Where your personal data goes when you're not looking

What businesses know about any given individual is a lot. But what are companies doing with that data? Not as much as you might think -- at least not yet. Companies are getting more sophisticated, however.

The trove of data that's out there includes:

Traditional offline data gathered by credit bureaus and data aggregators, including public data from telephone directories, court and property records

User account data collected and retained by businesses with which consumers have purchased products or registered for services

Data from online activity including searches, social media profiles and tweets, mobile app activity and Web browsing habits

Add to that relatively new data types, such as that from "scoring" methodologies (PDF) that use data about people to predict their future behavior. Other new data types include:

Data from fitness devices and other "Internet of things"

Emerging retail store tracking systems that may soon identify you through face recognition as well as monitor your location as you move through a store

Location data from your smartphone that lets apps track where you are, how fast you're moving -- even the direction in which you're heading and where you're likely to be going given your previous travel history

It's no surprise, then, that people worry about what businesses are doing with all that information. (For more about how to protect yourself, see: "The paranoid's survival guide, part 1.")

More often than not, however, the answer is that businesses aren't doing as much as they could be. Enterprises face regulatory and technical hurdles that make combining the data they have difficult; some data types and uses of consumer data are highly regulated; and companies usually don't like to share core customer data externally for competitive reasons. When they do, that data is usually boiled down to basic demographic and interest categories and then aggregated for marketing purposes. If the data is being shared with third parties for the purpose of online advertising, personally identifiable information is usually removed. (See related story.)

Too many silos

Most businesses can't even integrate all of the data silos they have cost effectively, much less run sophisticated analytics across all of it or accommodate new data sources, such as the unstructured data streams derived from social media.

In the online advertising world, the behavioral advertising industry has developed a high level of sophistication and expertise, but most of corporate America -- including the manufacturing and consumer products sectors -- remains in the early stages of data integration, says Jim Adler, vice president and chief privacy officer at Metanautix, a firm that specializes in data integration within and across companies. "They're still trying to understand what they have" and the data flows for all of it, he says.

As those repositories of consumer data continue to slowly, steadily converge, however, the ways in which businesses interact with consumers will need to change if they are to head off the kinds of consumer privacy and trust headaches that have already confronted traditional data aggregators and the online behavioral advertising industry.

"Transparency overall will need to increase as these environments become more complex and intertwined," says Leigh Feldman, chief privacy officer at American Express Co. The financial and travel services company now has privacy professionals aligned with each business unit. "Privacy will be a competitive differentiator for companies over the next five years," he says. And in addition to offering transparency so users understand what's happening with their data, Feldman says it's important to present meaningful choices that let the user decide how their data can be used, and to guarantee customers that their data will be handled in a responsible fashion.

Regulatory minefield

Traditional types of data -- such as healthcare information and banking records -- and some uses -- such as for identity verification, insurance underwriting, employment or to assess creditworthiness -- are regulated. But the increasing use of personal data for marketing purposes, gathered both offline and online, has fewer regulatory controls. That's a big data bucket. And inappropriate use of that marketing data -- such as for making hiring decisions -- can get a company into hot water with regulators.

Businesses face a jigsaw puzzle of laws and regulations that govern certain types of data assets as well as how information may -- and may not -- be used for some types of decisions, says Tony Hadley, senior vice president of government affairs and public policy at data aggregator Experian. "The overarching regulation of marketing data comes from a mosaic of smaller state and federal laws," he says, as well as from the standards governing ethical practices put forward by the Direct Marketing Association and other professional groups.

One problem, says Metanautix's Adler, is that when companies use marketing data about consumers for purposes other than marketing they can get into trouble. For example, a business that uses information from Facebook or Twitter to make a negative hiring decision -- and does not disclose to the applicant that the information was used in that decision -- can run afoul of the Fair Credit Reporting Act, which governs how data may be used for employment purposes.

"You cannot use marketing data for credit or employment eligibility. There's a firm firewall between those two uses. If you break it the FTC will come after you," says Hadley. "And if someone is taking consumer data and mining it in such a way as to be abusive to customers, that's something the FTC could clean up under its deceptive trade practices."

Offline/online convergence: It's complicated

Just a few decades ago businesses knew very little about their customers beyond name, address and what they bought -- if they used a credit card. Data aggregators like Acxiom and Experian provided personalized demographic data to marketers -- that you are 42 years old, own a truck, like to golf, are married and so on -- to help companies better target advertising and marketing dollars to customers and prospects. That offline data was -- and still is -- culled from public records, surveys and what Acxiom chief global privacy officer Jennifer Barrett Glasgow calls "summarized or aggregated purchase information."

The data about you is personally identifiable information (PII), but gets transformed into generalized, but still personally identifiable, demographic data before it's used. For example, Acxiom might license the subscriber list from a golfing magazine as an input into its scoring mechanism, but the data aggregator agrees not to identify you as a subscriber. Instead, it uses the information and data points from many other sources -- your golf club purchases, for instance -- to determine that you fit into its list of people who like to golf.

Businesses buy these buckets of consumer demographic data to match up with their own customer records for direct marketing and upselling, and they can buy a prospect list of people assigned to an interest group that presumably will be more likely to buy a given product. The advertising message then gets disseminated either through direct mail, telemarketing, email or text messages.

The evolution of online data has led to different practices for gathering data, but with the same objective, says Mike Zaneis, executive vice president and general counsel for the Interactive Advertising Bureau (IAB), an industry trade association. "Consumers don't care if you send them relevant ads, but they don't want you to know their browsing history," he says. So advertisers use cookies to track online activity of website visitors, and that activity is linked to a cookie ID tied to a specific browser on a specific device. The activity is not tied to the individual -- unless the individual has self-identified by registering with a given website.

In the mobile world there's a recognition that access to more sensitive data -- such as apps that want to access the user's location, friends list or address book -- requires a higher level of consumer consent, says Zaneis. The industry has attempted to address that by extending the Digital Advertising Alliance's privacy principles to mobile advertising. "I'm not sure that business practices are as advanced as we're led to believe in the mobile space," he says. "But because that data is available, whether it's really being utilized or not is not as important as the perception that it will be."

The offline and digital worlds have been converging for some time, says Leigh Feldman, chief privacy officer at American Express Co. "Over the next two to five years the distinction between offline and online will for all intents and purposes go away." And as those worlds converge, more information is becoming available for businesses to collect than they know what to do with. The analysis is more complicated, but the end game is the same: To get ads and offers in front of the people who are most likely to buy a given product or service. "The old-fashioned direct marketing ...has moved online, but it's the same activity," Barrett Glasgow says.

But those two worlds have very different rules as to how consumer data may be used. "The offline world is all personally identifiable data. The online world is either anonymous or identifiable [if the user has self-identified by creating an account]," says Barrett Glasgow. Advertising networks track online activity and build interest profiles that link to cookie IDs rather than PII -- as required by the code of conduct put forth by the Network Advertising Initiative, an industry trade association.

The ad networks have behavioral advertising data (browsing histories) linked to cookies. Data aggregators have interest and purchase data linked to your PII. If existing customers have self-identified on a business' website, Web publishers and advertising networks can match up both data sets to predict more accurately who is most likely to respond to an ad.

But combining data from offline and online resources to deliver targeted advertising requires an elaborate dance, called cookie syncing, to ensure that a third-party advertising network does not receive any PII, says Barrett Glasgow. First the publisher sends the data aggregator, such as Acxiom, the PII data for its registered customers so it can be matched with the aggregator's profile data.

Acxiom then places a cookie on the user's computer and gives a code to the ad network, which uses it to read the Acxiom cookie and pull the relevant demographic and interest data associated with it. It then uses both data sets to determine the most appropriate ad to send to the user. "In the online space there's this whole added dimension of complexity around anonymity," Barrett Glasgow says.
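The two data flows described above, the aggregator deriving an interest segment from several sources without naming the licensed list it came from, and the cookie-sync dance that keeps PII away from the ad network, written out as a small Python simulation. This is an added example, not code from the article, from Acxiom or from any ad network: the three parties, the sample people, the cookie domain `aggregator.example` and the rule that two matching signals place someone in a segment are all constructed assumptions.

```python
import secrets

# --- Constructed sample data (not real people, not a real aggregator) -------
# Offline sources are keyed by PII, here "name|postal address".
MAGAZINE_SUBSCRIBERS = {"golf_monthly": {"Alice Smith|12 Oak St"}}
PURCHASE_SUMMARIES = {
    "Alice Smith|12 Oak St": ["golf balls", "garden hose"],
    "Bob Jones|9 Elm Rd": ["running shoes", "gym bag"],
}
PUBLIC_RECORDS = {
    "Alice Smith|12 Oak St": {"age": 42, "owns_truck": True},
    "Bob Jones|9 Elm Rd": {"age": 31, "owns_truck": False},
}
# Signals that count toward an interest segment (assumed rule: two needed).
SEGMENT_SIGNALS = {
    "golf": {"golf_monthly", "golf balls", "golf clubs"},
    "fitness": {"running shoes", "gym bag", "protein bar"},
}


def build_profiles():
    """Aggregator step: derive interest segments from several sources.
    The output names the segment but never which source contributed,
    so the licensed magazine list is not exposed as such."""
    profiles = {}
    for pii, demo in PUBLIC_RECORDS.items():
        signals = set(PURCHASE_SUMMARIES.get(pii, []))
        signals |= {mag for mag, subs in MAGAZINE_SUBSCRIBERS.items() if pii in subs}
        segments = {seg for seg, wanted in SEGMENT_SIGNALS.items()
                    if len(signals & wanted) >= 2}
        profiles[pii] = {"demographics": dict(demo), "segments": sorted(segments)}
    return profiles


def cookie_sync(publisher_registrations, browsers, profiles):
    """The sync described above: publisher -> aggregator (PII of registered
    users, matched against profiles); aggregator -> browser (a cookie holding
    a random sync id); aggregator -> ad network (sync id -> profile data).
    publisher_registrations: {browser_id: pii} for self-identified users.
    browsers: {browser_id: {cookie_domain: value}}, simulated cookie jars.
    Returns the lookup table handed to the ad network; it carries no PII."""
    ad_network_table = {}
    for browser_id, pii in publisher_registrations.items():
        profile = profiles.get(pii)
        if profile is None:
            continue                     # no match, nothing is synced
        sync_id = secrets.token_hex(8)   # random, not derived from the PII
        browsers[browser_id]["aggregator.example"] = sync_id
        ad_network_table[sync_id] = profile
    return ad_network_table


def choose_ad(browser_cookies, ad_network_table):
    """Ad network step: read the aggregator cookie and pick an ad by segment."""
    sync_id = browser_cookies.get("aggregator.example")
    profile = ad_network_table.get(sync_id)
    if not profile or not profile["segments"]:
        return "generic ad"
    return f"{profile['segments'][0]} ad"


def contains_pii(obj, pii_keys):
    """Return True if any PII key appears anywhere in a nested structure."""
    text = repr(obj)
    return any(key in text for key in pii_keys)


def run_demo():
    """Run the whole flow and return what each party ends up holding."""
    profiles = build_profiles()
    browsers = {"browser-A": {}, "browser-B": {}}
    registrations = {"browser-A": "Alice Smith|12 Oak St"}  # Bob never registered
    table = cookie_sync(registrations, browsers, profiles)
    ads = {b: choose_ad(cookies, table) for b, cookies in browsers.items()}
    return profiles, table, ads


if __name__ == "__main__":
    profiles, table, ads = run_demo()
    print(ads)
    print("ad network table contains PII:", contains_pii(table, PUBLIC_RECORDS))
```

The check worth noticing is `contains_pii(table, PUBLIC_RECORDS)`: the ad network's table is keyed by a random sync id and holds only demographics and segment names, so the name-and-address keys never reach it. The aggregator, by contrast, holds both the PII and the sync ids, which is exactly why the trust and transparency points made elsewhere in the article fall on that party.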

-- Robert L. Mitchell

Another problem can crop up when businesses don't follow their own privacy policies, as happened recently with messaging app vendor Snapchat. "The FTC is quite tenacious about companies violating their own privacy policies," and has created a body of common law through a series of consent decrees, says Adler at Metanautix.

Using data the wrong way

Businesses need to consider how private the data is to the individual and how perilous to the consumer the outcome might be if the data is divulged in unexpected ways, Adler says. He cites retailer Target's textbook case of unwittingly sending a mailer targeted at expectant mothers to a pregnant teenager before her father knew about her condition.

Target used analytics to determine that there was a high probability that the woman was pregnant, and had assigned her to that category. "They knew which customers were pregnant based on what they were buying. And that's where the conversation ended," Adler says. But the retailer failed to think through the implications of sending targeted marketing materials that clearly implied that the customer was pregnant -- a sensitive subject that the customer might not be ready for others to know.

It also feels a bit creepy, says Jules Polonetsky, executive director of the Future of Privacy Forum. Marketing is about having a relationship with the customer, he says. "Where it breaks down is when marketers don't understand the boundaries of those relationships. Here was this very personal experience and the user had no clue that this analysis was happening."

Marketers need to bring people along rather than let them uncover what may seem like unpleasant facts, he adds. For example, a few years ago Orbitz users were shocked to discover that visitors using a Mac were shown pricier vacations and accommodations than those using a Windows PC. "People were surprised and outraged," he says, but Orbitz might have avoided the problem had it been more transparent about how the recommendations were made -- and why -- at the time the user viewed them.

Similarly, misunderstandings over variable pricing practices online by Staples drew fire, in part because customers were left in the dark as to what the retailer was doing and why. Online businesses don't selectively raise prices when and where they can get away with it, says Jennifer Barrett Glasgow, chief global privacy officer for data aggregator Acxiom.
