Avoiding the "Creep Factor"


Georgia (Jul 23, 2014)

Link To Article


Marketing is often described as a combination of art and science, but the science component of that equation has assumed an increasingly important role in recent years. Data has always played some part in modern marketing, first reflected in rudimentary efforts to measure advertising’s cost and effectiveness, such as CPM and Nielsen ratings. With the emergence of big data as a viable and increasingly lucrative marketing tool, data’s continued ascendance seems assured.

However, along with the opportunities big data presents to marketers come some challenges, and a major/significant one is data protection. How should marketers properly store, safeguard, and use the massive amounts of data they collect and analyze in ways that protect themselves, their customers, and prospects, as well as the data itself?

For marketers in highly regulated industries, such as financial services and health care, data protection issues have long been a part of their job description. “As an asset management firm, we are constantly under a high level of scrutiny in this area,” says Sheri Gilchrist, vice president of relationship marketing at Eaton Vance Distributors, a Boston-based investment management firm. The marketing department has all kinds of compliance issues to deal with, and, while the firm is only in the early stages of using big data for marketing, those efforts will be just as highly regulated. However, Gilchrist adds, “It’s a good box to be in because the high level of compliance forces us to constantly be thinking about how we communicate with our customers. We have to be more astute in some ways than marketers in other industries.”

In B-to-B, CPG, and other consumer-facing segments of marketing, more of a Wild West atmosphere still prevails, although that will almost surely change going forward. Backlash generated by recent high-profile database breaches and what many perceive as overreaching by some government agencies is driving a conversation about data collection and usage that could result in new legislation in this area. Still, marketing use of data will remain a growing phenomenon, one that is industry agnostic. For example, City Year, the Boston-based organization that works with at-risk students and schools in 25 cities across the U.S., uses data to develop focus lists, monitor its interventions with students, and track the effectiveness of City Year corps members and partner AmeriCorps members.

“In our shift to become a more data-centric organization, we’ve also leveraged the help of our corporate partners,” explains Gillian Smith, chief marketing officer at City Year. “One example of this is Bain, where they’ve encouraged City Year to look at recruitment and retention of corps members.” Four years ago, when Bain & Co., the global management consulting firm, began counseling City Year on how to access the numbers, survey corps members, and understand factors affecting their retention, the retention rate was about 87 percent. “City Year will end this current school year with a 93 percent retention rate,” Smith says. “That is the highest retention rate among our peer groups and the highest among AmeriCorps programs.”

City Year developed a new technology strategy four years ago with the overall goal of replacing “a bespoke and siloed collection of software solutions with scale-capable tools,” Smith says. Now it has a robust, cloud-based, fully web-enabled platform for its school teams and staff to get their work done. The organization anticipates data playing an even bigger role in the future and has established a business intelligence and data warehousing capability for richer analytics. Smith expects the technology to help City Year improve its effectiveness and more easily identify the traits that make successful corps members.

Against that backdrop, the organization remains keenly aware of the data protection issue. “We often refer to stewardship of this data as a sacred task,” Smith says. Data protection was an important consideration in City Year’s selection of School-force, a student information system, as its network-wide solution for managing interventions with and progress of at-risk students. Smith says City Year “set the bar high” by using state-of-the-art tools with the highest standards for collection and management of data.

The Need for Diligence

As part of their jobs, marketers work with sensitive data on a regular basis, says Chip Wentz, an executive director at Ernst & Young LLP in Raleigh-Durham, N.C., and the firm’s Americas cybersecurity data protection and privacy leader. He sees concerns originating from two areas: personal information and intellectual property. “Direct interactions with customers and target customers utilize data that many individuals consider sensitive,” Wentz says. “There have been several examples of breaches involving this information, specifically from marketing firms, as this data is rich in value for fraudsters and spammers. Breaches involving these types of data are very damaging to a company’s brand and take a while to recover from.” The major risk-management challenge associated with the second area, intellectual property, is the potential loss of a competitive edge if sensitive internal data, such as product and pricing information, is not secured appropriately.

Dan Jaffe, group executive vice president of government relations at the ANA, notes that the No. 1 goal of ANA members is “to delight their customers and make them happy, not unhappy. They don’t want to do anything that might offend their customers or put them off in any way.” He stresses that the steps marketers take to protect customers’ data are important, but how those efforts are perceived by consumers and regulators is equally important. (See “Big Data Goes to Washington,” available exclusively in this issue’s digital edition.)

