Getting to Know You
Corporations have an insatiable appetite for personal data about the habits of consumers. Critics say they shouldn't compile it without asking permission.
Tracey Thomas, an engineer who works in San Francisco, got a personal introduction last year to the new world of Information Age marketing. She wasn't exactly impressed. In fact, she was horrified.
A stockbroker she didn't know, representing a company to which she thought she had no connection, called her and began describing her financial holdings in precise detail. The salesman, who presumably got the information from the bank where Thomas had recently applied for a mortgage, said he could show her how to make more money. But his casual familiarity with her personal finances outraged Thomas, who had just spent a year trying to restore her credit rating after an identity thief had run up thousands of dollars of bogus credit card charges in her name. How many other people might have access to her Social Security number, she wondered. Worse yet, how many strangers had access to her bank account number, or knew what stocks she owned? And what gave this disembodied voice the right to interrupt her in her own home and use her personal information to sell her a service she didn't want?
"I can't believe you have this information," Thomas recalls saying as she cut the broker off. "This is my business and nobody else's. Don't ever call me again." Months later, she still fumes about the incident. "People always predicted that government would be Big Brother," she says, "but Big Brother isn't government, it's big corporations. They seem to think they have some fundamental right to push their products on people."
Thomas isn't alone. While American businesses take great pride in their ability to use computers and massive databases to find new customers and provide them with an array of products finely tuned to meet individual needs, many consumers consider this corporate information machine invasive and paternalistic.
Legislatures around the country are responding to those concerns. Last year, efforts to establish broad controls on corporate data use were launched in California, Connecticut, Georgia, Maryland, New Mexico, North Carolina, Oregon and Virginia. Business lobbied heavily to defeat them, and none of them made it into law. Indeed, three states--Florida, Maine and North Dakota--actually relaxed their privacy laws to conform to less stringent federal requirements, and a fourth, Vermont, narrowly defeated a push to soften its restrictions on corporate sharing of consumer information.
But the longer-term outlook may be different. Polls consistently show that a substantial majority of Americans believe businesses shouldn't be allowed to share information about them without their approval. What's more, public anger is building. After North Dakota's legislature relaxed its privacy protections last year, outraged voters collected enough signatures to put a measure to reverse the action on this June's statewide election ballot. Elsewhere, state lawmakers have introduced some 600 bills designed to crack down on identity theft, telemarketing and information-sharing by retailers. That is almost twice as many as last year, according to StateScape, a legislative tracking service. "The readiness of state legislators to propose and enact broad new consumer privacy protections remains high," warns the journal Privacy & American Business. "This outlook is shared by both Republicans and Democrats, and conservatives as well as liberals. And all types of states are taking these actions, large and small, and in all regions."
The focus of attention at the moment is California, where the debate centers on two simple and competing concepts: "opt-in" and "opt-out." State Senator Jackie Speier is pushing legislation that would allow companies to share customer information only if customers themselves opt-in by returning a form specifically authorizing the practice. Speier introduced her bill last year partly in response to a 1999 federal law that allows unrestricted information-sharing between financial companies and their affiliates, and requires only that consumers be given a chance to opt-out from information-sharing with unrelated companies. "Silence on the consumer's part should not equal consent for companies to sell your personal information to the highest bidder," Speier says. "These institutions should be required to get your permission prior to selling your private information, or at least allow you to easily opt-out. The onus should be on corporate America."
Speier's opt-in bill cleared the state Senate and came within nine votes of passage in the Assembly last year, falling short only after business lobbyists persuaded a group of conservative Democrats, with the blessing of Democratic Governor Gray Davis, to refrain from voting. Speier has renewed the fight this year, and a showdown seems likely before the end of the year.
Although Speier has offered concessions, business groups continue to attack any form of opt-in requirement. They contend that most people wouldn't take the time to read privacy policies, and wouldn't bother to authorize companies to share information about them even though they might not object to the practice. While surveys by Privacy & American Business suggest that as many as 75 percent of Americans would accept marketing based on consumer profiles in at least some circumstances, major financial institutions told Ernst & Young in a 2000 survey that only 10 percent would actually take the steps needed to provide formal consent in an opt-in world.
"Everybody in this debate agrees that consumer choice is appropriate," says John Ross, a prominent Sacramento lobbyist who represents a number of financial services companies. "The debate breaks down over how you effectuate that choice. We believe you can provide clear choice through opt-out in a way that doesn't cripple the ability of business to market products and serve customers."
