Article 53

Too Close for Comfort WHAT YOU KNOW ABOUT YOUR CUSTOMERS MAY BE DANGEROUS. NO MARKETING TEAM OR SALES FORCE CAN AFFORD TO IGNORE TODAY’S GROUNDSWELL OF CONCERN OVER CUSTOMER PRIVACY By Mark McMaster

Can you keep a secret?

If you think privacy is a matter for the legal department to take care of, think again. Sales and marketing teams deal more closely with customer data than any other company unit, so if you lack a privacy policy and haven’t educated your sales force about the ramifications of privacy law, you may be putting your company at risk legally and financially. “If you have personally identifiable information about customers and you misuse it, you’ll find yourself on the unfriendly end of a lot of attention,” says attorney Ray Everett-Church, the manager of PrivacyClue, a consulting firm in San Jose, California. “Customers do not forgive companies that misuse information.” Need proof? Look at Internet advertising powerhouse DoubleClick. Its Big Brother approach earned it an FTC inquiry, a class action suit, and a 75 percent tumble in its stock price. Likewise, GeoCities, the CVS drug store chain, and Chase Manhattan Bank have all taken legal heat and weeks of bad public relations for the release of unsuspecting consumers’ identifying info. And the issue is just starting to unravel. “Anyone who thinks the privacy issue has peaked is greatly mistaken,” says Jay Stanley, an ecommerce analyst at Forrester Research in Cambridge, Massachusetts. “We are in the early years of a sweeping change in attitudes that will fuel years of political battles and put once routine business practices under the microscope.”

FOR EVERY MORSEL of information you collect about your clients, the answer had better be yes. That applies to the scribbles in your salespeoples’ notebooks just as much as the databases of online browsing habits, credit card numbers, and purchasing histories stored on the company network. The looming debate on consumer privacy challenges assumptions about what client information may be collected, shared, and sold, and it will soon touch every business. Large or small, online or off, companies face new responsibilities in explaining and justifying their use of personal data.

“If you lack a privacy policy and haven’t educated your sales force about the ramifications of privacy law, you may be putting your company at risk legally and financially.” 1

Article 53. Too Close for Comfort

NEW TECHNOLOGIES, NEW FEARS

of serious strategic and financial significance to the victim. The damages become much greater,” says Jack Vonder Heide, the president of the Technology Briefing Center, a training organization in Oakbrook Terrace, Illinois, that offers privacy training. Vonder Heide cites the most visible example of a company strained by privacy concerns, New York-based DoubleClick, which sells its services to businesses, not consumers. DoubleClick’s name has been synonymous with privacy fears since January 2000, when news broke that DoubleClick was soon to offer about 100,000 unique user profiles lifted from a dozen Web sites, complete with real-world identities and contact information gleaned from the company’s recent purchase of offline consumer data seller Abacus Direct. Tracking the online behavior of these profiles would have produced a treasure trove of information for online marketers, but consumer advocates weren’t pleased that advertisers would be aware of their realworld identities each time they logged onto a site affiliated with DoubleClick. Denouncing the company in the national media and threatening legal action, the words of DoubleClick’s critics would scar the company for months to come. Even more damaging, DoubleClick had unceremoniously abridged the privacy statement contained on its Web site just days before these news reports, a move that hinted at its intention to begin merging online and offline data, but offered little warning for Web users who might wish to remove their names from its lists. The popular backlash against DoubleClick shocked the company, which had a sales force focused on businesses and never saw itself as accountable to consumers themselves. “At that point, DoubleClick viewed itself as a businessto-business company—we didn’t interact with consumers directly, and we didn’t really have a good means of explaining how DoubleClick interacted with customers,” says Jules Polonetsky, who in March 2000 was appointed DoubleClick’s chief privacy officer. Another blow was yet to come. In February 2000 the FTC opened an investigation into DoubleClick’s potentially deceptive data handling practices. The company kept news of the investigation under wraps, not issuing a press release until the story was uncovered by reporters just two days before the company was to open a major stock offering. It was a mar-

