Tread carefully on privacy

By Published on .

For Eli Lilly & Co., it was a case of an adverse reaction. Not from one of the pharmaceutical giant's medications, but from an online CRM effort that, due to an innocent mistake, caused a privacy blunder.

Two years ago, Lilly started an e-mail campaign reminding more than 600 users of its depression, bulimia and obsessive-compulsive disorder medications to take their dosages. Feedback was positive, but last June the company reportedly decided the list was ineffective as a marketing tool and notified subscribers via e-mail that the service was about to be discontinued. Due to a technical glitch, every person who received the message was able to view the entire list of e-mail addresses. While Lilly quickly apologized and stressed that the company takes privacy issues seriously, its reputation took a major hit.


Marketers find the Internet a valuable medium to foster relationships with their customers and learn more about them, but failure to protect consumer privacy can result in severe and lasting damage, even if it doesn't attract the attention of government regulators. "The struggle between privacy and personalizing services or offers over the Web is going to be one of the quintessential struggles of the next 20 years," says Jupiter Media Metrix analyst Rob Leathern. "You're going to see companies weighing the desire to market more precisely against the concern that their customers will revolt if information about them is used improperly."

Online privacy issues have clearly struck a chord with regulators. This year alone, more than 250 pieces of privacy legislation have been put before Congress. There already are comprehensive-if flawed-regulations covering the use and sale of healthcare information (Health Insurance Portability & Accountability Act) and financial information (Gramm-Leach-Bliley Act), as well as rules limiting the collection of information from children under the age of 13 (Children's Online Privacy Protection Act). While the Federal Trade Commission's new chairman, Tim Muris, said earlier this month that no further legislation on adult privacy is on the immediate horizon (AA, Oct. 8), he promised the FTC will increase by 50% the resources dedicated to privacy protection.

But marketers plying customer relationship management programs on the Web need to take privacy issues seriously. "There's so much rogue business [that poses privacy concerns] on the Internet," says Bruce Culbert, senior VP-global practice leader for CRM at KPMG. "Here I am, a so-called expert, and I can't tell you the extent of it."

As much as companies continue to preach the CRM gospel, there are relatively few cutting-edge one-to-one marketing techniques currently being employed online, experts say. One of the main reasons is that marketers are unwilling to stick with a tactic that doesn't generate immediate results in a down market. So fledgling companies and established brands alike are largely resorting to tried-and-true direct marketing tactics that can pose privacy risks if the user isn't careful.


Such tactics include unsolicited mailings-"spam" e-mail in the cyberworld-and quid pro quo value propositions. To explain the latter technique, True Audience President-CEO Dave Morgan says: "If you're giving medicine to a dog, you put it inside some peanut butter. Tell consumers what you're going to do, but give them something for it."

Consumers commonly disclose their names, e-mail addresses and some limited demographic information in return for e-mail updates from, say, their favorite magazine. Or a company, based on a consumer's prior orders and stated interests, e-mails recommendations and offers one-click ordering in the body of the message.

While these techniques sound simple, they still can raise consumer ire: People may want a financial services company to remember their personal information and customize offers for them, but those same consumers object when they learn the company is compiling this information or tracking their online activity.

"Consumers are very schizophrenic," Mr. Leathern flatly says. "They want their privacy, but they're willing to give out information for entry into an online sweepstakes."

Besides, the reality is that nearly every piece of information tells marketers something about the person who provides it. "Your ZIP code alone says something about your income level," says David K. Black, a manager in Accenture's global technology integration services security specialty.

Most privacy problems revolve around the way that information gleaned from CRM efforts is used, observers say. Sometimes there's a gap between what a consumer expects a company will do with it and what the company's privacy policy explicitly says. "It's not malicious. It just tends to get out of control," says Kevin Mabley, VP-operations for Cyber Dialogue subsidiary UCO Software.

A more serious privacy issue, however, may be the aggregation of personal information knowingly entered by the consumer with information acquired about that consumer anonymously (by tracking his or her "click path" through the Web, among other methods). "Say I go to a health site and sign up for a newsletter, and give them my name and e-mail address," explains Randy Broberg, chief privacy officer and general counsel for WebSideStory, a company that provides analysis of Web site navigation patterns. "Then, over the next few months, I look up various diseases on the site. Now they have that knowledge linked with my name. A lot of people find that scary."

The obvious way to avoid privacy pitfalls is to be as honest with consumers as possible, telling them when information is being collected, how it will be used and with whom it might be shared. Consumers also should be given the ability to opt out of all future marketing communications-"make it as simple as clicking a link rather than having to handwrite a letter in French to say you're not interested," quips Forrester Research analyst Chris Kelley. A link to the company's formal privacy policy should be displayed prominently.


Ironically, companies often go too far when they try to take care of privacy issues once and for all. "Sometimes they don't understand the limiting effect [the policies] could have on their business," says Bill Wilhelm, a senior associate at Washington-based law firm Swidler Berlin Shereff Friedman. "They may reassure customers, but midway through a marketing campaign, companies will realize that what they've really done is [needlessly] restrict themselves."

When an online CRM program does go awry, a company may find angry customers abandoning ship. Also, the company may sail into the FTC's crosshairs, which could result in fines and litigation.

As for the future, most observers predict the passage of industry-specific bills, such as HIPAA or Gramm-Leach-Bliley, rather than sweeping federal privacy protection legislation. And, of course, marketers swoon over the possibility of using location-based marketing techniques to reach users of cell phones.

Additionally, there's a veritable cottage industry of companies offering "software solutions" designed to prevent one-to-one marketers from running afoul of privacy rules, both their own and the government's. But given the uncertain regulatory atmosphere, it's questionable whether such solutions will prove anything more than a short-term fix.

"The FTC will eventually go hunting," predicts Mr. Wilhelm. "When they do, they're going to have to shoot some elephants."

In this article:
Most Popular