Unfortunately, many companies have rendered the opt-out approach almost meaningless by obscuring consumers' options in notices that are wordy, jargon-filled and often downright misleading. Mark Hochhauser, a "readability" consultant from Golden Valley, Minnesota, who analyzed 60 privacy notices issued by financial institutions under the new federal law, concluded that they required, on average, a third- or fourth-year college education to comprehend.
Consider this language in a notice that the diversified financial company Citigroup sent its customers last year: "Unless otherwise permitted by law, we will not share with our affiliates other information that you provide to us or that we obtain from third parties (for example, credit bureaus) if you check Box 2 on the Privacy Choices Form." This awkward sentence appears to suggest that the consumers can prevent the company from sharing information about them. But a close reading shows that checking Box 2 would be meaningless--it only would prevent Citigroup from doing what it is legally prohibited from doing anyway. With privacy notices like that, it shouldn't be surprising that a survey by the American Bankers Association last summer showed that fewer than 1 percent of consumers had exercised their opt-out right under the existing federal law.
Many business leaders seem almost befuddled by the continuing consumer angst over privacy. "The consumer is uneducated," complains Jennifer Barrett, chief privacy officer for Acxiom Corp. "If consumers take the time to understand why business needs information and the benefits that translate back to them, they say okay, but we rarely have the time or the consumers' attention to get through that dialogue."
Acxiom, which describes itself as a "consumer data integration company," helps companies analyze information they collect about their own customers. Then, it scans its database of 164 million individuals for people who fit the same profile--and thus might be good candidates for other direct marketing programs. Acxiom's database, compiled mostly from public records, surveys and product warranty cards, can spit out on demand lists of people classified by income, education, place of residence, whether they own or rent their homes, how much equity they have in their homes, the number and ages of their children and numerous gauges of their purchasing behavior and lifestyle, such as whether they like to buy antiques, read the Bible, participate in politics, or gamble at casinos. The company had $1 billion in revenues last year.
Barrett insists that it trades in people's names in such volume as to be virtually anonymous (Acxiom sells names to direct marketers by the millions). Businesses planning direct-marketing campaigns aren't interested in collecting profiles of individuals, she argues. (That may be true, but somebody is. The Wall Street Journal reported last year that ChoicePoint Inc., which is based in Alpharetta, Georgia, sells dossiers on individuals to employers and 35 federal agencies. The files are compiled from public records and are made available only to law enforcement agencies and other entities with a "legitimate" need for them--such as employers wanting to check the backgrounds of people applying for sensitive positions--according to James Lee, vice president for communication. "If you want information on your neighbor, we don't sell it," says Lee.)
Businesses also argue that profiling reduces the amount of junk mail by enabling them to aim their mail solicitations at the consumers most likely to be interested. Without such targeting, the volume of junk mail would be three to six times higher than it is today, asserts Cynthia Glassman, a former director at Ernst & Young.
Glassman, whom President Bush just appointed to the Securities and Exchange Commission, says the free flow of information saves the average household $195 and four hours of time each year. Information- sharing among affiliated financial companies speeds up approval of loan applications and allows retailers to verify checks and credit on the spot, she adds. Banks can offer investment products to a person who has just paid off his student loans, or reduce insurance premiums for someone with a good driving record, for example.
Consumers might react a little more appreciatively about some of these benefits if businesses weren't so secretive about their information-collection methods. There is, for example, the practice known as "reverse appending": A merchant keeps credit card numbers of people who shop at his store, and then forwards the numbers to a credit-rating agency, which links them to names and addresses in its database and returns the information to the merchant. That way, the store can send customers catalogues or other mailings and not bother about obtaining their permission. Consumer advocates also complain that businesses deceptively lead customers to believe they must return "product registration" cards, which ask for volumes of personal information about buyers, in order to lock in warranties. In fact, receipts are sufficient for that purpose.
Technology keeps creating new methods for surreptitious information- gathering. Until the Connecticut Department of Consumer Protection intervened, a car rental company last year tried to charge a customer $400 for speeding after it tracked him with the vehicle's Global Positioning System unit. And while a growing number of consumers are aware of computer "cookies," small bits of information that Web hosts plant on their computers to track how they use the hosts' Web sites, fewer know much about far more aggressive "adware" or "spyware"-- software programs that, after being downloaded onto an unsuspecting customer's computer, quietly track every site a consumer visits.