TODAY’S SHIFTING ATTITUDES about privacy are largely a reaction to the unprecedented opportunity for gathering consumer data on the Internet. “When you visit a Web site about baby care, and suddenly for three weeks every banner ad you see is for baby items, you start to feel like you’re being watched,” says Larry Ponemon, the former head of privacy practice at PricewaterhouseCoopers and the president of Guardent, a privacy management and data security firm in Waltham, Massachusetts. “Customers have learned to assume the worst,” he says. Threats to privacy with innocent names like cookies and spam have entered the consumer lexicon, making Web surfers reluctant to give up information about individual preferences or identity. As businesses track customers ever more closely with sophisticated personalization techniques and data mining technology, these fears have spread to the offline world, and consumer anxiety has produced a political response. No less than six privacy protection bills await debate in Congress, all of which would limit the ability of businesses to collect personal information about their customers. Meanwhile, the Federal Trade Commission (FTC) is using existing law to aggressively punish companies that violate consumers’ rights, says Simon Lazarus, an attorney at Powell, Goldstein, Frazer & Murphy in, Washington, D.C. A key piece of privacy legislation, the Gramm-Leach-Bliley Act, went into effect in July and requires financial institutions to provide written notice of its privacy policies and practices, and prohibits any disclosure of nonpublic personal information—such as purchase histories, birth dates, or even phone numbers—to third parties unless the consumer has the opportunity to opt out of the disclosure. Its ramifications may extend far beyond the industry it was intended to regulate, Lazarus says, extending to any company that offers credit to its customers.

B-TO-B COMPANIES AT RISK IT’S NOT JUST business-to-consumer companies that are vulnerable. “The damages [of privacy invasion] can be more pronounced in the business-to-business world, because you’re dealing with situations where information that is shared can be

2

ANNUAL EDITIONS example, insurance agents often form partnerships with other local salespeople, such as real estate agents, car dealers, and bank representatives, passing on leads about clients new to the area and referring valuable customers. If personal information about Nationwide customers were to be shared in these exchanges, both the agents and the company itself could be sued. “We knew our sales force would be a big source of liability,” Herath says, so he developed a comprehensive training program on privacy that includes dozens of pages of practices to follow, a guide for managers on how to train agents, and a certification test for agents. The curriculum is in the early stages of implementation, and with more than 8,000 agents, including many who work at independent agencies not managed by Nationwide, achieving full compliance will take months of work.

keting blunder, and over the next week, the stock fell nearly 25 percent. Unable to squeeze a return out of its sizable investment in Abacus Direct, it plunged to less than $15 a share by December 2000, after a high of $135.25 in January of that year. “It was a learning moment for the entire industry,” says Nuala O’Connor, the vice president of data protection at DoubleClick. “I think DoubleClick crystallized concerns about data collection online and off. We found ourselves in the middle of a huge issue.”

SALES FORCES—THE WEAKEST LINK? SURPRISINGLY, SALESPEOPLE MAY be companies’ most vulnerable point-of-contact when it comes to privacy liability. “The problem you have in a sales organization is that individual sales reps tend to be the masters of their own data,” Vonder Heide says. “Salespeople have systems that range anywhere from day planners and traditional filing cabinets with paper notes, all the way up to sophisticated programs like Outlook, ACT!, and GoldMine that share data and upload it to a centralized database.” Savvy salespeople slip in personal information useful in keeping up relationships with clients—perhaps the ages of a customer’s children, or that a particular client is prone to overdrinking, or that Mr. Thompson’s wife is battling cancer—knowledge that, in the wrong hands, could embarrass clients and encourage lawsuits. “Most companies that sell exclusively through sales organizations don’t have privacy policies,” Vonder Heide says. “But every sales rep should understand which customer information should be maintained, and which is appropriate to share with other parties.” Nationwide Insurance, based in Columbus, Ohio, has been grappling with the challenge of educating its salespeople about privacy for two years, says Kirk Herath, the company’s chief privacy officer. “It took us half a year to determine our information practices for all of our companies and affiliates, but before we published our policies we had to educate the people on the front lines about what our privacy practices were and what their individual responsibilities were,” he says.

