The increasingly detailed databases about customers' likes, dislikes and spending patterns represent a potential marketing gold mine, but depending on how the information is gathered and handled, companies could unwittingly dig nothing but a deep hole for themselves.

The need to safeguard data is something most companies are painfully aware of, having seen the embarrassing public fallout when servers are hacked or hard drives full of customers' private information, addresses and credit card details go missing. As a result, many firms are spending millions fortifying their customer privacy mechanisms to make sure customer data doesn't leak into the wrong hands.

"We’ve seen our sales double from 2006 to 2007, so that’s all investment in privacy," says Terry McQuay, president of Toronto-based Nymity Inc., a provider of privacy management tools and programs.

In the U.S. alone, businesses spent a total of $1.9 billion US on security and privacy compliance technology, staff and services in 2007, a 4.1 per cent increase over 2006 figures, according to a study by Boston-based AMR Research.

The TJX security breach that resulted in the theft of more than 45.7 million credit and debit card numbers. Privacy watchdogs say stricter liability legislation is needed to make companies take privacy issues seriously. (Elise Amendola/Associated Press)

But do these investments in software and systems alone actually buy an organization more trust in the public eye?

Not necessarily.

A recent study by Toronto research firm Carlson Marketing Canada, and a privacy think-tank called the Ponemon Institute based in Elk Rapids, Mich., explores the role privacy plays in the process of creating consumer trust in major Canadian companies. The 2007 rankings are based on feedback from about 700 Canadian respondents, and corporate stalwarts such as Bell Canada, Bank of Montreal and the Royal Bank of Canada top the list of trusted companies.

"Old and stodgy plays a role," says Larry Ponemon, chairman of the Ponemon Institute. "They’ve been around so long that people assume they have to be good. They get extra points for longevity."

But new-ish online companies such as Amazon, Indigo Books and e-Bay made significant gains this year compared with the 2006 rankings when it comes to consumer trust. Ponemon says this highlights a growing trend that companies need to pay attention to.

"Older retailers are losing ground," he says. "We find younger demographics consistently rate online retailers very well."

Major online brands are steadily earning more trust as consumers turn to the web and have positive shopping experiences, Ponemon adds. "Convenience trumps privacy fears for this category. People say, 'I don’t want to go to the mall, and I like going to Amazon.'"

That's not to say that all technology companies are considered equal when it comes to privacy. And in some cases, brands and corporate image speak louder to consumers than actions.

Although Microsoft has good privacy practices, for example, it is simply not trusted by consumers, says Ponemon. "People assume Microsoft has clever tricks to get the information it wants."

Conversely, Google gets consistently high ratings in public surveys even though the company doesn’t disclose its privacy practices. "No one really knows what they [Google] do with all the search information they collect," says Ponemon. "And with its acquisition of DoubleClick, a company known for egregious privacy abuses, you have to scratch your head."

Perception is everything

Ponemon points out that part of the problem for those companies trying to foster a positive image is that the consumer perception of what privacy means is very different from the more technical definition business people tend to have.

Annoying ads, excessive data collection and web glitches all create distrust of a company and colour perception among the general public, for example, even though these issues may have little to do with a company’s actual privacy practices.

"Consumers hate the sense that companies are encroaching on their personal space," he says.

An irrelevant ad that pops up when a consumer is trying to get something done on the web is seen as an intrusion on their privacy — although this doesn’t fit the technical definition of a breach of privacy. In other words, employing cutting-edge technology to guard databases of customer information won't do much to safeguard a company's public image if it uses that same information to annoy people with its own marketing practices.

This may explain Google’s glowing marks in consumer polls, Ponemon says. "People think, 'Google isn’t in my face — it helps me get to where I want to go on the web.'"

Opting in, opting out

There are other areas of disconnect between action and image, too.

"Business is on a different wavelength from consumers in so many ways," says Philippa Lawson, executive director at the Ottawa-based Canadian Internet Policy and Public Interest Clinic (CIPPIC).

One key area is implied consent. Businesses rightly assume they must get explicit consent from consumers in order to share their information with third parties, she says. "But they think they don’t need it for internal marketing of other products and services they offer."