“That is why we participate in industry-wide efforts such as the development of standards for online behavioral advertising and the creation of the Digital Advertising Alliance [a consortium of advertising and marketing trade groups that focuses on self-regulatory solutions to online consumer issues]. Anytime we are going to be providing information to consumers because of their activities on the Internet or mobile channels, we give them the power to decide whether they want to receive that kind of messaging or not. The entire marketing industry is very aware of the need for diligence in this area,” Jaffe explains.

Doing No Harm

The most significant transformative effect of data has been to take marketing from a single-product message orientation to a customer — or at least a customer segment — message orientation, says Jennifer Lewis Priestley, professor of applied statistics and data science at Kennesaw State University in Kennesaw, Ga. Today’s big data is just tomorrow’s data, she points out, noting that the term “big data” is not really about size. “It’s about the intersection of size, velocity, and variety — and an organization’s ability to reliably handle the data, which, of course, is relative and a moving target,” she says. As an applied statistician, Priestley is quick to acknowledge that she is not a privacy expert, but she believes that with data collection and the size of databases growing at exponential rates, everyone dealing with data has to develop an understanding of and appreciation for the principle of “doing no harm” with data, particularly in a marketing context.

“From what I see, marketers, as well as researchers, statisticians, and any discipline that is engaged in the use of customer data, should be attentive to three litmus tests when utilizing customer data to make decisions,” Priestley says. She characterizes those tests as the letter of the law, the spirit of the law, and the “creep factor,” and she notes that they become increasingly fuzzy as you move through the sequence. Complying with the letter of the law is cut-and-dried in most cases. More than 80 countries around the world have laws governing consumer data, and most are more restrictive than U.S. consumer privacy laws. “Marketers have to know the laws in the countries or regions in which they are operating,” she warns. “As the corporate lawyers will tell you, not knowing the law is not an excuse you can use in court.”

It gets trickier when it comes to complying with the spirit of the law. In the course of her work, Priestley was recently provided with a big data file containing credit attributes for a few million cardholders. Gender, race, and age were not included in the file, and using them in making credit decisions would be a clear violation of the letter of the law. However, by using credit attributes, transaction data, and what she describes as “some pretty big computers,” Priestley was able to predict (and later validate) gender, race, and age with fairly strong accuracy. “Was I in violation of the letter of the law? Nope. If I had used mathematical factors as proxies for those values to decide to whom to give credit, would that have been a violation of the spirit of the law? Yep. Would I have been caught? Hard to say.”

The final litmus test is Priestley’s creep factor. She claims not to find it creepy when, after abandoning an online cart, she is targeted with ads for similar items in exactly her size, but she has friends who do find it creepy and say they would never shop at a store that was “stalking” them online. Priestley cites some findings from the “2014 TRUSTe U.S. Consumer Confidence Privacy Index” to bolster her argument that although consumers’ electronic footprints are getting bigger, people are simultaneously more concerned about their privacy:

  • Ninety-two percent of U.S. Internet users worry about their privacy online, and 74 percent are more concerned than they were last year.
  • Among those who said they were more concerned than last year, the top two reasons they gave were concern about businesses sharing their personal information with other companies (58 percent) and concern about companies tracking their online behavior to target them with ads and content (47 percent).
  • Only 55 percent said they trust businesses with their personal information online, down from 57 percent in 2013.
  • Eighty-nine percent said they avoid companies they do not trust to protect their privacy.

Building Up Defenses

When it comes to storing the data they use and making sure it is adequately secured, both in terms of protecting the privacy of individuals’ data and protecting proprietary data from unauthorized users, marketers face new challenges, say Dawn Eash, senior managing consultant, and Caroline Willis, managing consultant, both at Berkeley Research Group, a global expert services and consulting firm based in Emeryville, Calif. They advise that data storage should involve a combination of logical security measures (e.g., authorization, authentication, encryption) and physical security measures (e.g., secured and locked servers or data centers, restricted access to machines, intra-organization/facility access). Historically, these two mechanisms have been separate, but new technologies integrate both components to balance security concerns with ease of accessibility. The optimal solution depends on the marketing organization’s key competencies, and since the tools available are constantly evolving, the ability to adapt quickly to more efficient technology is crucial, Eash and Willis add

