agencies can obtain access to personal location data.

The report also voices concern that Congress has thus far focused too narrowly on the landline Internet. "Congress needs to recognize the total scope of privacy concerns," the report reads, "or its legislative efforts will become contradictory and self-negating." For example, Congress and Internet industry leaders support an opt-out model for personal data collection on the Web, which enables companies to gather user information until the user requests that the collection cease. Members of the wireless industry, anxious to gain user confidence, support an opt-in approach for location-based collection, recognizing that Congress' current tack will prove inadequate in addressing the problems associated with location data. This places the industry not only at odds with other industry lobbies and Congress, but actually allies them with privacy advocates who have pushed for an opt-in model across all media.

Approaches to Consent

"Privacy, whether wireless or online, is about transparent information collection and fair information practices," says Andrew Shen, senior policy analyst for the Electronic Privacy Information Center, a Washington D.C. think tank that supports privacy protection. "Some consumers may not mind walking down the street and getting a notice that, two blocks away, there's a sale. What marketers really have to do is to establish a process where consumers can dictate their actual desires. Consumers must take part in deciding how their information is used."

Shen points out that, even among industry exponents of opt-in models for location-based data, varying interpretations abound. Some carriers have pressed the FCC for a vague definition of consent that would allow agreements to be buried in the fine print of larger documents. Companies who will succeed in this emerging market will not skirt the perimeter of regulations or test the ethical boundaries of privacy; instead, they will recognize privacy's profound impact on CRM and take steps to ensure that their privacy policies, whatever the regulatory environment, enhance the customer experience.

According to Forrester's McCarthy, a chief privacy officer (CPO) is indispensable to this process in establishing a privacy policy and in isolating the organization's greatest exposures to risk. "There's no silver bullet from either an enforcement or a legislative point of view. Companies need to think about privacy as an ongoing business issue because our ability to regulate and control its abuses will never entirely catch up with the evolution of technology."

Brett Anderson is a Los Angeles-based writer who specializes in business and technology.

CRM Covers
for qualified subscribers
Subscribe Now Current Issue Past Issues

Related Articles

I Want You to Know Me

Customers want — and expect — personalization.

“The Internet Is Still the Wild, Wild West”

AOTA '08: Security is nascent and consumers are still hesitant to make an online transaction. What will it take for the Internet to be a place where everybody knows your name—and it's OK?