PRACTICE MUST FOLLOW POLICY GEOCITIES LEARNED A universal lesson in privacy law back in 1998: After you state what your policy is, you have to live up to it. The Web hosting site’s registration page then contained the statement, “We will not share this information without your permission.” The company nonetheless released the responses—including customers’ age, education, occupation, income, and personal interests—to business partners and advertisers. In response the FTC, in its first Internet privacy enforcement action, charged GeoCities with engaging in deceptive practices. After three months of investigation, GeoCities emerged with a lucky settlement. There was no admission of wrongdoing, fine, or penalty; instead the site simply changed its privacy policy to reflect its behavior. (Federal law allows penalties of up to $11,000 per violation in such cases, Everett-Church says, and GeoCities had 2 million subscribers at the time of the FTC inquiry.) Despite emerging clean from the inquiry, GeoCities’ stock fell 15 percent the day the charges were announced. In short, any violation of a privacy policy is fraud, says Everett-Church. And this not only holds true to a company’s own behavior, but its business partners’ actions as well. John Blaber learned this firsthand when his company was slapped with a lawsuit for work it had done for the now-defunct Toysrus.com Web site. Blaber is the vice president of marketing for Coremetrics, a San Francisco data analysis firm that processes consumer information on Web sites. In its privacy policy, Toys “R” Us had never informed its customers that a third party was involved in collecting data, but because Coremetrics was acting as a contractor, Blaber never saw this as his concern. “The lawsuit surprised us,” he says, because Coremetrics never owned the data or distributed it to an outside party. It simply recorded consumer behavior on Toysrus.com, repackaged it, and gave reports back to the company. At press time the suit was still in litigation, but Coremetrics has taken steps to avoid such problems in the future. “As we work with clients, we step through a process of educating them,” Blaber says, and the company now insists that each client notify its customers of Coremetrics’ service. After

It’s not just b-to-c companies that are vulnerable. Privacy violation can be even more damaging in the business-to-business world, where leaked information can be of serious strategic significance to the victim. Herath was particularly concerned about the company’s sales force. Decades-old prospecting techniques used by insurance agents would soon become illegal under the GrammLeach-Bliley Act and violate Nationwide’s new policies. For 3

Article 53. Too Close for Comfort compared with only 20 in 1999. (Among companies that already had a privacy policy in place, only 80 percent complied with their policies, Ponemon estimated while at PricewaterhouseCoopers.) Everett-Church suggests that companies also need an internal expert who can manage privacy issues throughout the company. “Respect for customer data has to permeate a company’s contacts with its customers, continually reassuring them that they are protected,” he says. “That’s more than just someone in the legal department slapping a privacy policy on the company Web site. Sales and marketing people must be in on the privacy story.” Communication must go both ways, he adds, with salespeople and marketers receiving training on privacy policies and procedures while helping privacy officers develop rules that meet their clients’ expectations. “[Sales executives] are learning that they have to take a proactive step to explain their practices and policies so they won’t be misrepresented by those who are critical of marketing and advertising,” DoubleClick’s Polonetsky adds. “Instead of focusing on the specifics of technologies, we need to explain simply what’s taking place. As everyone understands the reality of how the technology is used, it increases consumers’ comfort level.” Successful communication also benefits a brand’s image. “When you’ve got other companies out there that aren’t clued in on these issues, you can differentiate yourself by giving customers more control over their privacy,” Everett-Church says. “Trust is something that is very hard to build and easy to lose, but if you incorporate it into your message, it can be a huge advantage.” That’s why it’s crucial that sales and marketing teams focus on matters of privacy. “They’ve absolutely not yet paid enough attention,” Ponemon says. “The mindset of sales and marketing executives has been that privacy is the nemesis of marketing. Yes, respecting privacy creates some roadblocks and barriers. But ultimately, it’s about knowing your customers and what they want and expect. It’s not necessarily antagonistic.”

his experience, Blaber suggests that in any business partnership, if any consumer data is shared, the partner must live up to the same standards set in your own company’s privacy policy.

