That was the focus of Thursday’s Loyalty360 webinar, “Data Privacy–Whose Business is it Really?” which was presented by Aimia.
Fatemeh Khatibloo, Senior Analyst, Forrester, began her data privacy discussion with that theme: “Privacy has become an everyman problem.”
“Privacy’s not dead, no matter what you heard,” Khatibloo said. “The new privacy is all about context. Online and offline lives blurring. The new privacy is all about context.”
Khatibloo told attendees that surveillance cameras popular in retail for loss prevention are now being used for behavioral tracking as well.
“Companies are routinely collecting more data than they really need,” she said. “People are looking for protection tools like ad-blocking tools and do not track settings in your browser.”
Khatibloo said companies’ privacy approach today is wrong. They implement privacy policies to meet regulation and compliance obligations; and to reduce the risk of data breach notification and publicized data breaches.
“They’re funding privacy to reduce their own risk,” she said. “What is we changed that paradigm and made privacy a competitive differentiator?”
There are two reasons to change how companies look at privacy, Khatibloo said.
“Regulation is coming and it’s largely about transparency, which most firms aren’t set up to do,” she said. “It causes public relations headaches— globally, nationally, and locally. Developers are breaking the advertising ecosystem. The other is opportunity. Privacy is a differentiator.”
The new privacy is all about context, she explained. Privacy (and its product, trust) is context-dependent:
People trust banks to “hold” their life savings but may not trust banks to keep their financial identities secure.
People trust Amazon with home address and credit card details and to provide targeted recommendations but they may not trust it with sensitive health data.
“Privacy must balance consumer desire and organizational need,” she said. “Privacy must be redefined to accommodate smartphones, biometric sensors, geolocation, big data, and ‘persistent recognition.’’’
Context enables control, choice, and respect by putting guardrails around:
• Data access and collection.
• Data use.
• Data sharing.
Contextual privacy addresses five questions:
Temporal: When can I collect info about and when can I use it?
Spatial: Where can I use data about you?
Functional: How can I collect and use data about you?
Identity: What persona are you when I interact with you?
Social: With whom can I share information about you?
“Consumers get value in exchange for their data, value they can control,” Khatibloo pointed out. “Value exchange will lead to greater trust, more loyalty, and more willingness to recommend businesses to others.”
She offered some tactical things companies can do immediately:
Practice a doctrine of no surprises
Provide a choice for participating
Explain what happens when customers opt out
Treat more data as personally identifiable
Provide more options
Do you address new types of data like social and device ID?
“It’s incredibly important to redefine what’s personally identifiable,” she said.
Khatibloo offered a four-step roadmap:
Build a cross-functional taskforce
Create an internal data privacy standard
Undertake an enterprise wide data audit
Draft a simpler two-tier privacy policy
Jeremy Henderson-Ross, Legal Director and General Counsel, Aimia told attendees the privacy debate has gone mainstream and he offered several guidelines. He said that companies demonstrate transparency when we:
• Make customers are aware what data we hold about them.
• Use plain language to explain our data rules.
• Make rules visible and clear to our customers.
• Explain what data is collected and how it is used and shared.
• Agree (in writing) data usage rules with our partners.
• Adopt a gold standard approach in the manner in which data is managed.
We fail to demonstrate TRANSPARENCY when we:
• Ignore or forget about the point of view of the customer.
• Hide information from customers about what data will be collected or how it will be used.
• Mislead customers by only saying half the story.
We demonstrate ADDED VALUE when we:
• Make partners and customers aware of the explicit value exchange.
• Regularly introduce new, enhanced valuable uses of data.
• Help our partners earn incremental revenues and build customer loyalty.
• Take a proactive stance shaping the debate on data by giving opinions to partners and regulators.
We fail to demonstrate ADDED VALUE when we:
• Fail to ensure our customers understand that by giving us their data that they get better services or offers as a result of allowing us to access their data.
• Fail to provide customers with the value they expect for providing their data.
We demonstrate CONTROL when we:
• Enable customers to control their data through relevant data choices.
• Monitor our systems to ensure data is held securely and proper safeguards maintained.
• Ensure partners and customers give informed consent on how their data is used.
We fail to demonstrate CONTROL when we:
• Ignore the fact that some data is more valuable than other data and therefore needs to be treated differently.
• Make it difficult for our customers to make changes to the data we hold.
• Fail to get the type of consent customers expect and the law requires.
We demonstrate TRUST when we:
• Use data as we say we will and in accordance with the consents given.
• Act with integrity and trust in all aspects of the use and handling of data provided to us.
• Embrace not just the letter of the law but its spirit.
• Seek out external gold standards for holding and managing data.
We fail to demonstrate TRUST when we:
• Use data in a way that the customer did not agree to or know about.
• Fail to put the customer’s interest at the heart of the decisions on data.
• Mislead customers by generating revenue from data which isn’t agreed upfront.