Some businesses have hurt their case by being notoriously lax about protecting the confidentiality of customer information. Larry Ponemon, a consultant who audits corporate policy practices, has compiled a number of horror stories: a major hotel chain that shared lists of the movies its individual patrons watched--including pornographic films-- with affiliated hotels and restaurants; a national diagnostics laboratory that sold the results of medical tests to companies trying to determine what health care products people might need; a major pharmaceutical company that hired telemarketers to call patients at home to remind them to refill their prescriptions.
The potential for more such abuses is real. Last year, three major telephone companies, Qwest, Ameritech and Verizon, all asserted that they had the right to share information about their individual customers unless the customers expressly directed them not to do so. The companies suggested they wouldn't share the most personal information, such as the specific numbers people call, but they didn't exactly say they wouldn't, either. "The notice does not describe what information will--and will not--be shared," said Michigan Attorney General Jennifer Granholm, referring to Ameritech's stated policy. Ultimately, Qwest responded to a public outcry by backing down. "When many of our customers tell us that they're concerned or don't understand what we're doing, it's time to stop the process and make a change," said Qwest Chairman and CEO Joseph P. Nacchio.
Back in California, Senator Speier has tried to compromise in hopes of picking up support for her bill. She has agreed to scale back the opt- in requirement so that it would apply only to information-sharing between unrelated companies. Information-sharing among affiliated companies would be subject to the looser opt-out requirement. That has not been enough to satisfy Governor Davis and the pro-business lawmakers, though. State Assemblyman Tim Leslie, who at various times has proposed both opt-in and opt-out legislation, believes Speier will have to compromise further; he predicts lawmakers ultimately will reject any form of opt-in requirement and will simply require companies to make their privacy notices more readable.
Whether this milder form of regulation will satisfy consumer advocates remains to be seen. Some have raised the possibility of following the North Dakota model and launching an initiative drive if the legislature fails to approve strong privacy protections. Polls suggest that if the issue does go to the voters, businesses might end up winning in state legislatures, only to lose in the court of public opinion.
In the process, they could squander a lot of public goodwill for no reason. Many analysts believe business fears of an opt-in system are unfounded. Surveys suggest that 55 percent of Americans are "privacy pragmatists"--that is, they are willing to volunteer personal data if they see benefits to themselves, are convinced there are adequate safeguards and feel they can trust the people who handle the information. E-Loan Inc., a Web-based lending company in Dublin, California, believes those figures are, if anything, conservative. "When we went from opt-out to opt-in, we had to provide a reason and demonstrate why it's good for us to have data," says Chris Larson, E- Loan's chairman and chief executive. "But when we did, our opt-in rate went up to 80 percent." Larson enthusiastically supports "opt in" legislation. "Self-regulation is a total failure," he says. "It is not providing consumers the comfort they need."
Other argue that a legal "opt in" requirement might even be good for direct marketers, since customer lists created through "opt in" tend to be far more useful. The reason is simple: Anyone who takes the trouble to place his name on a contact list is much more likely to become a customer than someone who is there simply through inertia.
Mike DeCastro, vice president for customer acquisition at Gazebo, a start-up investment services company in San Mateo, California, recently tested this idea. Working as a consultant for a company that makes action entertainment toys and games, DeCastro bought two lists of prospective customers. One was opt-out, the other opt-in. The opt- out list included 2 million names, at a cost of 5 cents per name. The opt-in list had just 250,000 names, priced at 10 cents each. The smaller opt-in list turned out to be the better deal, though. It produced 24,000 customers, compared with 17,000 for the bigger one. In short, DeCastro paid $1.04 for each new opt-in customer, compared to $5.88 for each customer from the opt-out list.
"Change is going to happen, sooner or later," DeCastro says, "because consumers are really mad." But he predicts that the industry, especially the many companies that now make money selling customer lists, will have to be dragged kicking and screaming to accept "opt in" as the prevailing system. "Nothing is going to happen until we recognize that we have a basic property right in our personal information," DeCastro says.
Whether or not it takes that sort of change in public opinion, a number of privacy analysts agree that consumers eventually will get more control over information about them. Alan Westin, editor of Privacy & American Business, predicts that "consensus marketing," which will be based on notice and choice by individual consumers, eventually will become common practice. "Hopefully," he says, this will emerge "by voluntary business actions and whatever government support will be needed." For the foreseeable future, however, the action is more likely to be on the regulatory than on the voluntary side.