Where your personal data goes when you're not looking

What businesses know about any given individual is a lot. But what are companies doing with that data? Not as much as you might think -- at least not yet. Companies are getting more sophisticated, however.

The trove of data that's out there includes:

  • Traditional offline data gathered by credit bureaus and data aggregators, including public data from telephone directories, court and property records
  • User account data collected and retained by businesses with which consumers have purchased products or registered for services
  • Data from online activity including searches, social media profiles and tweets, mobile app activity and Web browsing habits

Add to that relatively new data types, such as that from "scoring" methodologies (PDF) that use data about people to predict their future behavior. Other new data types include:

  • Data from fitness devices and other "Internet of things"
  • Emerging retail store tracking systems that may soon identify you through face recognition as well as monitor your location as you move through a store
  • Location data from your smartphone that lets apps track where you are, how fast you're moving -- even the direction in which you're heading and where you're likely to be going given your previous travel history

It's no surprise, then, that people worry about what businesses are doing with all that information. (For more about how to protect yourself, see: "The paranoid's survival guide, part 1.")

More often than not, however, the answer is that businesses aren't doing as much as they could be. Enterprises face regulatory and technical hurdles that make combining the data they have difficult; some data types and uses of consumer data are highly regulated; and companies usually don't like to share core customer data externally for competitive reasons. When they do, that data is usually boiled down to basic demographic and interest categories and then aggregated for marketing purposes. If the data is being shared with third parties for the purpose of online advertising, personally identifiable information is usually removed.

Too many silos

Most businesses can't even integrate all of the data silos they have cost effectively, much less run sophisticated analytics across all of it or accommodate new data sources, such as the unstructured data streams derived from social media.

In the online advertising world, the behavioral advertising industry has developed a high level of sophistication and expertise, but most of corporate America -- including the manufacturing and consumer products sectors -- remains in the early stages of data integration, says Jim Adler, vice president and chief privacy officer at Metanautix, a firm that specializes in data integration within and across companies. "They're still trying to understand what they have" and the data flows for all of it, he says.

As those repositories of consumer data continue to slowly, steadily converge, however, the ways in which businesses interact with consumers will need to change if they are to head off the kinds of consumer privacy and trust headaches that have already confronted traditional data aggregators and the online behavioral advertising industry.

"Transparency overall will need to increase as these environments become more complex and intertwined," says Leigh Feldman, chief privacy officer at American Express Co. The financial and travel services company now has privacy professionals aligned with each business unit. "Privacy will be a competitive differentiator for companies over the next five years," he says. And in addition to offering transparency so users understand what's happening with their data, Feldman says it's important to present meaningful choices that let the user decide how their data can be used, and to guarantee customers that their data will be handled in a responsible fashion.

Regulatory minefield

Traditional types of data -- such as health care information and banking records -- and some uses -- such as for identity verification, insurance underwriting, employment or to assess creditworthiness -- are regulated. But the increasing use of personal data for marketing purposes, gathered both offline and online, has fewer regulatory controls. That's a big data bucket. And inappropriate use of that marketing data -- such as for making hiring decisions -- can get a company into hot water with regulators.

Businesses face a jigsaw puzzle of laws and regulations that govern certain types of data assets as well as how information may -- and may not -- be used for some types of decisions, says Tony Hadley, senior vice president of government affairs and public policy at data aggregator Experian. "The overarching regulation of marketing data comes from a mosaic of smaller state and federal laws," he says, as well as from the standards governing ethical practices put forward by the Direct Marketing Association and other professional groups.

One problem, says Metanautix's Adler, is that when companies use marketing data about consumers for purposes other than marketing they can get into trouble. For example, a business that uses information from Facebook or Twitter to make a negative hiring decision -- and does not disclose to the applicant that the information was used in that decision -- can run afoul of the Fair Credit Reporting Act, which governs how data may be used for employment purposes.

"You cannot use marketing data for credit or employment eligibility. There's a firm firewall between those two uses. If you break it the FTC will come after you," says Hadley. "And if someone is taking consumer data and mining it in such a way as to be abusive to customers, that's something the FTC could clean up under its deceptive trade practices."

Another problem can crop up when businesses don't follow their own privacy policies, as happened recently with messaging app vendor Snapchat. "The FTC is quite tenacious about companies violating their own privacy policies," and has created a body of common law through a series of consent decrees, says Adler at Metanautix.

Using data the wrong way

Businesses need to consider how private the data is to the individual and how perilous to the consumer the outcome might be if the data is divulged in unexpected ways, Adler says. He cites retailer Target's textbook case of unwittingly sending a mailer targeted at expectant mothers to a pregnant teenager before her father knew about her condition.

