CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Privacy in the age of transparency

Strategy + Business explains the delicate balancing act companies face in keeping the data they've collected about customers confidential.

Privacy in the age of transparency
By strategy+business
Special to CNET
March 14, 2004, 6:00 AM PT

It's not often that a blue-chip CEO publicly lectures another CEO from a brand-name company about how he should manage his organization. Then again, it's not often that the practices of one company upset employees of another one so strongly.

The incident occurred in 1999 when introduced purchase circles, an online marketing tool that, supposedly for the customer's benefit, revealed what books Amazon's customers from some well-known corporations were buying. For example, customers from Microsoft, it appeared, liked to read "The Microsoft File: The Secret Case Against Bill Gates," a book that was critical of top management at the software giant. A book about operating system upstart Linux was a hit at Intel.

IBM favorites were also exposed on the Amazon site. As a group, IBM employees weren't reading anything particularly heretical, but Big Blue's then-chief executive Louis V. Gerstner Jr. didn't like the voyeuristic aspects of the purchase circles, and polled IBM's workers for their reactions to Amazon's new program. Gerstner was inundated with 5,000 e-mails within hours; more than 90 percent expressed displeasure about having their corporate book-buying behavior displayed online. Gerstner passed this finding along to Amazon, and IBM was removed from the purchase circles.

Companies are entering an era of information transparency.
As an embarrassing coda, an excerpt from a letter Gerstner sent to Amazon CEO Jeff Bezos was leaked to The New York Times. In it, Gerstner cautioned: "I'm certainly not going to tell you how to run your business, but I do urge you to view this as an enormously important issue."

That anecdote, related by Don Tapscott and David Ticoll in their new book, "The Naked Corporation: How the Age of Transparency Will Revolutionize Business," illustrates well the delicate balancing act companies face in satisfying the imperative to provide an increasingly personalized and streamlined relationship with customers, suppliers and other business partners, and simultaneously keeping the data they've collected about them confidential.

Companies are entering an era of information transparency--a result, Tapscott and Ticoll say, of increasingly activist stakeholders, the growing influence of global markets, the spread of communications technology, and a new customer ethic demanding openness, honesty and integrity from companies.

Consequently, risks to privacy are greater, and safeguarding sensitive information has become more significant, and more difficult to do. Among the companies given high marks by privacy advocates for making data protection a priority are Dell, IBM, Intel, Microsoft, Procter & Gamble, Time Warner and Verizon. Some of these companies--such as Microsoft, which has in the past been plagued by security leaks in its operating system and e-commerce programs--have embraced hard-line privacy stances only after experiencing first-hand the potential damage to their businesses that privacy breaches can inflict.

Business-to-consumer companies that fail to protect customer data can lose the trust and loyalty of customers, and drive them to other companies with which they feel more comfortable sharing personal information.

That, in turn, has the somewhat ironic effect of providing privacy-friendly companies with the greatest aggregate database of valuable demographic, purchasing, and financial information about customers. This sensitive data can be a goldmine for cross-selling additional products and targeting direct mailings on the basis of customer preferences--as long as these sales campaigns are handled gingerly so that consumers feel that their privacy is respected.

Privacy fundamentalists
There's persuasive evidence that consumers are becoming even more protective of their personal information with the increased prevalence of Internet shopping and the aggressive data collection about shoppers by consumer product companies.

The most thought-provoking statistics have been published by Privacy and American Business (P&AB), a monthly newsletter co-founded by Alan F. Westin, a well-known information privacy expert and professor emeritus of public law and government at Columbia University. P&AB is published by the Center for Social & Legal Research, a data-protection think tank.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

According to the research in P&AB's September 2003 issue, 36 percent of the American public, some 75 million adults, call themselves "Privacy Fundamentalists." These are people who are passionate about threats to their privacy by businesses and favor government regulation of corporate information practices.

That's a huge leap from 2000, when only 25 percent of respondents to a similar survey fit this category. Moreover, in 2003, P&AB found that 53 percent of Americans (10 percent fewer than in 2000) could currently be categorized as "Privacy Pragmatists," that is, people who will freely exchange personal information if the benefits they receive are perceived as greater than the privacy risks they're taking.

Professor Westin used other survey data to explain the increase in Fundamentalists and decrease in Pragmatists and to draw the following conclusions: Fifty-six percent of Americans don't believe most businesses handle consumers' personal information in a manner they consider to be proper; 59 percent do not think the existing mixed public-private system of protecting consumer privacy is providing a "reasonable" level of assurance.

Consumers have adopted these beliefs after being exposed to a growing array of privacy intrusions. Since 1990, 33.4 million Americans have been victims of identity theft--in this case, defined as the theft of personal information with the intent to use it for fraudulent purposes. Half of these crimes occurred in the last two years, according to P&AB. There are also many disconcerting ways individual privacy is invaded. It's impossible for individuals to use the Internet without being interrupted by cookies-based marketing piggybacking on Web surfing and purchasing habits; video and biometric surveillance is unavoidable in public places and at work; and in numerous instances, medical and financial databanks have leaked personal information and cost people their jobs, reputations or both.

Opportunity to build trust
The scale and impact of these unwelcome trends is chronicled extensively in "Database Nation: The Death of Privacy in the 21st Century," by longtime privacy activist Simson Garfinkel. In this book, Garfinkel is implacable about the importance of privacy to individuals and why people are so protective of it: "Privacy is about self-possession, autonomy, and integrity. Over the next fifty years we will see new kinds of threats to privacy that don't find their roots in totalitarianism, but in capitalism, the free market, advanced technology, and the unbridled exchange of electronic information."