Lawson says consumers disagree with this assumption of implied consent, as it means the onus is on them to actively opt out by telling companies when they don’t want their information shared. People generally want their information to be off-limits by default and prefer that companies ask them up front for permission to use their information in internal marketing programs.

This area becomes particularly tricky when dealing with large organizations that have multiple lines of business, Lawson says. "Businesses are cagey about affiliates. To the extent an affiliate is a separate organization, it’s treated as a third party in privacy law."

Information gathering

Another problem area is how companies collect information about their customers. Warranty or product registration cards that consumers are asked to complete after purchasing durable products such as toasters and coffee-makers are a case in point that can turn people off a brand.

"This is a marketing thing," warns Lawson. "Consumers don’t need to register their products with companies to get the benefits. All you need to provide is proof of purchase."

In a recent Ekos survey, 40 per cent of Canadian consumers said they weren’t aware companies use information collected from these cards for marketing purposes, she adds. So when these people fill in the cards, they aren't giving their consent to allow the use that information for marketing — they assume it's just the way they activate their warranty coverage.

Another emerging concern is the type of behavioural marketing pioneered by Amazon. Many companies track and profile consumers based on their purchase patterns, and then send personalized e-mails offering new products based on their preferences.

"There are real benefits for both businesses and customers in this," says Lawson.

But the potential for abuse also exists. Although most companies don’t currently connect customer profiles to identities, individuals could in theory be identified via the Internet Protocol (IP) addresses used in e-mails. They can also be identified through social networks they subscribe to — an issue that landed Facebook in hot water with its members when it rolled out its Beacon system to track purchases made by Facebook users on certain e-commerce sites.

"Consumers should be able to choose to opt into behavioural marketing programs," Lawson says. "Right now companies are just assuming all their customers want this, and they can’t assume that."

Corporate privacy policies

Businesses have little incentive to do the right thing when it comes to their privacy practices, since consumers tend to trust their providers, she says. "It’s often unwarranted trust, because most consumers don’t even know what these companies do."

Nymity's McQuay says the consumer's perception of privacy is indeed broader than that of business. But unlike Lawson, he believes Canadian companies are generally erring on the side of caution in their marketing programs because they’re unsure what the public finds acceptable.

"We’re seeing organizations put unnecessary restrictions on their business due to perceived customer concerns," McQuay says. "Many aren’t doing certain marketing programs that they could do from a compliance standpoint because they believe the risks are too high, or perceive the laws say they can’t do it."

This confusion about what is and isn’t permissible under privacy legislation is a growing problem for companies. Corporate privacy officers are struggling with newly created roles and masses of privacy regulations, and they often lack tools and training, McQuay adds. "So when marketing people go to them to find out if a marketing program is allowed under privacy laws, the response is often, 'I’m not sure, so you shouldn’t do it.' It’s a risk-averse approach."

And while good privacy practices don’t create consumer trust, they are essential to maintaining it — so, McQuay argues, companies do have major incentives to respect the privacy of consumers.

"Companies spend years and huge amounts of money building their brand," he says. "A privacy incident can do major damage. So companies need to invest in privacy to reduce the risk to their brand. They won’t get more customers, but it will protect them from losing customers."

But while corporations say they care about their customers’ privacy concerns, their actual behaviour is often at odds with this. And simply spending large sums of money on technology to safeguard databases doesn’t mean companies are necessarily handling the issue of consumer privacy well, says Ponemon — particularly when there’s an incident.

"Most organizations have been horrendous in how they manage this," he says.

Ponemon points to the recent TJX security breach that resulted in the theft of more than 45.7 million credit and debit card numbers; the company repeatedly gave inconsistent reports about the extent of the problem. "They kept giving people the wrong information about how big the problem was, what they were obligated to disclose and why they didn’t disclose it. People who had even a modicum of trust in TJX lost it."

Lawson believes that in the long run, it's more liability legislation and lawsuits that will provide the real incentives needed to make companies heed their customers’ wishes and take privacy issues seriously. "We need to make companies pay for these losses."

The author is a Toronto-based freelance writer.

[an error occurred while processing this directive]