How Marketing Professionals Can Avoid Violating Privacy Laws
The trend in marketing is moving toward a more customer-centric approach, where information specific to an individual customer is used to present offers or tailor products to provide unique and customer-specific value. Care must be taken to do so without running afoul of laws implemented to protect privacy.
Over the past few decades, technology has enabled companies to collect and analyze granular details of hundreds of transactions over years to form a more intimate knowledge of their customers. A few anecdotes are provided that illustrate instances in which marketing data has been exploited by hackers, thieves, and fraudsters, and instances in which the company itself stepped across the line of acceptable use.
BACKGROUND: PRIVACY PRINCIPLES
The author defines ten basic principles of privacy:
- Accountability - Any organization that collects personal data is to be held accountable, regardless of the organization's nature (commercial, nonprofit, government), the nature of the data, or the alleged purpose for collecting it.
- Disclosure - The purpose for which collected data will be used must be disclosed to the person from whom it is being collected, and the organization will be restricted to these terms going forward. The individual should be informed of any parties that will have access to their personal data, including third parties with whom the data may be shared, and the purposes to which those parties may use the data.
- Consent - Not only must the individual be informed of the use of their data, but they must actively consent. In some instances, consent may be passive or implicit (signage in a monitored location). Also, there are instances in which refusal to consent cannot result in the abdication of individual rights and freedoms.
- Accuracy and Completeness - The data should be accurate and up to date, and the individual should have the ability to review the data and take steps to have it corrected.
- Limitation of Collection - The type and amount of data collected should be limited to that which is necessary for a specified purpose, as should the duration of the period(s) in which the data is collected.
- Retention and Disposal - Information should be retained only as long as necessary to fulfill the stated purposes, then "destroyed, erased, or rendered anonymous."
- Safeguards - The organization that collects and maintains the data is responsible for safeguarding it against unauthorized access or unauthorized use, as well as tampering.
- Openness - The organization should "make readily available" to individuals the policies and practices by which that data is handled or managed by the organization.
- Challenging Compliance - The organization must inform individuals of the procedures for challenging its compliance (a bit vague - seems to be providing contact information for governmental agencies the individual may contact if they feel they have been mistreated).
- Access - The organization must provide an individual with access to all information pertaining to them that is stored in company records, and furnish this information "within a reasonable time" of request.
The principles are taken from specific laws in various nations, guidelines developed by industry groups, demands of consumer advocacy groups, and other sources. They are expected to be common components of any legal approach to privacy protection.
ELECTRONIC INTRUSION AND PROTECTING THE CONSUMER
The central issue is the apparent conflict between companies who wish to capture and analyze "massive amounts" of customer information and the consumers, themselves, who are concerned about the misuse of their personal information by the same companies.
There is also some disagreement over exactly what forms of use are acceptable. While a marketer may take the stance that their use of personal information is to better serve the customer, the customer may feel that the use is unacceptable, for various reasons:
- The collection of the data may be intrusive or annoying
- The user does not want to be bothered (unwanted advertisements, contacts, spam)
- The data may be used to discriminate against them (price discrimination)
- The data may be used to restrict their choices (products the company feels are suitable rather than the user's ability to choose for themselves)
- The user may not trust the organization (to safeguard the data, to keep their word about their use of the data)
- The user may fear that the information collected may be personally embarrassing to them (health conditions, unusual lifestyle choices)
The concerns are so many, and abuses so rampant, that consumers are forming a knee-jerk reaction to any attempt to collect any information about them, and have a general desire for privacy and anonymity that may affect future legislation.
This extends to the larger market as well: if there are many incidents of abuse in an industry or market, the customer may be reluctant to deal with any company, even those that have not been involved in the incidents in question.
It is also asserted that companies are inclined to safeguard data for fear of negative publicity that can result when an incident of abuse or infiltration is reported in the media.
The need for privacy assurance has also created a market for certification - organizations such as TRUSTe that provide a voluntary and independent certification of certain companies. These organizations have been found to be more reassuring to consumers than the "patchwork" of privacy and consumer protection laws in various countries.
Ultimately, the law provides "solutions" in instances where industries fail to regulate themselves, and the letter of the law tends to be far more restrictive than objectively necessary to address consumer concerns, so the author advocates self-regulation.
In general, businesses recognize the concern over privacy, and are acting to comply, but there do not seem to be any industry or market standards in place that will satisfy customers' demands and meet the legal requirements - which "may represent" a demand for a standardized solution.
In the absence of a common solution, the ways in which companies regard and handle privacy may become a basis for competition and differentiation: the company that gets it "right" will have an advantage in the electronic medium - and as technology encroaches on the brick-and-mortar operations, in the traditional channels as well.