It’s been a week since I got back from SxSW in Austin, and I still can’t believe how absolutely MASSIVE the coverage of privacy, personal data, and identity issues was at the conference. By my count, there were some two dozen sessions, including the Core Conversation I led, across a range of topics that are central to the principles of personal identity management (PIDM).
Photo of PIDM Core Conversation courtesy of Doc Searls
Some of the most interesting takeaways from my perspective:
1. We need a consumer bill of rights that’s defined and ratified mutually by individuals and industry. We need adoption convergence by both groups if PIDM is to succeed in a mutually beneficial manner.
2. We need more cross-functional working groups that include marketers, policy wonks, technologists and consumer advocates. Regulators are simply not going to be able to address the needs and responsibilities of all parties, nor the practical and technological challenges this massive problem faces today.
3. We desperately need guidelines and best practices for privacy policies, governance, and acceptable use of consumer data. By and large, most of the marketers and business people I spoke with WANT to do the right thing, but they’re just not sure what that means right now.
Yesterday, the White House released a long-awaited set of recommendations that are focused on helping individuals take greater control of how their data is collected and used for online marketing purposes. It includes what's being referred to as a "Consumer Privacy Bill of Rights."
The language is vague. The timeline to completion is long. The guidelines, for now, are "opt-in" for organizations. All true.
But folks? The glory days of scraping and selling and repurposing customer data are over. The Oval Office has spoken on the issue of privacy and personal data, and its bill of rights is crystal clear: Tell me what you’re collecting, how you’re using it, protect it well, give me a copy, and give me a chance to correct it, delete it, or opt out entirely.
Despite being something of a romantic, I don't really go in much for the so-called "Hallmark Holidays." In fact, this XKCD comic sums up my feelings rather perfectly:
Still, I'm very aware that lots of other people enjoy Valentine's Day, and that it's a holiday that's just begging for CI pros to get more strategic about. Leveraging shared wish lists is one use case I really like, as is intelligent (read: permission-based) householding. Imagine, for example, a travel company that enables a couple to "gift" each other a special dinner or spa treatment during a shared vacation.
But sometimes, CI goes horribly awry, as I recently experienced with Proflowers.com. I offer Exhibit A:
This email was sent to my email address, but addressed to my ex-husband. It's not hard to understand how this could happen: householding snafus might sometimes create a false connection between an email address and a first name, for example. In the grand scheme of things, if I was going to put CI Fails on a TSA-scale rating, I'd give this one a very bright yellow.
But embarrassingly (for all involved) it got worse. Just a few days later, another of Proflowers' brands, Shari's Berries, sent me this email:
Plenty’s been written already about Facebook’s IPO filing yesterday. I won’t rehash the many excellent analyses that you’ve surely already seen.
Instead, I want to take this blog post into thought-experiment territory. I want to think about a world in which Google and Facebook are primary competitors in a mano-a-mano battle—not just for our eyeballs, but for our data, too. For the right, as it were, to be our “digital identity.”
Over the holidays, my mother—67 year old tech-accepter, Kindle-owner, smartphone-avoider—called me into the office to show me her Facebook newsfeed. “How,” she asked, “do they know that I’m interested in Persian classical music and that I live in Los Angeles?” As I was explaining behavioral targeting and computational advertising, I glanced over at the computer, only to see her click through and order tickets from that Facebook ad.
So I asked, “Do you trust Facebook?” To which she replied, “Of course not!” as she entered her credit card number, home address, and email address for a very spendy concert ticket.
“Do you trust Google?” I asked. “More than Facebook, I suppose,” she answered. “But Facebook shows me stuff I like more often than Google does.”
That experience, plus a brainstorm with my colleagues on the Customer Intelligence team here at Forrester got me thinking: What if, as a consumer, you had to choose between Facebook and Google? Which service is more valuable to you? Which will BE more valuable in the future? I decided to compare the competitors (and let there be no mistake—Facebook’s S-1 filing very clearly identifies Google as Enemy No. 1) across the dimensions of Forrester’s customer engagement cycle:
Now, as a customer intelligence analyst, I preach a “consolidated view of the customer” to clients nearly every day. I advise retailers, CPGs, and others that creating an optimal experience for customers is nearly impossible without having a clear understanding of their needs and preferences, across all channels and lines of business. But what Google’s doing extends well past traditional “single view” and into “personal data locker” territory.
On the face of it, Google claims that it’s making these changes for the same reason: to improve the user experience. But to remain profitable and keep providing free services to several hundred million users, Google will also use its vastly increased insight about users to sell better targeted (read: more expensive) ads to advertisers.
