Articles
Respecting the Customer's Right to Privacy
By David Henkel, President, Johnson & Quin
Think about it. Suppose you're browsing through your mail and come across an oversize postcard from your health club. Printed across the back in large text you read, "Hi there, Chris! The last time you were here, you weighed in at 183 lbs. Can we make an appointment for you with a personal trainer?" The mail carrier—and perhaps some of your neighbors—might get a laugh out of it. But would you? While the entire marketing world is talking about the value of using what you know about your customer to personalize business communications, just because personal data is available doesn't mean it's always appropriate or welcomed by the recipient. In fact, overly personal communications can be regarded as a threat to privacy or even raise concerns about identity theft.
Database mining and printing technologies allow for creating highly personalized marketing communications that can be based on information taken from a variety of sources, including customer records, stated customer preferences, or data purchased from third-party vendors. While these personalized campaigns are designed to reach the most receptive audience and do generate an impressive response rate, marketers must be wary of crossing the invisible line that separates a friendly offer from an invasion of privacy. This is a growing public concern.
Finding a balance
In response to queries from a coalition of consumer privacy groups, the Federal Trade Commission (FTC) held public hearings in 2007 to review issues related to so-called "Ehavioral Advertising." This involves automatically tracking Internet users in order to gather personal information about them, such as the websites they visit, their online purchases, even their participation in online chat groups. The data collected this way has been used for targeted online advertising. However, consumer watchdog groups claim that the practice is an invasion of privacy when consumers aren't told that they're being monitored and aren't provided a simple and effective way to "opt-out."
To date, the FTC has made efforts only to strike a balance between consumers' rights to privacy and advertisers' needs to provide information about available—and often desirable—products and services. The agency has developed guidelines for industry self-regulation, advising marketers to take special care in the collection, handling, storage, and disposal of sensitive customer information. Apart from legislation like HIPAA, (Health Insurance Portability and Accountability Act) or in the financial industries, Gramm-Leach-Bliley legislation, the government doesn't define or limit exactly what kind of data is hands-off for marketers.
Drawing the line
Based on the 2007 hearing, what did the FTC conclude in terms of how much personalization is too much? In its final report, the agency identified several highly sensitive areas of information:
- Medical data, including insurance information as well as chronic health conditions, medical history, genetic information, prescription drug and related purchases.
- Financial information, such as bank accounts, personal income, investments, credit ratings, income tax and related data.
- Personal identifiers like Social Security, credit card, driver's license and even telephone numbers; physical descriptors like height, body weight, eye color or clothing sizes.
- Any material directed to a minor.
- Individual sexual preference or orientation.
Going a step further, the FTC has developed useful (and not too burdensome) guidelines for handling this type of information. These include:
- Take Stock. Inventory the sensitive data you have on file in a centralized database, on individual computers, disks and CDs, correspondence, and other hard copy files. Credit card and other personal information may be in the Sales or Human Resources department computers, as well as in the Accounting or Payroll system.
- Scale Down. How much of this information do you really need to do business? How long do you need to keep it? Legal requirements may dictate long-term archiving of some data, but businesses may be storing customer credit card numbers well past the account expiration dates, or sales histories for customers they haven't seen for years.
- Lock It. Keep hard copy files and removable digital storage like CDs, disks, and drives in locked file cabinets and locked offices. Businesses that operate with computers linked to a central database can establish a hierarchy of who needs exactly what data and use software applications to block access to anyone else. Complex password protocols are also useful for stand-alone or laptop computers. Take care, too, in leaving computers unattended with data displayed on the screens.
- Pitch It. If personal information on customers, employees, and suppliers isn't actively in use, destroy it. This means shredding, burning, or pulverizing paper documents and over-writing digital storage media—not simply hitting the "delete" button.
- Plan Ahead. Protecting company and customer information must be taken seriously for simple good will and, worst-case scenario, to avoid legal liability. Grant a trusted employee the authority to establish and enforce security procedures and provide active executive support. Develop a written security policy detailing how every member of your organization should handle sensitive information, along with a clear plan for dealing with a situation like a computer system breech. Decide beforehand who may need to be notified and how—and this can include your customers. Investigate every complaint or reported violation immediately to help determine vulnerabilities and correct them.
Keeping it both relevant and appropriate
Any type of personalized marketing communication can be regarded as intrusive when it's inappropriate or uses data obtained without the consumer's knowledge. However, even in industries under the most stringent government regulation, businesses and other organizations have the right to offer their customers appropriate information about available products and services. The key is relevancy. A cardinal rule for personalization is, if the customer information doesn't directly tie into your overall message, don't use it. Too often marketers get caught up in the creative aspects of what's possible and lose sight of the real goal—communicating your company's messages.
