The Consumer Revolution Over Privacy Protection

Technology vendors should make this a top priority



The issue of privacy protection (especially for the American consumer) has been publicly aired of late in the rather broad context of identity theft and Homeland Security. Consumers want convenience, yet are concerned with credit card and identity protection in, for example, private sector online e-commerce applications. In the public domain, citizens want to feel safe within their homes, yet bristle at the notion that the very government they look to for protection might ask the occasional embarrassing question in order to provide that protection. Now extend the scenario to encompass spam, misuse of social security numbers, disclosure of medical information, employment history, purchase behavior, and more.

In the context of Customer Intelligence and Demand Chain Performance, one would expect that these concerns would spawn systematic reviews of customer-facing applications and a fair amount of technology advances and use-case analyses. Yet, Ventana Research finds there is little evidence that the firms deploying consumer-facing CRM applications, those organizations that have the most at stake, have taken serious note.

Conditions are ripe for an electronic privacy revolution. Ventana Research recommends that firms take action to prepare themselves, and sooner rather than later.


Ventana Research believes that the issue of customer privacy has been sufficiently debated on a number of fronts, and it will soon become a priority among all players across the Customer Intelligence milieu. Vendors, their customers, and those customers' customers are all players in the game. Worse yet, in the view of some, consumer privacy and related issues sit squarely in the sights of the U.S. Congressional agenda. Each has a role to play in defining the limits of behavior, and the means to resolution.

The topic tends to fall into four categories. Each of these grows out of sometimes very different motivations, therefore implying different approaches from the Customer Intelligence industry.

1. "Leave me alone."

A result of excesses in the fields of telemarketing and e-marketing, conditions have led to broad consumer backlash and complaints of invasion of privacy. In recent months, the national 'do-not-call' list in the U.S. and widely supported anti-SPAM movements around the world have received much attention.

Regulation and legislation are most often considered sufficient to address this matter. One can argue with the specific solutions propagated, but that does not change the need to comply. Technology solutions will be virtually mandated by regulations and all customer-facing firms will be expected to adhere to attendant compliance requirements. They will then look to the vendors to embed compliance into applications. The good news is that telephony, email and direct marketing vendors are already addressing these issues primarily without major technological advances.

2. "Protect me from criminal elements."

Not necessarily a 'privacy' matter, per se, but criminal detection and enforcement are still issues difficult to keep completely separate from it, especially in the eyes of consumers. Identity theft, credit fraud, internet confidence games and the like, are all matters that have been on the business and government agendas all along. That is the good news, if you can call it that. Here the bad news is that the effort is ongoing, and ongoing, and ongoing, into perpetuity. The bad guys have access to technology, too. In many cases, their technology is more advanced, more creative, and faster evolving than that coming from Customer Intelligence vendors and client firms.

Detection and enforcement of criminal violations are clearly in the purview of law enforcement. In this sense, we look favorably upon government engaging with and deploying advanced diagnostic technology (not always welcome, as we will note later). Prevention should be the goal, however, and that burden falls squarely on the shoulders of firms engaged directly with the customers put at risk. The onus is on all customer-facing organizations, especially those privy to financial identifiers and social security numbers, to establish a strong framework for protecting the privacy of customers.

3. "Protect me from the government."

In the finest American tradition, we expect our government not only to serve and protect, but also to keep its distance in doing so. We expect the government to obey the law, certainly, but we also expect it will acknowledge our cultural ethos and respect our civil rights. In this age of Homeland Security and the so-called USA Patriot Act of 2001, some are concerned that there is a creeping measure of degree to the granting of civil rights. The conversation includes the creation of a national identification system and Federal agency rights to access both public and commercial databases and intercept electronic communications for data mining projects. While similar predictive modeling techniques are applied with great commercial success to the purpose of understanding who will likely be a loyal customer, spend more money and generate more profit, the notion of the FBI using them to 'profile' likely terrorists is considered invasive and illegal.

This traps the Customer Intelligence market on the horns of a potentially devastating dilemma. It is easy to imagine a scenario in which citizen resistance to government agency data mining could directly carry over into consumer resistance to long-established commercial predictive modeling. At best, vendors and practitioners could be faced with the task of defending the practice; at worst, they could suffer the apparent fate of the telemarketing industry.

4. "Keep what you know of me to yourself."

Opt-in programs and website registrations often elicit customer information and permission to use it for marketing or other purposes; whenever a customer interaction of any kind occurs, a business can learn more about its customer. Accumulating these tidbits into a base of customer information is precisely the point of most operational CRM applications: a 360-degree view of the customer, a single version of the truth about customer preferences, behaviors, demographics, etc. Customer Intelligence and Customer Analytics strive to systematically learn from that information, and derive more efficacious and lucrative approaches to the next interaction. In some circles and under certain circumstances, this could be interpreted as a violation of customer privacy. Consider the following:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is directed to the obligation of healthcare, medication, and hospitalization organizations to be accountable for holding patient information in confidence. As indirect providers of group life and health insurance, every employer organization is impacted in some way.

In 1998, the European Commission's Directive on Data Protection went into effect. The Directive is an attempt to protect the data privacy of Europeans regardless of where their personal data is transferred and processed. Article 25 extends the reach, prohibiting the transfer of personally identifiable data from Europe to any third country, including the U.S., which does not provide "adequate protection," as defined by the European Commission. U.S. multi-national firms can voluntarily enroll in an approved "Safe Harbor" program under the directive, but few have done so. It is not inconceivable that this could lead to constrained data flows between Europe and the U.S.

The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 outlines financial services firms' disclosure requirements for privacy policies, among other things. It prompted those nearly unreadable notices from banks describing privacy and information-sharing policies, offering customers the opportunity to opt-out. A visible offshoot is the linked access to privacy statements on most websites today. Consumers tend to mistakenly assume, often without reading the statements provided, that the existence of a privacy policy automatically protects their privacy. We all know this is not really the case.

Ventana Research believes that Customer Intelligence vendors and their customers would be wise to take note of the nature of these provisions, as they are indicative of the legislative mind-set and the nature of compliance requirements to come.


To organizations setting or evaluating strategic direction for customer-centric data integration, customer interaction support, and/or customer behavior analysis, Ventana Research strongly recommends first directing resources to building a coherent framework for addressing customer privacy issues. It is important that all parties be acutely aware not only of legal constraints that ensure protection of customer privacy, but also of customer priorities and perceptions.

Organizations currently evaluating vendors for initial implementation of customer-facing operational applications, customer intelligence, and customer-centric marketing and sales systems should elevate the consumer privacy issue in strategy formation and therefore their selection criteria. Learn how customers' privacy can come into play within your operation and how it is protected specifically within each application considered, now and in plans for future releases.

Existing implementations may or may not be well positioned for the future. Ventana Research believes it is time well spent revisiting your strategy. If there is no specific position with respect to privacy protection for your customers, create one. Talk with your vendor about how they do and will ensure privacy inside their application. It is also important to influence your vendor to be up-front with its plans for ongoing compliance.

Ventana Research urges technology vendors in the CRM, Customer Intelligence and customer analytics niche to outline development strategies to their customers and aggressively articulate assumptions about the privacy framework that customer-facing organizations are expected to have in place.