Most marketers and customer intelligence (CI) pros tend to lump together most types of customer data. Sure, things like passwords and social security numbers are considered more "sensitive," but for the most part, the systems that protect all the data -- and the privacy policies that communicate their capture and governance -- are largely the same.
Individuals see different types of data differently -- they're most worried about what we consider individual identity data, and far less concerned about the capture and use of their behavioral data.
Most consumers are willing to share their data in exchange for value. But, what they consider "valuable" is very age-dependent -- in other words, the same consumer isn't equally motivated by discounts and cash rewards.
By now, you’ve likely read a whole host of stories about Google’s reported play at competing with Amazon’s Prime "one-day shipping" program. The crux of it? The internet giant is planning to leverage its local search product to offer consumers a same-day shipping option if they purchase from a participating retailer.
There are plenty of challenges to this business model, many of which are covered here and here--logistics, data sharing, and cost structure are just three key issues that Google would need to tackle head-on to make such a program viable. Nonetheless, it got me thinking... there’s an aspect of this proposed plan that is awfully intriguing from a Personal Identity Management (PIDM) perspective.
Google could effectively build the first purchase transaction personal data locker. Here's how:
In order to facilitate delivery, Google would have to capture transaction data at the product level.
This would let consumers maintain "anytime-anywhere" access to their purchase history. Imagine never again rooting around for a receipt to return an item, or trying to remember which size bags your vacuum cleaner takes.
This week, some Wells Fargo customers in South Carolina and Florida got a nasty surprise. Turns out, a "malfunctioning printer" printed multiple customers' account information (including transactions and, in some cases, Social Security numbers) on the pages of other customers' statements.
The number of customers affected hasn't been made public -- a real misstep in my opinion, and one which renders Wells Fargo's public apology rather hollow sounding. Remember: Transparency is a key factor in gaining consumer trust in the era of personal identity management.
Aside from the bank's public handling of the matter, though, there's another important issue. Too often, when organizations talk to us about security and privacy, they're focused on digital data. But the truth is, there is plenty of analog data that follows individuals around, from in-store transactions and personal trainer visits to, yup, mailed bank statements. It's not enough for firms to spend millions of dollars protecting consumers' digital footprints if they're not also thinking about both inbound and outbound uses of offline data.
Does your organization have discipline and governance around the way offline data is captured, managed, and disseminated?
It has been a few years since Forrester delved deeply into the issues surrounding consumer privacy, and in that time, an awful lot has changed:
Facebook Connect, Google ID, Yahoo Identity, and Sign In With Twitter have emerged as a wholenew way of being recognized across a myriad of websites across the Net. As little as a decade ago, most adults online couldn’t have imagined the convenience of single sign-on.
At the same time, data capture methods have not only proliferated, they’ve become exceptionally sophisticated. Tactics like Flash-based cookies and deep packet sniffing surreptitiously collect behavioral data about online consumers, while loyalty and membership cards provide more insight into consumers’ purchasing habits at the line item level than ever before.
All that extra data is hard to protect without big changes to governance policies and technology stacks, and when data breaches happen, they're public and ugly.
Finally, legislators have forged ahead with regulations to protect consumer data. Europe's answer is the Data Protection Directive – a regulatory framework that governs the capture, management and use of consumer data, while in the US, congressional leaders, egged on by consumer advocacy groups, are introducing bills designed to limit data capture and to provide remediation in cases of data and security breach.
My Customer Intelligence colleagues and I, like many others, can't help but wonder how Carol Bartz's departure from Yahoo! is going to play out for the digital behemoth. Shar VanBoskirk's post last week summarizes Yahoo!'s current state, and I agree with her assessment that the company's assets are worth far more piecemeal than as a whole. As she points out, Yahoo!'s advertising capabilities are one of its greatest assets.
But from a CI perspective, so is its OpenID-based Yahoo! ID, which enables single sign-on (SSO) functionality for its more than 273mm global email-service users. Now, while a relative minority of those users actually take advantage of Yahoo! ID across the web today, the demand for SSO and federated identity is growing such that Yahoo!'s broad user base and consumer trust is already tremendously valuable.
So, who are the "unusual suspects" that have the most interesting opportunity for acquiring Yahoo!'s personal services/communications/identity management business?
Wal-Mart. Yep, you read it right. Wal-Mart, despite being the world's largest retailer, continues to lose digital market share to Amazon, and it clearly wants to change that. Last month, it restructured its online organization to better align with its brick-and-mortar presence and just this week announced plans to to buy "key assets" of mobile ad targeter OneRiot. Yahoo! ID would give Wal-Mart the single sign-on capability that it doesn't have today, with some nice benefits over Amazon's closed-ecosystem identity service. And Yahoo!'s user base is, demographically speaking, a slightly better fit for Wal-Mart than other major big-box retailers.