Where your personal data goes when you're not looking

What businesses know about any given individual is a lot. But what are companies doing with that data? Not as much as you might think -- at least not yet. Companies are getting more sophisticated, however.

The trove of data that's out there includes:

Traditional offline data gathered by credit bureaus and data aggregators, including public data from telephone directories, court and property records

User account data collected and retained by businesses with which consumers have purchased products or registered for services

Data from online activity including searches, social media profiles and tweets, mobile app activity and Web browsing habits

Add to that relatively new data types, such as that from "scoring" methodologies (PDF) that use data about people to predict their future behavior. Other new data types include:

Data from fitness devices and other "Internet of things" devices

Emerging retail store tracking systems that may soon identify you through face recognition as well as monitor your location as you move through a store

Location data from your smartphone that lets apps track where you are, how fast you're moving -- even the direction in which you're heading and where you're likely to be going given your previous travel history

It's no surprise, then, that people worry about what businesses are doing with all that information. (For more about how to protect yourself, see: "The paranoid's survival guide, part 1.")

More often than not, however, the answer is that businesses aren't doing as much as they could be. Enterprises face regulatory and technical hurdles that make combining the data they have difficult; some data types and uses of consumer data are highly regulated; and companies usually don't like to share core customer data externally for competitive reasons. When they do, that data is usually boiled down to basic demographic and interest categories and then aggregated for marketing purposes. If the data is being shared with third parties for the purpose of online advertising, personally identifiable information is usually removed.

Too many silos

Most businesses can't even integrate all of the data silos they have cost effectively, much less run sophisticated analytics across all of it or accommodate new data sources, such as the unstructured data streams derived from social media.

In the online advertising world, the behavioral advertising industry has developed a high level of sophistication and expertise, but most of corporate America -- including the manufacturing and consumer products sectors -- remains in the early stages of data integration, says Jim Adler, vice president and chief privacy officer at Metanautix, a firm that specializes in data integration within and across companies. "They're still trying to understand what they have" and the data flows for all of it, he says.

As those repositories of consumer data continue to slowly, steadily converge, however, the ways in which businesses interact with consumers will need to change if they are to head off the kinds of consumer privacy and trust headaches that have already confronted traditional data aggregators and the online behavioral advertising industry.

"Transparency overall will need to increase as these environments become more complex and intertwined," says Leigh Feldman, chief privacy officer at American Express Co. The financial and travel services company now has privacy professionals aligned with each business unit. "Privacy will be a competitive differentiator for companies over the next five years," he says. And in addition to offering transparency so users understand what's happening with their data, Feldman says it's important to present meaningful choices that let the user decide how their data can be used, and to guarantee customers that their data will be handled in a responsible fashion.

Regulatory minefield

Traditional types of data -- such as healthcare information and banking records -- and some uses -- such as for identity verification, insurance underwriting, employment or to assess creditworthiness -- are regulated. But the increasing use of personal data for marketing purposes, gathered both offline and online, has fewer regulatory controls. That's a big data bucket. And inappropriate use of that marketing data -- such as for making hiring decisions -- can get a company into hot water with regulators.

Businesses face a jigsaw puzzle of laws and regulations that govern certain types of data assets as well as how information may -- and may not -- be used for some types of decisions, says Tony Hadley, senior vice president of government affairs and public policy at data aggregator Experian. "The overarching regulation of marketing data comes from a mosaic of smaller state and federal laws," he says, as well as from the standards governing ethical practices put forward by the Direct Marketing Association and other professional groups.

One problem, says Metanautix's Adler, is that when companies use marketing data about consumers for purposes other than marketing they can get into trouble. For example, a business that uses information from Facebook or Twitter to make a negative hiring decision -- and does not disclose to the applicant that the information was used in that decision -- can run afoul of the Fair Credit Reporting Act, which governs how data may be used for employment purposes.

"You cannot use marketing data for credit or employment eligibility. There's a firm firewall between those two uses. If you break it the FTC will come after you," says Hadley. "And if someone is taking consumer data and mining it in such a way as to be abusive to customers, that's something the FTC could clean up under its deceptive trade practices."

Offline/online convergence: It's complicated

Just a few decades ago businesses knew very little about their customers beyond name, address and what they bought -- if they used a credit card. Data aggregators like Acxiom and Experian provided personalized demographic data to marketers -- that you are 42 years old, own a truck, like to golf, are married and so on -- to help companies better target advertising and marketing dollars to customers and prospects. That offline data was -- and still is -- culled from public records, surveys and what Acxiom chief global privacy officer Jennifer Barrett Glasgow calls "summarized or aggregated purchase information."

The data about you is personally identifiable information (PII), but gets transformed into generalized, but still personally identifiable, demographic data before it's used. For example, Acxiom might license the subscriber list from a golfing magazine as an input into its scoring mechanism, but the data aggregator agrees not to identify you as a subscriber. Instead, it uses the information and data points from many other sources -- your golf club purchases, for instance -- to determine that you fit into its list of people who like to golf.

Businesses buy these buckets of consumer demographic data to match up with their own customer records for direct marketing and upselling, and they can buy a prospect list of people assigned to an interest group that presumably will be more likely to buy a given product. The advertising message then gets disseminated either through direct mail, telemarketing, email or text messages.

The evolution of online data has led to different practices for gathering data, but with the same objective, says Mike Zaneis, executive vice president and general counsel for the Interactive Advertising Bureau (IAB), an industry trade association. "Consumers don't care if you send them relevant ads, but they don't want you to know their browsing history," he says. So advertisers use cookies to track online activity of website visitors, and that activity is linked to a cookie ID tied to a specific browser on a specific device. The activity is not tied to the individual -- unless the individual has self-identified by registering with a given website.

In the mobile world there's a recognition that access to more sensitive data -- such as apps that want to access the user's location, friends list or address book -- requires a higher level of consumer consent, says Zaneis. The industry has attempted to address that by extending the Digital Advertising Alliance's privacy principles to mobile advertising. "I'm not sure that business practices are as advanced as we're led to believe in the mobile space," he says. "But because that data is available, whether it's really being utilized or not is not as important as the perception that it will be."

The offline and digital worlds have been converging for some time, says Leigh Feldman, chief privacy officer at American Express Co. "Over the next two to five years the distinction between offline and online will for all intents and purposes go away." And as those worlds converge, more information is becoming available for businesses to collect than they know what to do with. The analysis is more complicated, but the end game is the same: To get ads and offers in front of the people who are most likely to buy a given product or service. "The old-fashioned direct marketing ... has moved online, but it's the same activity," Barrett Glasgow says.

But those two worlds have very different rules as to how consumer data may be used. "The offline world is all personally identifiable data. The online world is either anonymous or identifiable [if the user has self-identified by creating an account]," says Barrett Glasgow. Advertising networks track online activity and build interest profiles that link to cookie IDs rather than PII -- as required by the code of conduct put forth by the Network Advertising Initiative, an industry trade association.

The ad networks have behavioral advertising data (browsing histories) linked to cookies. Data aggregators have interest and purchase data linked to your PII. If existing customers have self-identified on a business' website, Web publishers and advertising networks can match up both data sets to predict more accurately who is most likely to respond to an ad.

But combining data from offline and online resources to deliver targeted advertising requires an elaborate dance, called cookie syncing, to ensure that a third-party advertising network does not receive any PII, says Barrett Glasgow. First the publisher sends the data aggregator, such as Acxiom, the PII data for its registered customers so it can be matched with the aggregator's profile data.

Acxiom then places a cookie on the user's computer and gives a code to the ad network, which uses it to read the Acxiom cookie and pull the relevant demographic and interest data associated with it. It then uses both data sets to determine the most appropriate ad to send to the user. "In the online space there's this whole added dimension of complexity around anonymity," Barrett Glasgow says.
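The three-party exchange just described can be modelled to check the property it is meant to guarantee: the ad network ends up with a cookie ID and interest buckets, never the publisher's PII. The following is an added, constructed example and not code from Acxiom, any publisher or any ad network; the cookie name `acxiom_like_sync`, the access-code mechanism, the interest bucket names and the sample users are all assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass

# Field names this model treats as personally identifiable information.
PII_FIELDS = frozenset({"name", "email", "postal_address"})


@dataclass
class Profile:
    """An aggregator's record: PII plus the interest buckets modelled from it (constructed)."""
    email: str
    name: str
    postal_address: str
    interests: frozenset


class DataAggregator:
    """Holds PII-keyed profiles; hands out only opaque cookie IDs and interest buckets."""

    def __init__(self, profiles):
        self._by_email = {p.email.lower(): p for p in profiles}
        self._cookie_to_interests = {}
        self._access_codes = set()

    def issue_access_code(self):
        """The 'code' the aggregator gives an ad network (assumed to be a random token)."""
        code = secrets.token_hex(16)
        self._access_codes.add(code)
        return code

    def sync(self, registered_users):
        """Step 1: the publisher sends PII for its registered users. Matched users get a
        fresh random cookie value; the aggregator keeps the cookie-to-interests mapping."""
        cookies = {}
        for rec in registered_users:
            profile = self._by_email.get(rec["email"].lower())
            if profile is None:
                continue  # no aggregator profile: no sync cookie for this user
            cookie_id = secrets.token_urlsafe(16)
            self._cookie_to_interests[cookie_id] = profile.interests
            cookies[rec["email"]] = cookie_id
        return cookies

    def lookup(self, access_code, cookie_id):
        """Step 2: an ad network presents its code plus the cookie it read; it receives
        interest buckets only, never the underlying name, email or address."""
        if access_code not in self._access_codes:
            raise PermissionError("unknown ad network access code")
        return {"interests": sorted(self._cookie_to_interests.get(cookie_id, ()))}


class AdNetwork:
    # Which ad each interest bucket or browsing keyword maps to (assumed).
    AD_FOR_KEYWORD = {"golf": "golf-clubs-ad", "truck_owner": "truck-tires-ad"}

    def __init__(self, aggregator, access_code):
        self._aggregator = aggregator
        self._code = access_code
        self.received = []  # every payload this party was given, kept for auditing

    def choose_ad(self, browser_cookies, browsing_history):
        """Combine the aggregator's buckets with the network's own browsing data."""
        cookie_id = browser_cookies.get("acxiom_like_sync")
        payload = {"cookie_id": cookie_id, "browsing_history": list(browsing_history)}
        if cookie_id:
            payload.update(self._aggregator.lookup(self._code, cookie_id))
        self.received.append(payload)
        signals = list(payload.get("interests", []))
        signals += [kw for kw in self.AD_FOR_KEYWORD for url in browsing_history if kw in url]
        for signal in signals:
            if signal in self.AD_FOR_KEYWORD:
                return self.AD_FOR_KEYWORD[signal]
        return "generic-ad"


def leaked_pii_fields(ad_network):
    """Audit helper: which PII field names ever reached the ad network?"""
    seen = set()
    for payload in ad_network.received:
        seen.update(k for k in payload if k in PII_FIELDS)
    return seen


def run_demo():
    """Walk one user through publisher -> aggregator -> ad network (constructed data)."""
    aggregator = DataAggregator([
        Profile("alice@example.com", "Alice Example", "1 Main St", frozenset({"golf"})),
    ])
    publisher_users = [  # the publisher's registered users, including PII
        {"email": "alice@example.com", "name": "Alice Example", "postal_address": "1 Main St"},
        {"email": "bob@example.com", "name": "Bob Example", "postal_address": "2 Main St"},
    ]
    cookies = aggregator.sync(publisher_users)  # Bob has no profile, so only Alice gets a cookie
    network = AdNetwork(aggregator, aggregator.issue_access_code())
    alice_browser = {"acxiom_like_sync": cookies["alice@example.com"]}
    ad = network.choose_ad(alice_browser, ["news.example/sports"])
    return ad, len(cookies), leaked_pii_fields(network)
```

Running `run_demo()` returns the ad chosen for the synced user, the number of users that were matched, and the set of PII field names that reached the ad network, which stays empty: the only link between the two data sets is the random cookie value, and the mapping back to a person lives solely with the aggregator. A network that presents a code the aggregator did not issue gets a `PermissionError` rather than any buckets.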

-- Robert L. Mitchell

Another problem can crop up when businesses don't follow their own privacy policies, as happened recently with messaging app vendor Snapchat. "The FTC is quite tenacious about companies violating their own privacy policies," and has created a body of common law through a series of consent decrees, says Adler at Metanautix.

Using data the wrong way

Businesses need to consider how private the data is to the individual and how perilous to the consumer the outcome might be if the data is divulged in unexpected ways, Adler says. He cites retailer Target's textbook case of unwittingly sending a mailer targeted at expectant mothers to a pregnant teenager before her father knew about her condition.

Target used analytics to determine that there was a high probability that the woman was pregnant, and had assigned her to that category. "They knew which customers were pregnant based on what they were buying. And that's where the conversation ended," Adler says. But the retailer failed to think through the implications of sending targeted marketing materials that clearly implied that the customer was pregnant -- a sensitive subject that the customer might not be ready for others to know.

It also feels a bit creepy, says Jules Polonetsky, executive director of the Future of Privacy Forum. Marketing is about having a relationship with the customer, he says. "Where it breaks down is when marketers don't understand the boundaries of those relationships. Here was this very personal experience and the user had no clue that this analysis was happening."

Marketers need to bring people along rather than let them uncover what may seem like unpleasant facts, he adds. For example, a few years ago Orbitz users were shocked to discover that visitors using a Mac were shown pricier vacations and accommodations than those using a Windows PC. "People were surprised and outraged," he says, but Orbitz might have avoided the problem had it been more transparent about how the recommendations were made -- and why -- at the time the user viewed them.

Similarly, misunderstandings over variable pricing practices online by Staples drew fire, in part because customers were left in the dark as to what the retailer was doing and why. Online businesses don't selectively raise prices when and where they can get away with it, says Jennifer Barrett Glasgow, chief global privacy officer for data aggregator Acxiom.

"In 40 years in this industry I've never seen an instance where someone was charged more than the published price," Barrett Glasgow explains. Most of the time, "the question is, will I get a discount?" The answer might depend on factors such as the customer's proximity to a brick-and-mortar competitor. But absent any kind of explanation, people can assume the worst.

And the criteria used for making pricing determinations matter to regulators as well as consumers, says Adler. For example, variable pricing by location might also appear to single out a minority community. "When do price distinctions become price discrimination?" Businesses need to think through that, he says, before they roll out technologies in brick-and-mortar stores as well as online.

Once customers have been identified, he says, it will be possible to use digital signatures to present differential pricing based on whether, for example, a customer's web surfing history shows that they've been comparison shopping online.

Businesses can head off potential issues by providing transparency, allowing customers access to all of the data the business has about them, and -- most importantly -- using the data the business has appropriately, Adler says. Unfortunately, he adds, "Companies often default to not disclose."

"Data is increasingly a feature, not just a disclosure that I've given you ways to opt out of marketing," says Polonetsky. Rather than rely on the privacy policy exclusively, the user experience for an online service should let users see how and when data is used to "power the product, to market or to connect with friends." Users can then toggle potentially sensitive features, such as location services, on and off in certain contexts to suit their expectations.

What's more, if 90% of your users aren't having a pleasant experience using the default privacy settings, then something is wrong with your strategy, Polonetsky says. The default privacy settings should match users' expectations without requiring them to read through a lengthy privacy policy to find answers.

Data security

American Express has been a model for transparency, and Amazon.com has been upfront about how it tracks customers to make suggestions about what users might like to buy, Polonetsky says, but many online businesses are far less forthcoming. "Everyone pays lip service to transparency, but with some [companies] you have to do a lot of detective work to understand what they are really up to. Sleuthing is not what users want to do to find out what's going on." The future, he says, will belong to the businesses that understand this.

Opening up

Businesses are slowly beginning to respond to at least some consumer concerns about privacy. For example, Facebook recently decided to allow its users to log into new apps anonymously (although one could argue that it took one step back when it manipulated users' news feeds). Some mobile app vendors offer popular messaging services that can permanently erase messages after a user-determined time limit. And Intelius, which sells personal background checks based on public records, lets users see their own data for free -- and correct it.

For Adler, who helped to develop the program at Intelius a few years ago, the philosophy was simple: "I shouldn't have to guess what information they have and are sharing. I should be able to just look."

More recently, data aggregator Acxiom launched its aboutthedata.com website, which lets validated users see six categories of "core data" used to place them into demographic and interest categories for marketing purposes. Consumers can delete or correct the baseline data, which automatically updates modeled data about the person. However, they can't view the interest and demographic categories to which they've been assigned.

There's a good reason for that, says Adler: The categories and predictive scores used by some companies would be offensive to people, and they would want to know why they were put into those. "No one likes to be labeled and stereotyped, but that's what marketing does. It's about segmentation, and that's often politically incorrect." The industry, he says, will need to figure out how to segment markets accurately and still maintain some semblance of political correctness.

Going forward, Feldman expects people to become even more engaged on privacy issues with the companies with which they transact businesses. "What's changed is now everyone is concerned about privacy. It's much more top of mind."

But companies shouldn't leave it to the lawyers to handle all of the consumer privacy details, says Adler. "The legal department is the wrong place to make decisions about innovation." If the company doesn't have this discussion, it "will either take the conservative approach or innovate in completely irresponsible ways," he says. But things can't keep operating the way they have in the past. One thing is certain, Adler says: "If companies continue to do this in an opaque way, regulators will step in."
