Privacy: Do Consumers Really Care?
The discussions of panelists at a recent conference sponsored by the Wharton School of the University of Pennsylvania touched on a point that I've been making for years: to most consumers, "information privacy" is like the weather. As Mark Twain put it, "everybody always talks about the weather but nobody ever does anything about it."
Consumers say they want privacy online although they often behave in ways that contradict those statements by, for example, posting intensely personal information and photos on public websites. Companies insist that they will protect privacy, although they sometimes fail to do so. And everybody is wary of increased government regulation; indeed, some people worry more about potential government misconduct than about corporate abuse.
Of course, for "privacy consultants" and others who specialize in "privacy compliance" (including attorneys), staking out the position that consumers really care about the ways companies (including banks) collect and use personal information about them helps them sell those companies their expertise in complying with privacy laws and "fair information practices." Financial institutions have had to comply with the privacy provisions of Gramm-Leach-Bliley Act for the last six years, with the Fair Credit Reporting Act's provisions on information sharing (particularly among affiliates), with various federal regulations and guidelines concerning information privacy and security, and with various state laws that deal with the same issues. Banks have a unique position, in that they have traditionally been institutions that have been expected to protect the confidential information they obtain on their customers. Therefore, they've been "ahead of the curve" in this area in some respects.
Even without those laws, however, there has been a general assumption that businesses that collect personal information about consumers, especially businesses that collect such information over the Internet, must follow "fair information practices" in order to comply with consumer expectations. Failure to meet those expectations endangers the business. At least, that has been conventional wisdom.
Panelists Declan McCullagh, who covers technology issues for CNET News.com (and whose articles are frequently linked in this blog), and Steve Johnson of Choicestream, were spot-on with the following observations:
McCullagh suggested that most complaints about privacy problems on the web come not from consumers, but from "the privacy fundamentalists -- the pro-regulation privacy groups -- and the politicians, who are always trying to get their names in the newspaper." After Google introduced Gmail, for example, a California lawmaker introduced a bill to ban the service. McCullagh argued that consumers accept existing safeguards as long as they believe they are getting better prices or programming in return for relinquishing personal details.
Panelist Steve Johnson, chief executive of Cambridge, Mass.-based Choicestream, which makes personalization software for websites, agreed. "There is a simple divide in the world of consumer profiling -- the type consumers like and the type they don't. Consumers don't like it when they have no control, when they are being watched with so-called spyware or when they can't opt out. But they like it when they can see that data can be opted out of and when the watching is done by a trusted source like Amazon or iTunes."
In addition, consumers are less likely to try to disguise their identity by lying about themselves in site registrations if they believe that their details will be used to serve them, he said. "With The New York Times, if you are willing to share personal information, you get the most relevant book reviews. So you don't have any incentive to spoof it."
Making full disclosure, I worked for a privacy consulting firm, not as an attorney, but as a "consultant." During that time, I once had a discussion with a partner with the consulting arm of one of the Big Four (now, Big Three) accounting firms, who was talking about the approach to marketing consulting services in general, and privacy consulting services in particular. He said that you had to convince the CEO that there was a [expletive]storm coming and that you had the umbrella. Apparently, many companies bought the umbrellas. Many are convinced that consumers actually care about privacy and that their concern influences their behavior. Another big-time consultant apparently disagrees.
[Gil] Brodnitz [a partner at Accenture] also suggested that companies fret too much about the potential downsides of protecting privacy. They worry, for example, that most customers might reject being marketed to based on their personal information. But consumers, he pointed out, like the idea of privacy more than they like to ensure the protection of theirs. "Everybody wants a privacy policy, but nobody wants to read it. What companies need to realize is that people want the ability to opt-out even if they never do it."
Privacy protection isn't just an obstacle to making money, Brodnitz added. It also presents opportunities. Companies that already occupy trusted positions, like brokerages and law firms, might present themselves as protectors and brokers of private information. Consumers might authorize them to make judgments about when and to what extent personal information should be released.
According to another panelist, Brooklyn School of Law professor Wendy Seltzer, that business model won't make sense until the federal government rationalizes the hodge-podge of state privacy laws, something this blogger has been bleating about for some time.
We don't have an overarching data privacy law, and companies therefore have to contend with a patchwork of federal and state laws.
I think another major issue not discussed in the article is that many consumers speak about "privacy" concerns when they are really referring to "security" concerns. Phishing and other online fraud schemes, hacking, data security breaches, lost backup tapes and laptops, and other instances of failure of companies, including banks, to protect the security of their personal data from criminals is what appears to be getting most of the press these days. While it's necessary to comply with the law on information privacy practices, including sharing of information, what appears to me to be the most critical "consumer-driven" marketing issue is IT security, not collecting and sharing information in order to market products and services to consumer that they might actually wish to purchase.
Comments