Durjoy Patranabish, senior vice president of big data analytics at Blueocean Market Intelligence, based in Redmond, Wash., notes that the world of data — especially big data — is becoming more and more complex, making a well-thought-out storage strategy a must for marketers. He suggests these guidelines:

  • Identify and segment sensitive data, establishing clear boundaries, defining clear policies and techniques to handle the sensitive information, and providing different levels of user access based on data sensitivity.
  • Be proactive and vigilant in taking preemptive steps to protect areas most vulnerable to database breach.
  • Encrypt and certify all sensitive information — structured and unstructured data — before storing in the database.

When it comes to preventing the misuse of data by marketers, the key lies in having a comprehensive data protection program and then training employees about data protection and how to comply with that program, says Julia Jacobson, a partner at the Boston office of the business law firm McDermott Will & Emery, who focuses her practice on data privacy and security, advertising, marketing, and promotion law.

“To help avoid antagonizing customers, I generally recommend that U.S. businesses ask for affirmative consent from consumers from whom data is collected before or concurrent with data collection,” Jacobson says. “In addition to requesting consent, the business should make sure that its data protection practices are clearly and accurately represented.” She points marketers to a document from the California Attorney General’s office, “Making Your Privacy Practices Public,” which contains 10 recommendations about how to make clear and effective data protection disclosures that comply with the California Online Privacy Protection Act (CalOPPA), considered the most robust online data privacy law in the U.S. and the de facto national standard.

A stark reality of the big data environment in which the marketing industry must now compete is that despite all the procedures and use of the latest encryption technologies and tools, “breaches are unfortunately a cost of doing business,” declares John Isaza, an internationally recognized expert on information governance and a partner in the Orange County office of the San Francisco–based boutique law firm Rimon, P.C. “The key to defending breaches in litigation is to have systematically applied realistic data protection policies, procedures, and guidelines that all users follow, coupled with technology, of course,” he says. “Policies and procedures must be audited routinely and revised accordingly, based on audit results. Finally, insurance is critical to further protect the organization from this very real risk.”

What Marketers Should Be Doing to Protect Themselves

Don’t capture and store sensitive information that isn’t necessary, and get rid of data when it is no longer needed. “Data hoarding, especially of sensitive information, can exponentially escalate the impact of breaches,” says Chip Wentz, an executive director at Ernst & Young LLP and the firm’s Americas cybersecurity data protection and privacy leader. Here are other tips every marketer working with big data should follow:

  • Review online privacy policies to make sure they clearly explain what and when data is collected and how it is used. Make sure data-use practices match what consumers are told.
  • Audit marketing databases and contact lists to identify where data originated (input) and how it is shared (output).
  • Install and use data security software and hardware with industry certifications on all systems.
  • Use authentication protocols and access controls to provide different levels of access. Limit access to sensitive data to only those who need it, and link authentication and access controls to audit trails.
  • Strike a balance between security and convenience. Test different security options and regularly monitor feedback from users.
  • Be careful dealing with third parties. Outsourcing a function does not relieve you of the responsibility of protecting your data. Understand the safeguards third parties have in place and regularly validate them.
  • Designate an individual responsible for procedures and practices that protect personally identifiable information. “This should not be the same person interacting with the data on a regular basis,” says Dean Abbott, chief data scientist at Indianapolis-based Smarter Remarketer, Inc., which focuses on behavioral- and data-driven marketing automation and customer intelligence.
  • Engage customers in a meaningful dialogue about your data privacy practices, emphasizing the responsibility of both parties to maintain the security of personal data.


A leader in innovative teaching and learning, Kennesaw State University offers undergraduate, graduate and doctoral degrees to its nearly 43,000 students. With 11 colleges on two metro Atlanta campuses, Kennesaw State is a member of the University System of Georgia. The university’s vibrant campus culture, diverse population, strong global ties and entrepreneurial spirit draw students from throughout the country and the world. Kennesaw State is a Carnegie-designated doctoral research institution (R2), placing it among an elite group of only 6 percent of U.S. colleges and universities with an R1 or R2 status. For more information, visit kennesaw.edu