Profitable privacy

Privacy is an important part of Royal Bank Financial Group's customer relationship management (CRM) system. Employees explain Web cookies to customers; the bank offers cell phones with special encryption chips for wireless transactions; and it has a pilot program through which it gives away firewalls and other security products to customers. That's right, for free.

So where's the profit in that?

For Peter Cullen, chief privacy officer at Toronto-based Royal Bank, there's profit in privacy. "It is one of the key drivers of a customer's level of commitment and has a significant contribution to overall demand," he says.

As more countries adopt stricter privacy laws, companies have to adapt their CRM systems to comply. But Royal Bank clearly sees privacy as more than a legal issue -- it's also a pathway to a customer's loyalty and spending.

"We are very much in a relationship business," Cullen says, adding that privacy "plays a measurable part in how customers decide [to] purchase products and services from us. It brings us more share of the customer's wallet."

Many companies are reluctant to offer customers more privacy choices, such as opt-in features that require getting customer permission to collect or transfer personal information. Businesses fear they'll lose their ability to leverage customer data and share such information with affiliates.

Dennis Behrman, an analyst at Meridien Research Inc. in Newton, Mass., sums up the prevailing attitude: "You won't lose customers if you offer privacy options, but you may lose access to your ability to gain information."

But before companies can ask how privacy fits into a CRM strategy, they need systems that can handle privacy compliance. New domestic and international laws are arriving rapidly. Australia, which enacted its new privacy law in December, is a good example.

A section in Australia's law requires companies to destroy customer data or make it anonymous once it's no longer needed. That includes backup files, says Andrew Handelsmann, an attorney at Deacons, a law firm in Sydney. Compliance will involve more than simple deletion to ensure that files are really erased from drives, he says.

Complying with laws of this type, as well as integrating privacy into a CRM strategy, requires changes in IT systems and management. "It's keeping the system smaller, and it's more controlled," says Greta Ostrovitz, IT director at Cadwalader, Wickersham & Taft, an international law firm in New York. "We don't have these huge, huge databases that just have a life of their own and no one knows what's in it."

Tighter control is important to CRM strategies and legal compliance, Ostrovitz says. For instance, when her firm wants to send online and print mailings to clients in England, it must first get client permission for the mailings, according to U.K. privacy regulations. "In building a system, the key is maintaining an audit trail so you know exactly when something gets entered, who entered it, when was something mailed, what exactly got mailed," says Ostrovitz.

The Gramm-Leach-Bliley Financial Services Modernization Act, which took effect in the U.S. July 1, was one of the reasons Cleveland-based KeyBank revamped its massive customer databases.

KeyBank pulled about 50 million customer records held by various business units and distilled them into a single database of 11 million records.

"We wanted a customer-centric approach, where the customer just came to us once -- at any entry point in the company -- and we could then identify the rest of their relationships in the organization," says Angela Maynard, chief privacy officer at the Fortune 500 bank.

In going through the 50 million customer records, KeyBank also "cleaned" the data held by different business units to improve accuracy. It did this in part by matching the data against 200 million credit records maintained by Experian Inc. in Orange, Calif.

From a CRM perspective, this single view of the database means that if a customer asks to be excluded from certain forms of information sharing, as allowed under the Gramm-Leach-Bliley law, this privacy request can be consistently applied across all business units, Maynard says.

"If you don't have all those [records] collected and connected together, there's a risk you are going to miss a record or two," Maynard says.

Although privacy issues present technical challenges to data management, a well-designed CRM system is much better suited to privacy controls than a hodgepodge of separate legacy systems, says Michael Beresik, national director of the privacy practice at New York-based PricewaterhouseCoopers.

Keeping Data Sacred

Most affected by privacy law compliance is the health care industry, which, under the Health Insurance Portability and Accountability Act (HIPAA), must have strict access controls for records.

Providence Health System, a Beaverton, Ore.-based health care provider with about 780,000 members, is developing a system that limits access to medical records on a need-to-know basis. A financial analyst, for instance, would see only the customer data pertinent to his work, says Chris Apgar, Providence's data security and HIPAA compliance officer.

These changes, although not directed at customers, are nonetheless a form of CRM because customers expect their health care records to be confidential. "One of the big selling points is how well you are taking care of my health data -- that's one of those things that's sacred," Apgar says.

But many industries are worried about the unsettled nature of privacy laws. In addition to various privacy initiatives in Congress, states are free to adopt their own privacy standards. Some, such as California, may require a customer opt-in policy for financial record sharing, instead of the federal opt-out approach, which requires consumers to take action if they want to stop record sharing.

"We are holding our breath that [lawmakers] don't change direction, and we will have to build something totally new," says Maynard.

Internationally, U.S. firms that transfer customer and personnel data out of Europe have to comply with European privacy laws. These laws allow customers access to data that's held about them, and let them determine how that information is used.

Some U.S. firms, such as consumer products giant Procter & Gamble Co. in Cincinnati, have adopted as their global business rule the European privacy standard, which is gradually being followed by other countries. This approach creates uniformity and reduces potential compliance costs, the company says.

Analysts say e-commerce companies can lose business if consumers don't trust that personal information will be carefully guarded. Forrester Research Inc. in Cambridge, Mass., estimates that total online spending last year of $47.6 billion would have been $15 billion higher had it not been for consumer privacy concerns. Companies can increase sales by making their privacy policies clearer and easily understandable and accessible to consumers, says Christopher Kelly, a Forrester analyst.

On the other hand, active online consumers don't seem to pay much attention to privacy policies, according to data compiled by WebSideStory Inc., a company that analyzes Web site data. In its analysis of page views, "the privacy page rarely makes the top 100" of anyone's site, says Randy Broberg, chief privacy officer at the San Diego-based company.

"The opinion polls that say that everybody in America is frightened to death about privacy overstate the reality of people who are actually surfing the Internet," Broberg says.

But based on its internal studies, Royal Bank is convinced that privacy keeps customers coming back, says Cullen. The secret to effective CRM is delivering value to the customer, he says.

If a customer starts turning off the information flow, does that indicate that he's concerned about his privacy, "or does it say that we haven't generated enough value to them?" asks Cullen.

"We have a high level of trust with our customers right now. It's ours to lose," he says. "But there are huge benefits to doing things that continue to reinforce that trust."

For more privacy news, visit Computerworld's Focus on Privacy page.


Tips for Managing Privacy

Customer data has to be "clean." If customer records don't match across business units, privacy preferences may not be consistently applied. This could upset a customer who thought he opted out and learned otherwise, and it could also create legal risk.
Smaller, tighter databases are best. End users say big, bloated databases undercut privacy management.
Enforcement risk is rising. The Federal Trade Commission (FTC) is increasing its enforcement staff, and most experts say European authorities are gearing up for some high-profile privacy law enforcement actions.
Remember: There's no legal difference between off-line and online data. The FTC is making that clear.
Audit trails are important. Proving compliance with the law means having records.
Nothing is certain. Congress is considering new privacy laws as well as changes to old ones. There is no letup in the passage of new international laws.

— Patrick Thibodeau

Special Report


Sober CRM


Copyright © 2002 IDG Communications, Inc.
