Consumer profiling is flying in the teeth of public concern about privacy-invasion practices and snowballing efforts by advocates and policy-makers to impose regulation on private sector use of personal data-- Roger Clarke, principal, Xamax ConsultancyA London man says he'll sue British Telecom after an overzealous promotion campaign alerted his wife to his long-running affair.

In a move of almost stunning insensitivity, BT mailed a letter to the elderly couple to advise them that one number which appeared frequently on their phone bills had not been nominated for "friends and family" eligibility at cheaper rates. When the puzzled wife dialled the number to find out to whom it belonged, she discovered her husband had been having an affair with one of their neighbours for several years. Now the man has been evicted from his own home and is demanding satisfaction from BT, claiming the telecommunications company "wrecked" a 40-year marriage.

One might think he had done a pretty fair job of that himself, but the case provides the perfect illustration of the dangers of ill-considered and uncritical adoption of customer relationship management (CRM) and other profiling techniques. Yes, CRM has the potential to help companies become closer to their customers. But employed unwisely, it can easily backfire and alienate at least as many customers as it attracts. It's safe to assume the London man in question will be looking for a new telecommunications carrier, wherever he is forced to set up home.

The endless studies showing people remain deeply concerned about privacy should serve as fair warning to any company that fails to consider privacy issues in its CRM, data warehousing and marketing efforts.

Internet users dislike receiving unsolicited communications. It's getting harder and harder for telemarketers to cold-call customers without raising their ire. Some customers refuse to join loyalty programs, because they worry about the way retailers store and process data for their own business uses without the customer's knowledge or consent. Just as many loathe being bombarded with cross-marketing and would deeply resent receiving a phone call from the bank offering them a new financial service on the basis of their recent financial dealings. For every BT customer who would welcome receiving an invitation to add another number to their "family and friends" portfolio, assume at least one other would receive such a communication with scepticism, whether or not they were having an extra-marital affair.

Curt Hall, editor of the Data Management Strategies and Intelligent Software Strategies newsletters, writing in Cutter Edge, warned recently that it was essential to consider data privacy issues in any data warehouse or e-commerce application.

Hall notes that Intel had been widely criticised by privacy experts, who claimed the Pentium III chip's identifying code would allow marketers to track a consumer's digital footprint on the Internet. In March Microsoft was forced to close a privacy gap in Windows 98 that tied individuals to the documents they created and distributed across a network. News that Microsoft had added a unique identifying number evoked a savage consumer backlash. Privacy advocates were further enraged to learn Microsoft had collected and stored this data itself, even though the company insisted only its support personnel would use it.

Both gaffes resulted in increased demands for the US government to enact stricter consumer-privacy regulations and enforce them, Hall says.

"One of the most far-reaching government regulations concerning data privacy is the EU Directive on Data Privacy, which is already in effect," he writes. "This directive, which went into effect last October, bans the transfer of data pertaining to EU citizens belonging to any of the 15 member nations to any country deemed not to have 'adequate' privacy protections.

"The US Commerce Department is proposing allowing consumers to 'opt out' of having personal data stored by a merchant or vendor and used elsewhere.

Obviously, both of these government efforts, depending on how strictly they are enforced, have the potential to significantly affect the use of data in e-commerce and data warehouse (especially marketing) applications."Hall says companies should implement security measures wherever the potential existed. That way, should privacy issues surface the company could at least show it had acted in good faith to protect sensitive data. "The alternative is to risk violations that could result in potential lawsuits or consumer boycott or, at the very least, in an embarrassing public relations gaffe," Hall says.

It's not a message that seems to have reached most Australian organisations, perhaps in part because the Australia Government was so slow to commit to introducing a privacy regime to the parliament.

Slow Learners

A recent survey by Australian Business Advisers (ABA) found that while 79 per cent of Australia's top 100 companies had a Web site, only 5 per cent had an online privacy policy. Of the 50 most visited sites in Australia, just 20 per cent mentioned privacy and just six of the 129 surveyed sites posted notices stating that personal information would not be disclosed. Indeed, in 5 per cent of cases what probably ought to have been a privacy statement in fact told consumers the site had an active non-privacy policy where all information received was classed as "non-confidential" and open to redistribution "without limitation".

Contrast this with the situation in the US, where privacy is becoming a first-order priority. US companies acted swiftly in reaction to research showing the main concern of US consumers in doing business online was that personal and financial information would not remain private. Now Internet heavyweights responsible for generating about 80 per cent of all Internet traffic -- including IBM, Disney and Time Warner -- have launched the Online Privacy Alliance, defining a code of practice and developing a privacy symbol to be carried by Web site code observers.

