
The Data-Protection Paradox

By Eric Krell

DMNews, March 2014

Are the 40-something U.S. state data-privacy laws and nearly 30 different European Union (EU) member privacy regulations A) cryptic and burdensome; B) outdated, ineffective, and practically unenforceable; or C) necessary from a compliance standpoint, but lacking from a customer-perception perspective? The answer depends on whom you ask, of course.

Data protection is a highly personal issue and an increasingly emotional one. Just ask Experian Senior Vice President of Government Affairs and Public Policy Tony Hadley, who late last year was grilled during a U.S. Senate Committee hearing by Senator Jay Rockefeller (D-WV). The senior Senator used the forum to announce that he was placing “data broker” companies “on notice” that federal data-privacy oversight efforts will intensify. Even so, Hadley was appreciative of the opportunity to be involved in the discussion.

“Marketers should engage in the debate about responsible information sharing because consumer privacy is good customer service,” says Hadley, who kept his cool under tough questioning and encourages marketers to do the same by constantly reviewing and updating their own self-regulatory data-privacy standards and practices.

The moment marketers wade into this heated debate, however, they'll discover that it's “very, very confusing,” notes Eloqua Chief Privacy Officer Dennis Dayman. The complexity surrounding data privacy, protection, and use today stems from: rapid technological change; opposing and passionate perspectives among regulators, consumer advocates, and marketing industry leaders; varying and often contradictory personal views on privacy among customers; a disjointed regulatory landscape; and the intertwined nature of data privacy and data security.

Overcoming contradiction

Clearly, when it comes to customer data privacy and protection issues, marketers need to be prepared by understanding the current landscape of regulations and opinions, as well as customers' changing expectations. Marketers also need to be proactive if they are to create a satisfactory balance of relevance and privacy in an environment so rife with contradiction.

In a recent SAS survey, for example, 71% of consumers said that their privacy concerns increased in response to recent data breaches. However, 60% of these consumers also expect companies to know their preferences and understand their needs.

“The issue of data privacy is a paradox right now,” says Rich Walker, managing director of Winterberry Group. Walker makes a compelling point. After all, marketers use data to make their advertising and marketing relevant, which is what customers want; data usage restrictions designed to address consumers' privacy concerns could result in less relevant marketing that would actually upset consumers.

Boston Consulting Group Senior Partner John Rose, coauthor of several BCG and World Economic Forum reports on data issues, cites as an example of this paradox a large retailer that recently yanked out scanners that tracked how long smartphone-equipped shoppers visited different areas of the store, so managers could make merchandising and design changes that better aligned with shoppers' habits and preferences. Too many customers, it turned out, deemed the digital tracking to be creepy. Yet, the same retailer had been lauded by customers for decades for introducing enhancements to the shopping experience based on the same types of customer insights, but drawn from information its salespeople had collected via handwritten notes.

“The real issue is that consumers don't like to be surprised,” Rose says. As data-management capabilities change quickly, how those changes are communicated to customers matters as much as the change itself.

Customers tend to fall into two major camps regarding privacy: those who favor a rigorous, detailed, and legislative/regulatory crackdown on privacy and data use abuses; and those who favor largely transparent societies. These camps, however, have many sub-camps and vary widely by country, culture, and demographics. A recent BCG study of consumer sentiment found that almost three times as many U.S. consumers (50%) believe that purchase history data is “moderately or extremely private” compared to Japanese consumers (only 18%). The study also finds that high-income consumers (59%) feel more strongly than low-income consumers (40%) that personal information shouldn't be used outside of the purposes for which it was collected. “Marketers tend to look at data in the context of the state or country that they live in,” Eloqua's Dayman says. “But data crosses national boundaries, and countries and even groups within countries have very different attitudes about privacy.”

Countries also have very different privacy laws, which are either onerous or ineffective, depending on who's making the case. It's not uncommon to hear: CAN-SPAM barely dented spam; California's Do Not Track has ambiguous standards; Congress should consider strengthening the consumer privacy framework.

Like everything else in the realm of customer data privacy, these arguments can change quickly. Rising consumer concerns about data security incidents reported in the media often spark legislators to action. It's not coincidental that Rockefeller's Senate hearing took place after the NSA revelations. Although the U.S. Federal Trade Commission (FTC) and Congress are considering laws to better regulate marketing practices, Acxiom Global Privacy and Public Policy Fellow Jennifer Barrett Glasgow believes that passage of marketing-specific law is unlikely. “There are, however, going to be bills dropped, hearings held, and a lot of press coverage this year,” she reports. “This will drive more legislation in the states.”