FOLLOWING THE TRAIL OF CUSTOMER DATA WHEN BUSINESSES ARE bought or sold, or salespeople change jobs, difficult questions arise about who owns customer data and how it can be used. Sales organizations are famous for high turnover, and when reps move from company to company, they often carry along their stash of customer information. This knowledge of purchasing habits and personal facts, along with contact names and numbers, could land the rep and her former company in a lawsuit, Vonder Heide says. “The stimulus for [current and pending privacy legislation] was the growth of electronic data exchange, largely through the Internet. But the rules aren’t limited to electronic methods. They cover the sharing of data in and of itself, and that sharing could be done in a word-of-mouth manner,” he says.

Salespeople, who trade daily in clients’ personal information, may be the weakest link in privacy protection. Few reps are kept up-todate on corporate privacy policies. When entire businesses are bought and sold, similar privacy quandaries emerge. CVS, a Rhode Island-based pharmacy chain, was hit with a class action lawsuit earlier this year as a result of its acquisition of 250,000 customer records from the purchase of 300 independent pharmacies. The suit was launched by an AIDS patient who felt violated by the sharing of information that clearly identified him as having the disease. Although there is no legal precedent regarding the sale of pharmacy records, Vonder Heide says there is no reason to believe that courts will not find companies liable in groundbreaking cases. “There’s a certain danger now because of the litigious society we live in,” he says. “You have all kinds of parties looking for test cases. If individuals feel they were wronged because their information was shared, they’ll have no trouble finding a lawyer to take the case on a pro bono basis.”

THE MARKETING CHALLENGE MICHAEL MIORA, a consultant with the ePrivacy Group, in Playa del Rey, California, summarizes the situation marketers face when dealing with personal information as “the privacy paradox.” He says, “on the one hand, people want more privacy. They want the sites they visit to know less about them, but on the other hand, they only want information that’s relevant to them to come into their mailbox.” The solution is effective marketing communication—understanding customers’ concerns, addressing them in policy, and sending the right message about why your company can be trusted. Violate customers’ perceptions of privacy once, and they may never come back, says Ponemon, so the time to look at your company’s privacy practices is now. In the meantime, salespeople and marketers maintaining stockpiles of customer data had best keep their mouths shut.

COMMUNICATING PRIVACY TO CUSTOMERS WHEN IT COMES time to confront the privacy issue, many companies turn to experts like PricewaterhouseCoopers or Ernst & Young to create policies and ensure enterprisewide compliance. In 2000 PricewaterhouseCoopers completed 200 privacy audits

ASSOCIATE EDITOR MARK MCMASTER CAN BE REACHED AT [email protected]

4

ANNUAL EDITIONS

Are You Putting Your Customers’ Privacy at Risk? WITHOUT A CLEAR privacy policy, your customers may be wary of offering personal information and your sales force won’t have a code of contact to adhere to. Here are what industry experts say are the four components to an airtight privacy policy:

ACCESS The ability for consumers to review the data that has been collected, then correct any errors that could result in misrepresentation or shoddy marketing, is another must for companies that collect large amounts of data.

NOTICE A clearly written and easily accessible privacy statement allows people to understand what information is being collected about them.

SECURITY Companies must ensure that the systems and procedures used for collecting and storing customer information are protected enough that employee error, technology problems, or data theft won’t jeopardize clients’ privacy. “Even if you’ve developed the best policy, if suddenly your Web server goes berserk and shoots out personal information all over the Internet like a garden sprinkler, then you’ve got bigger problems,” attorney Ray Everett-Church says.

CHOICE Customers should be able to decline the sharing or collection of information if they so desire. A simple e-mail form or check box should be presented at the time information is gathered so that clients can decline to participate. Opt-in policies require a customer to explicitly give approval before data is shared, while less restrictive opt-out policies assume customer consent unless they otherwise give notice.

—M.M.

From Sales & Marketing Management, July 2001, pp. 42-48. © 2001 by Sales & Marketing Management. Reprinted by permission.

5