Dean Kelly, NCR Asia Pacific marketing manager customer relationship management, believes one reason for the tardiness of Australian companies in addressing privacy issues is the growing recognition that they have another problem to overcome first. Companies abusing customer privacy would certainly lose customers over time, Kelly says. If no Australian customers had yet walked out en masse, it was probably because of the resistance of those customers to receiving CRM-generated communications in the first place.

"The biggest issue that a lot of these companies that are getting into this CRM space are going to face is that as consumers we don't actually give any credence to direct mail. Therefore, even if it is a targeted direct mail, somehow you are going to have to earn our trust for us to even bother having a look at it because at the moment we just put it in the bin. Once we do start having a look at it, then privacy is going to be more of an issue to us."Consumers under ThreatSome consultants have been warning about the downside of uncritical adoption of consumer profiling techniques for several years.

"Consumer profiling is a threatening technology and is dependent for its raw material on the expropriation of personal data," said Roger Clarke in a 1997 address to an AIC Conference on Customer Profiling for Financial Services.

"Application of consumer profiling by financial services organisations will attract considerable opprobrium. It needs to be undertaken very carefully indeed, within frameworks that reflect, and anticipate, increased privacy regulation by governments, and increased demonstration of privacy-sensitiveness on the part of competitors." While marketers appeared to regard customer profiling as a mainstream technique, consumers saw enormous dangers; the public was increasingly aware of and concerned about those dangers, and marketers who failed to appreciate the dangers would suffer, Clarke warned.

"In my view all people are entitled to 'data privacy'," La Trobe University associate professor Dr Karl Reed told CIO. "This means that data must not be kept on them without their knowledge; that we need domains of data collection, which must be agreed; and we must have the right to correct 'false' data. As far as computer data is concerned, data aggregated in an employer's facility should be treated as if it were paper."One way to mitigate the perils of unregulated use of customer data is to adopt an ethical approach to data management issues, Neil McBride of the Centre for Computing and Social Responsibility, De Montfort University, Leicester in the UK, told a recent Ethics seminar.

"Every supermarket transaction, credit card transaction, motor insurance enquiry, or response to a telemarketing call, for example, provides valuable information to organisations on which marketing can be based," he said.

"As providers of such information, individuals may have little idea of the use to which it is being put. A supermarket gathers information on a customer every time [the customer] uses a loyalty card. Is the customer aware that information on buying trends is being captured? Is the customer aware of how that information may be used or the value placed on it by the supermarket? How does the supermarket interpret its use of the information? Is its use to provide a better customer service (as might be suggested by the public face of the company) or to optimise sales to the individual through the use of targeted marketing (as might be the case when the informal or tacit culture of the company is examined)? "Valuing information should involve consideration of its ethical sensitivity, in relation to business ethics and issues such as accuracy, relevance, timeliness and decision support value. This will require a cultural change on the part of the individual. An information-valuing culture will treat information as an important resource, to be generated and distributed carefully."According to Kate Behan, a well-known IT advocate and proprietor of IT consultancy Kerandan, adopting an ethical approach to the use of customer data can also help companies avoid some potentially sticky situations.

Take the scenario where you are collecting data about two of your customers who happen to have, outside of your relationship with each of them, a relationship with each other -- perhaps with one as supplier to the other. Through your data gathering and analysis you learn some business intelligence about those customers that could be greatly to the benefit of one and to the detriment of the other, Behan says.

"What ethical issues arise in your dealing with those customers? Can you tell either one of them? Do you assess which one is the high-value relationship for you and exploit that one and really do an ethical disservice to the other one?" The best approach under such circumstances is to pay both companies equal ethical respect, Behan says, at least as long as you are aware that the potential conflict of interest existed.

"If you are aware of it -- and this isn't one of those situations where you should say to people: 'I don't want to know' -- you know you've really got to treat them both with equal regard, despite the fact that one is worth more to you than the other. It's just possible if they are customer/supplier that they have a relationship closer than what you believe and that you would actually score brownie points by talking to both of them about it."Make it a three-way conversation rather than talking to each customer behind the other's back, Behan says. Otherwise you are almost bound to end up in a situation where you will be unable to pay either customer the respect it deserves as your customer. Oh -- and never forget that the customer who is your biggest and most valuable customer this year may not be the biggest next year, she adds.