Experian's Hadley also notes that federal legislation related to data security is more likely to pass Congress this year than a new law related to data privacy. So how can marketers best take a proactive stance?

Start with self-regulation

Until federal data privacy legislation materializes, Glasgow believes that the marketing profession “has a window to develop good guidance for new practices” regarding, for example, alternatives to cookies, data-collection practices, use and sharing of location data, and notice and choice for mobile devices. “These are complex issues that the industry can best address,” she adds. “Proven self-regulation becomes the roadmap for legislation when it eventually comes along.”

Two ways that marketers can get started on stronger self-regulation, while also shaping external regulation, are to engage with colleagues and experts outside their organizations and to develop guiding principles within their companies.

Engage externally: Attending events like the Online Trust Alliance Data Privacy Day town hall meetings can help marketers navigate and understand the current security and data privacy issues, notes Listrak Chief Privacy Officer James Koons. “These events give attendees one-on-one time with agencies like the FTC, Secret Service, FBI, and State Attorney General Offices, as well as marketing thought leaders, to discuss the latest in security, privacy, and data protection best practices,” he says.

SAS Global Customer Intelligence Director Wilson Raj encourages marketers to become active participants in the legislative subcommittees of professional marketing associations and groups such as the American Marketing Association, the Association of National Advertisers, and the Direct Marketing Association. Hadley cites the DMA's Data-Driven Marketing Institute as an organization to get involved with due to its laser focus on the responsible use of data in marketing, and points out that its research initiative on responsible information sharing is one that marketers should be aware of.

Develop principles: Alex Romanov, CEO of iSign Media, says it's crucial for marketers to be “privacy respectful.” Acxiom's Glasgow uses the term “accountable marketer”—as in accountable marketers review their campaigns to ensure that they don't offend or “feel creepy” to consumers. Yes, these are qualitative descriptions that hinge on judgment, and that's both a challenge and an advantage. For most marketers, the difficulty lies not in making a decision that's ethical, but in making the more nebulous judgment of balancing company and customer priorities and preferences: Should we do this? If so, how can we best convey what we're doing and why? Does this align with our company's values and how we behave in practice? How might this be perceived?

Compliance with privacy laws and rules is mandatory, but in many cases not sufficient at a time when data privacy decisions are subject to strong and shifting consumer opinions. Many of the legal terms and conditions all of us check online fulfill legal requirements but fall far short of sound judgment when it comes to managing data privacy in a clear manner. Principles (such as those that SAS Global Customer Intelligence Director Wilson Raj shares in “Data Protection Principles”; see below) can help employees understand what they should and should not do above and beyond compliance rules and company policies, which cannot possibly cover every real-life situation. “Marketers should state their information collection and use practices clearly in a concise, easy-to-understand, and readily accessible privacy policy,” says Hadley, who also suggests that marketers provide customers with an easily accessible tool for opting out of data collection or use for further solicitations.

Many marketing and privacy experts praise opt-in as a valuable data-privacy principle and business advantage. Nalini Indorf Kaplan, an associate director with the University of Colorado's Center for Advanced Engineering and Technology Education (CAETE) and a data privacy expert with consulting firm Cultiva Partners, recommends “explicit opt-in opportunities beyond email newsletters and offers; the savviest companies will use the opt-in choice as a respectful trust-building exercise and, at least for a time, a differentiator.”

Kaplan is suggesting that a data-privacy measure can deliver competitive advantage, and she's not alone. The November 2013 research, based on BCG's survey of 10,000 global consumers, conducted by Boston Consulting Group's Rose and his colleagues, concludes that companies that excel at creating trust should be able to increase the amount of consumer data they can access by at least five to 10 times in most countries.

How's that for a data-privacy paradox?

SAS Global Customer Intelligence Director Wilson Raj offers four principles of data protection:

1. There should be a stated purpose for all customer data collected.

2. Information collected on a customer should not be disclosed to other organizations or individuals unless authorized by law or by consent of the customer.

3. Customer records and information should be accurate and up to date.

4. There should be mechanisms for customers to review data about themselves, to ensure accuracy.
