If you collect data in any form from your customers, read this article in HuffPo and take notice. Why do you insist on doing things that a good portion of your customers will find incredibly invasive to their privacy? If you aren’t asking the question “would I like this?” you are really going to find yourself in the cross-hairs before too long. Just following the law isn’t enough to avoid attention. Think about how your customers will accept what you are doing.
My thanks to Kerry Childe for sharing this article on LinkedIn. It got me really thinking about this, and I thought I had something more to say.
I was amused by the lead-in of the HuffPo article, as if all we are worried about is the government tracking us and this kind of commercial conduct is new. What is new is that customers are asking why, and your disclosures are inadequate. The yardstick against which you are being measured is no longer in Washington or the state capital.
Privacy by Design Means Asking the Right Questions
Do you have a process that involves gathering data from users? Have you sat down and whiteboarded that process from beginning to end? If you answered no, you really need to wake up and smell the privacy. If you don’t believe me, you will wake up and smell the regulator knocking on your door, one day. Oh, and don’t forget the PR crisis.
What data do you need? Why do you need it? How will you collect it? How will you store it? How will you use it? What other internal processes can touch it? Why? What about external processes or partners? You need to ask ALL these questions, and more. Think about the lifecycle of the data, too.
When you get done answering all these things, bring in a neutral party and present it all to them. Let them react as a customer/user might. They should ask the hard questions. Listen to their reaction. Improve your process and controls. Then rinse and repeat.
I love Best Buy, don’t get me wrong. I also love Home Depot. But they failed here. Let me rephrase that. They failed their customers. They probably have a very valid legal argument to support what they did. But in the court of public opinion, they got it wrong.
Third Party Sharing – The Rub for Me
The third-party sharing here is troubling. Do I know who I am sharing my information with? If I am giving up my name and contact information to facilitate a return with Best Buy, do I know who else is getting that data? What about control of that data downstream? Remember the three-legged stool: value, notice and control. The Retail Equation (TRE) in the article says it doesn’t share data with other stores. However, it very plainly aggregates data and looks across its multiple partners. What really prevents them from selling this data?
How are you sharing data with third-party partners? This is where privacy by design becomes a bit harder. The concepts aren’t harder, just the reality. How familiar are you with the contract between your company and the third-party partner? Did you draft it? Did you review it? Or, like most companies, did someone who mainly does transactional work do all that for you? The problem with that scenario is that downstream privacy issues are hard for folks that don’t work in this area.
So, things like their use of your data might be up in the air. In the case of TRE, they are combining data across multiple partners, at least in an aggregate manner. I hope that all their partners were advised of this use when they agreed to sell their consumers to them.
Welcome to the New World, Just Like the Old World, Just So Much Faster and Easier
Ever since the first consultant shared best practices across companies, information about consumers has been shared. What is different here is that the cost of sharing data is small, and the computing cost of analyzing that data (even combined with other large data sets) is also small. The friction, if you will, is negligible. Therefore, any value I can get from that is a profit.
What about tagging frequent returners and applying a surcharge to their future purchases? They are obviously costing the company more money than other customers. Why shouldn’t they be charged more? Maybe return information should be included in the e-score that was talked about last year by the NY Times.
I don’t think this is intended. The issue is that it is so hard to have all that data and not monetize it further. If TRE hasn’t considered this, my apologies for putting the thought out there. Therein lies the whole problem with collecting vast data sets. There is also a worry about what happens if/when TRE dissolves. Who owns that data? TRE? Retailer? Consumer? Creditors?
Where is the Value?
In my three-legged stool of privacy protection, I am missing the value of this information exchange. I am getting my money back, you say. I should be getting my money back. Did I get a faster return? There is no value here to the consumer, only to the retailer. If you are looking for stores with good return policies, read this article on bankrate.com.
Protect Your Consumer as if They Were You
Start from the premise that you are the user and ask all the questions you can think of. Think of it from their perspective. Find yourself someone who understands not only privacy law, but the technology as well. This is only going to get harder.
I have joked to myself that this blog is becoming a privacy rant. With all the concern about government surveillance, it is only natural that we are looking at the whole universe of data collection. This is not the last time that we are going to hear about this. Technologists and lawyers need to do a better job of really thinking this out, or everyone is going to find themselves the subject of these types of reports. Everyone.