No Intimacy Involved

Inchcape Motors Australia is working to help its five Australian franchises transform themselves from product-centric to customer-centric organisations. It is in the second phase of a CRM project that has already transformed both the company and its franchises' business culture, and which should soon start achieving serious ROI.

Discussing the kind of safeguards companies should impose on the use of customer data, CRM project sponsor Paul Morris rejects the notion that CRM equates to customer intimacy.

"I think one of the best sayings that we've heard is from one of our managing directors on our steering committee. We were talking about relationships and he says: 'Look, I can send 100 relationship marketing e-mails out to Elle McPherson, but it doesn't mean I've got a relationship with her'.

"And that is exactly what it is all about," Morris says. "People think because they send information out to somebody they've got a relationship. People don't want relationships with you. A relationship can be an intrusion. They want a professional business association."The key, having collected information from your customer base, is to be sensitive about the timing of communications, Morris says. Because Inchcape collected a lot of information about customer finance and insurance matters, it knew when it was appropriate to communicate with them and when it was best to leave them alone.

"You know yourself. If you have insurance, a month before it comes around is when you think about it. If the finance lease you've taken out on your car is due for renewal, we'll contact you about three to six months before that date."Inchcape also gives people the option of opting out of receiving communications, and asks them what kind of communications they would find acceptable. When customers say they do not want to receive any communications, Inchcape leaves them well alone. "It's about customising information to the customer and giving them the choice," Morris says.

The chance to opt out is a key element of the OnlinePrivacy Alliance's stance.

It allows for two kinds of opt-out: the ability to opt out of having identifiable personal data being used to target an individual for direct marketing; and the ability to opt out of disclosure of identifiable personal data to third parties.

Opt-out is equally consistent with the Platform for Privacy Preferences (P3P) standard that the World Wide Web Consortium is developing. Analysts say the approach, designed to provide a standard mechanism under which users supply personal information to Web sites and privacy rules restricting the use of that information, is equally applicable to data mining and other areas of personal profiling.

P3P comprises a personal profile detailing both personal information and privacy rules regarding the use of that data; a profile of Web site privacy practices; and a protocol for negotiating between the user's agent and the Web site to reach automated agreement concerning the amount of personal information to be provided and the way it will be used.

The good news, according to a White Paper prepared by NCR Corporation, the first enterprise solutions company to address privacy as a primary strategic initiative, is that showing concern for your customer's privacy presents an opportunity to enhance CRM"The need to communicate with customers on the subject of privacy opens up the opportunity to also seek more detailed and personal background and personal preference information from them, along with their wishes regarding the use and protection of such information," the report says.

"In a direct marketing context, such information will result in a richer, more individual profile of each customer, together with a more fine-grained set of marketing opt-outs based on individual customer preferences (eg by product category, and/or by means of contact). Furthermore, the methodology for identifying customer preference information, including the data elements making up the profile, and the associated customer privacy rules (opt-outs), can be based on the P3P profile discussed earlier."The paper notes that since that framework can be extended to include customer-specific information deemed important to enhance the future customer relationship, it represents a significant opportunity to enhance direct marketing and other aspects of CRM towards the goal of "segment-of-one".

Customers Come First

The banking sector is, of course, obliged by legislation to observe strict privacy rules as a matter of course. But at BankWest an overriding respect for customer demands for privacy has encouraged the bank to supplement those privacy rules internally, says head of call centres Gary Kukura.

"A lot of it comes down to understanding the manner in which we want to manage our customers. What is the conversation that we want to have with our customers? What is our customer contact strategy? What does our image stand for? What's the value proposition that we have for our customers?"The group has developed an overall framework and tries to ensure every customer contact -- verbal, written or electronic -- conforms to that framework. The framework is designed not only to satisfy the group's needs in terms of managing both its image and its relationship with the customer, but also covers the sharing of information from a relationship management point of view.

"We're pretty restricted anyway in terms of how we use customer information, and certainly Bankwest has an overall policy where obviously we don't sell any customer detail to anyone," Kukura says. "We don't provide customer information to anyone, full stop. That also goes to sharing of information on our customers within other organisations, separate entities that are part of the banking group. We don't share information with them either."The only other element that gets added to that restrictive framework is a consideration of the relationship the bank is trying to build with its customers.

It asks itself what the customers would demand of the bank in terms of protecting their information, and makes sure that is factored into its customer contact strategy, Kukura says.

-- S Bushell