Target used analytics to determine that there was a high probability that the woman was pregnant, and had assigned her to that category. "They knew which customers were pregnant based on what they were buying. And that's where the conversation ended," Adler says. But the retailer failed to think through the implications of sending targeted marketing materials that clearly implied that the customer was pregnant -- a sensitive subject that the customer might not be ready for others to know.

It also feels a bit creepy, says Jules Polonetsky, executive director of the Future of Privacy Forum. Marketing is about having a relationship with the customer, he says. "Where it breaks down is when marketers don't understand the boundaries of those relationships. Here was this very personal experience and the user had no clue that this analysis was happening."

Marketers need to bring people along rather than let them uncover what may seem like unpleasant facts, he adds. For example, a few years ago Orbitz users were shocked to discover that visitors using a Mac were shown pricier vacations and accommodations than those using a Windows PC. "People were surprised and outraged," he says, but Orbitz might have avoided the problem had it been more transparent about how the recommendations were made -- and why -- at the time the user viewed them.

Similarly, misunderstandings over variable pricing practices online by Staples drew fire, in part because customers were left in the dark as to what the retailer was doing and why. Online businesses don't selectively raise prices when and where they can get away with it, says Jennifer Barrett Glasgow, chief global privacy officer for data aggregator Acxiom.

"In 40 years in this industry I've never seen an instance where someone was charged more than the published price," Barrett Glasgow explains. Most of the time, "the question is, will I get a discount?" The answer might depend on factors such as the customer's proximity to a brick-and-mortar competitor. But absent any kind of explanation, people can assume the worst.

And the criteria used for making pricing determinations matter to regulators as well as consumers, says Adler. For example, variable pricing by location might also appear to single out a minority community. "When do price distinctions become price discrimination?" Businesses need to think through that, he says, before they roll out technologies in brick-and-mortar stores as well as online.

Once customers have been identified, he says, it will be possible to use digital signatures to present differential pricing based on whether, for example, a customer's web surfing history shows that they've been comparison shopping online.

Businesses can head off potential issues by providing transparency, allowing customers access to all of the data the business has about them, and -- most importantly -- using the data the business has appropriately, Adler says. Unfortunately, he adds, "Companies often default to not disclose."

"Data is increasingly a feature, not just a disclosure that I've given you ways to opt out of marketing," says Polonetsky. Rather than rely on the privacy policy exclusively, the user experience for an online service should let users see how and when data is used to "power the product, to market or to connect with friends." Users can then toggle potentially sensitive features, such as location services, on and off in certain contexts to suit their expectations.

What's more, if 90% of your users aren't having a pleasant experience using the default privacy settings, then something is wrong with your strategy, Polonetsky says. The default privacy settings should match users' expectations without requiring them to read through a lengthy privacy policy to find answers.

American Express has been a model for transparency, and Amazon.com has been upfront about how it tracks customers to make suggestions about what users might like to buy, Polonetsky says, but many online businesses are far less forthcoming. "Everyone pays lip service to transparency, but with some [companies] you have to do a lot of detective work to understand what they are really up to. Sleuthing is not what users want to do to find out what's going on." The future, he says, will belong to the businesses that understand this.

Opening up

Businesses are slowly beginning to respond to at least some consumer concerns about privacy. For example, Facebook recently decided to allow its users to log into new apps anonymously (although one could argue that it took one step back when it manipulated users' news feeds). Some mobile app vendors offer popular messaging services that can permanently erase messages after a user-determined time limit. And Intelius, which sells personal background checks based on public records, lets users see their own data for free -- and correct it.

For Adler, who helped to develop the program at Intelius a few years ago, the philosophy was simple: "I shouldn't have to guess what information they have and are sharing. I should be able to just look."

More recently, data aggregator Acxiom launched its aboutthedata.com website, which lets validated users see six categories of "core data" used to place them into demographic and interest categories for marketing purposes. Consumers can delete or correct the baseline data, which automatically updates modeled data about the person. However, they can't view the interest and demographic categories to which they've been assigned.

There's a good reason for that, says Adler: The categories and predictive scores used by some companies would be offensive to people, and they would want to know why they were put into those. "No one likes to be labeled and stereotyped, but that's what marketing does. It's about segmentation, and that's often politically incorrect." The industry, he says, will need to figure out how to segment markets accurately and still maintain some semblance of political correctness.

Going forward, Feldman expects people to become even more engaged on privacy issues with the companies with which they transact business. "What's changed is now everyone is concerned about privacy. It's much more top of mind."

But companies shouldn't leave it to the lawyers to handle all of the consumer privacy details, says Adler. "The legal department is the wrong place to make decisions about innovation." If the company doesn't have this discussion, it "will either take the conservative approach or innovate in completely irresponsible ways," he says. But things can't keep operating the way they have in the past. One thing is certain, Adler says: "If companies continue to do this in an opaque way, regulators will step in."

Offline/online convergence: It's complicated