That statement may be a bit harsh, but the P&AB surveys, as well as other recent polls, indicate that consumers share many of Garfinkel's concerns. Somewhat surprisingly, considering the depth of consumer wariness, this attitude represents an opportunity for companies, if they're willing to develop robust privacy programs.

Since 1990, 33.4 million Americans have been victims of identity theft. Half of these crimes occurred in the last two years, according to the Privacy and American Business newsletter.

This is a central theme of "The Naked Corporation" and an earlier book, "The Privacy Payoff: How Successful Businesses Build Consumer Trust," by the privacy commissioner of Ontario, Canada, Ann Cavoukian, and journalist Tyler J. Hamilton.

Both books argue that the companies that are open and honest in their communications, adopt privacy policies and are very clear about how they use collected data discreetly to further corporate growth, efficiency and performance will benefit from wider consumer acceptance in international markets. This, they further argue, is what leads to increased revenue, less litigation from the aggrieved, enhanced reputations for their brands and more prospective partners willing to enter into lucrative cooperative ventures that require a deep well of trust.

"The Privacy Payoff" points readers to a very powerful instrument for determining how well their companies are complying with fair information practices and to what extent these businesses promote the protection of customer privacy. It's called the Privacy Diagnostic Tool Workbook, and it assesses such essential privacy principles as limiting the collection, disclosure and retention of records; instituting customer consent procedures to opt in or opt out of data-sharing programs; verifying accuracy of records; and protecting data from hackers. In addition, authors of "The Privacy Payoff" provide a Privacy Impact Assessment questionnaire in the book that companies can use to ensure that new technology--whether databank, biometric security system, video camera, ERP system or others--complies with privacy requirements.

Importantly, the authors of the book note that privacy policies and systems are just as pivotal to the success of business-to-business relationships as they are to business-to-consumer interactions. More and more companies are entering into joint ventures, either Internet- or extranet-based, to increase efficiency and innovation in supply chains, inventory management, customer relations and other business operations.

As part of these cooperative undertakings, sensitive and proprietary corporate data is shared among all partners. If strict measures and rules are not in place to safeguard private information--such as customer, manufacturing, design and marketing files--companies can end up unwittingly broadcasting some of their most valuable intellectual assets.

Adapting to local ways
Globalization is another noteworthy factor behind the increased attention being paid to privacy. To do business around the world, companies have had to adapt to local cultures and regulations. Privacy rules vary wildly throughout the globe, and navigating this thicket of laws is critical to international commerce.

This is particularly important for American companies, because the U.S. has weak data-protection rules. As a result, a U.S. firm with toothless, but legal, privacy policies could be forbidden from, for instance, sending payroll files or customer purchasing records to an affiliate in a country where shipping data from one place to another is strictly regulated.

The effort that other nations with tough policies have put into enacting strong privacy policies places in stark relief how little the U.S. has done: The term privacy doesn't appear in the Constitution, and no specific set of laws in the U.S. governs the level of data protection companies must provide. In fact, the lack of mandated privacy safeguards has gotten U.S. companies into hot water with the European Union.

In 2000, after months of negotiation with U.S. Department of Commerce officials, the United States devised a series of privacy policies that reward American companies that voluntarily agree to adhere to them. In exchange for following these rules, U.S. companies have the right to collect data from E.U. citizens, which can include anything from consumer credit information to personnel records of employees at subsidiary operations.

Few U.S. companies will be able to avoid Europe's strict view of how data must be protected, say information strategy consultants Michael Erbschloe and John Vacca in "Net Privacy: A Guide to Developing and Implementing an Ironclad E-Business Privacy Plan." Japan also recently passed its first omnibus privacy law, which Professor Westin at P&AB accurately describes as "a 'middle way' between the industry-sector-based privacy laws of the U.S. and the comprehensive data protection laws of the European Union."

P&AB offers the Guide to Consumer Privacy in Japan and the New Japanese Personal Information Protection Law to explain the data-protection climate in Japan and help companies navigate the legislation.

A dash of humor
Although many U.S. companies initially fought consumers' efforts to make companies pay attention to privacy, almost no major businesses today feel they can completely neglect data protection rules.

That doesn't always mean that leading companies make the right privacy choices. (Recall the JetBlue episode in 2003, in which the airline ran afoul of customers when it shared flight records with a Pentagon contractor that was building a travel security database.)

It is also interesting to see how some companies are using privacy to enhance their brand images. The Internet service provider (ISP) EarthLink has run a humorous ad campaign accusing other unnamed ISPs of sharing personal information and promising to be much more discreet.

Microsoft has launched a project called Trustworthy Computing, under which Chairman Bill Gates has challenged the company to be certain that availability, security, privacy and trustworthiness are key components of every software and service product the company develops.

These are just a few examples of how seriously companies today look upon privacy. There's a strong indication that, because of scrupulous motives, strategic imperatives or the cynical notion that privacy sells, in the future there aren't likely to be any more embarrassing CEO-to-CEO rebukes like the one Jeff Bezos received.

To read more articles like this one, visit

Copyright © 2004 Booz Allen Hamilton Inc.

Reprinted with permission from strategy+business, a quarterly management magazine published by Booz Allen Hamilton.

Interested in more research studies like these? If so, sign up for strategy+business enews, a service of Booz Allen Hamilton's strategy+business magazine.