Why Managing Consumer Privacy Can Be an Opportunity

Too often, companies treat privacy policies as a compliance cost. Instead, think of managing consumer privacy as a way to give people a positive experience with your brand.


How many privacy policy updates does your credit card company send you each year? How many of them do you read through — and how many get immediately trashed? Companies often “manage privacy” and “keep consumers informed” by drafting their privacy policies as broadly as possible and consider their job done if they change the policy 10 times a year to fit with changing practices within the company. However, there is a difference between informing consumers and respecting them. Managing privacy should not be seen by businesses as a burden. Instead, it can be a valuable way to generate and maintain a good relationship with your customers. Companies should view the establishment of a framework of consumer privacy controls as a key marketing and strategic variable that conveys considerable benefits.

Many large companies have privacy officers who set rules for managing data and audit compliance with those rules; however, hiring a privacy officer is usually seen by senior managers as a compliance cost. A company that respects the relationship with its customers, on the other hand, would think of the privacy officer as a strategic role and would establish a framework of consumer privacy controls as a key marketing and strategic variable.

This is not to say that compliance is irrelevant. Privacy regulations do exist, and all companies must abide by their legal obligations to their customers. However, the regulations that exist often provide little guidance to managers regarding how to manage consumer privacy. In the U.S., for example, a health-care law simply mandates that hospitals have a privacy policy, without making recommendations as to what it should be.

There are three strategies that companies can follow to transform touch points around privacy into a positive customer experience:

  1. Develop user-centric privacy controls to give customers control.
  2. Avoid multiple intrusions.
  3. Prevent human intrusion by using automation wherever possible.

1. Develop user-centric privacy controls. Companies can make their customers feel helpless when it comes to their privacy. Privacy policies are usually drafted from a legally conservative perspective, from which a privacy policy that is vague or all-encompassing is seen as somehow benefiting the company if things go wrong. The result is lots of legalese that consumers either don’t read or can barely understand. These policies are typically tucked away in remote corners of companies’ websites, in companies’ mailings to consumers and in responses to regulators.


Reprint #: 54309


Comment (1)
Timothy Keller
By and large I agree. I encourage my clients to think about how their privacy practices are a customer relationship opportunity. However, there are a few things in this article that bear some comment. First, your legal department cannot insulate your company from legal risk. That is particularly true in this area, as the law is not black and white. What a good legal department should do is work with the other stakeholders to develop an approach to this matter that balances customer relations goals with legal risk. You cannot protect yourself to success, and good lawyers understand that.

This brings me to perhaps the more important point.  If your company is changing privacy policy 10 times a year you've got bad management, and possibly bad lawyers.  Here's the thing that almost never gets considered when putting together a first privacy policy - your privacy policy is a contract with your customers with respect to their personal information.  If Tuesday your privacy policy says you will never share customer information with third parties, then everything you collect on Tuesday is subject to that rule.  If you change your policy Wednesday to one that allows disclosures to third parties, (subject to applicable law) you can disclose to third parties the information you collect on Wednesday - but NOT what you collected on Tuesday.

Dealing with this requires internal controls that segregate data gathered under different policies. This is why many lawyers (like me) suggest starting with a privacy policy that gives the company broad rights to use and disclose information. You can always reduce those rights when you figure out how you want to deal with the issue. If you take this approach you also have less concern about data segregation, because you can treat all the information you collect in the most conservative manner you have communicated to your customers - without breaching any of your various privacy policies. It just doesn't work the other way around.

Let's ease up on the lawyer stereotypes.  They're no more fair than any other stereotype.