Contrasting Problems…

I would not even attempt to keep up with the wonderful job the Open Rights Group is doing of providing running commentary on Discgate.

But I would like to compare and contrast the 3 main privacy ‘scandals’ of the last few weeks in order to show the need to manage the problem at both overall level, and at specific component level.

To do so I’ve completed a ‘remote’ Trust Index assessment of Facebook, Sky TV and HMRC; ‘remote’ meaning based only on what I can assume or glean from outside the organisation.

The three scores are shown below:

[Chart: Trust Index scores for Facebook, Sky TV (UK) and HMRC; images not recovered]

As we see, this exercise shows that organisations may score broadly the same on The Trust Index, but with significantly differing dynamics within that score.

Beyond that, we should note that scores below 50% on the index are poor anyway. Unless organisations are scoring a minimum of 75% on the index then they are not trying hard enough and are allowing other business factors to override their respect for the personal data of their customers.

Hard Re-set Required for Direct Marketing to Re-invent Itself

(Cross post from Right Side Up)

As a buyer of far too many computing gadgets over the years, I’ve become very familiar with the term ‘hard re-set’. This is typically used to describe a situation in which a system has got its inner workings so tied up in knots that the only way to fix it is to wipe the slate clean and start again.

I’m increasingly of the view that a hard re-set is what is required to re-invent the direct marketing industry (in which I include Facebook, Adwords et al) and in doing so prevent it from self-destructing. Before we get to what that hard re-set will involve, let’s be clear about what the problem is.

In my view, what’s killing the industry (which I’ve been part of since 1986) is its determination to cling on to the principle that unless an individual has ‘Opted Out’ then they are fair game to be targeted with marketing messages.

In some aspects of the direct marketing industry, e.g. direct mail prospecting, the interpretation of ‘opt out’ is not subtle, i.e. we’ll physically mail you with whatever we like, when we like…..and enough of you will respond to make it worth our while.

In other areas, e.g. e-mail marketing or loyalty/ retention marketing there is at least some form of value exchange in place….give us your contact details and consent so we can market to you, and we’ll let you have a look at content ‘for free’ or we’ll give you a discount on something you may buy (both of which, by the way, we may cover the cost of and more by selling your contact details and related data to someone else).

There are further aspects of the industry that are prone to what amounts to self-serving behaviours on behalf of the direct marketer. These typically involve the ‘grey areas’ such as ‘soft opt-in’ (deriving an opt-in from an existing ‘relationship’ rather than a pro-active customer consent); advertising within service communications; selective interpretation of how to use industry suppression files (such as the Mailing Preference Service in UK or Do Not Call list in USA); weak design of suppression files (i.e. too many exceptions left in place); burying the use being made of personal data either by summarising to a meaningless level, or losing within privacy policies that no-one reads other than those who drafted them.

But….guess what….. despite all this trickery, selective interpretation and manipulation, it’s still not working. Opt Out rates continue to climb on internal and external suppression files……, at least until the next work-around or piece of marketing spin makes them dip for a few months, before the inexorable upwards march continues…..and response rates on many direct marketing activities are zero.

What’s the direct marketing industry response to this? It’s simple – find new direct channels (e.g. Google Adwords, Facebook) and/ or send more messages. After all, e-mail costs peanuts to send, and on ‘digital’ we can at least pretend we have permission to market. So, I’m really looking forward to counting how many ‘twelve days of xmas’ e-mail campaigns I get targeted with this year (in fact I got my first this morning); which marketer can turn down the opportunity to send e-messages 12 days in a row?

Of course none of this would matter if marketers were sending messages that were highly targeted, using good input data, and thus were relevant to the recipient. They are not – the average 98% non-response rate is enough evidence for that (wouldn’t it be good for the mind-set change if Marketing Directors tracked campaign performance via non-response rates instead of the response rates they ask for now!!!). And this issue of relevancy of message is where we realise that the inner workings of direct marketing as currently deployed need that hard re-set:

• Sending relevant communications requires rich, ‘needs’ based data (typically expressed as ‘intention’)
• The only source of accurate needs/ intention data is the individual
• But the individual knows that handing over rich, needs based data will increase the amount of direct marketing they are exposed to
• So they either don’t hand it over, or enter flawed or dummy data to get at what they want (where consent is being swapped for information)
• Leaving organisations to derive ‘needs’ from other sources (e.g. transaction history) – and thus send irrelevant messages informed by best guesswork.

As an aside, when deriving from transaction and interaction data, some organisations will direct market better than others…Amazon, Tesco, Network Solutions are some who do it well – at least in the current modus operandi. They typically take the time and effort to do rich analysis on the raw material they do have, and send communications based on it. But even their raw material has flaws; to illustrate:

• Amazon regularly send me e-mails along the lines of ‘other people who bought MySQL for Dummies bought MySQL for Beginners’; the problem being that the MySQL book I bought was for a developer working with us. The chances of me buying another one are zero – that need has long since gone. Of course Amazon could provide me with tools to flag that this book was not for me…..but why would I want to spend time cleaning up data (unless, of course, it was exportable to my own record)?
• Tesco – I have a Clubcard although could not honestly say that it ever influences my buying behaviour as I’ll buy groceries from whichever supermarket is near where I happen to be and rotate around the online deliverers waiting for one to come up to scratch. That said, Tesco don’t seem to bother me much with direct marketing, so I’m obviously not in a high value segment (according to the data they have anyway), and they are probably making enough money from me in re-selling what they do know to the FMCG manufacturers.
• Network Solutions. These guys are my favourites, they try so hard on cross and up-selling and have designed much of it very well that they could be a ‘poster child’ for CRM. The problem is they just don’t know when to stop deriving ‘new stuff we could sell’ from the scraps of data they have access to. Consider the screen-grab below, which is what they present me with each time I’m on their site. Granted, I do live in England; but surely even the most optimistic marketer is not going to expect to sell to a Scotsman!!!!


So….back to that hard re-set…..

I believe that there are four components of a solution that, when deployed, would revolutionise direct marketing; and in doing so build a more receptive customer base. A genuine win-win that would far outstrip the short-term headaches. The components are:

Cross-Media Suppression File

The first, and most fundamental, the hard re-set itself, is making available a blanket opt out of all direct marketing suppression file. That is to say, a reference file within which an individual can register their preference to receive NO direct marketing messages at all from point of registration onwards – unless they have actively and overtly opted in through a consents management vehicle under their control. This file would include all direct media (direct mail, e-mail, SMS, telephone, mobile telephone, VOIP, pop-ups/ i.e. tracking cookies – and any other direct media invented over time). The file would be created as a stand-alone entity, but could be configured to take in feeds from existing suppression files such as Mailing Preference Service, Do Not Call, the proposed Do Not Track etc.

Persona/ Role Based Opt In Capability

Second – the capability for the individual to establish one or more ‘privacy profiles’ at persona/ role level. The ability to operate at persona level is key in that in different aspects of life an individual may wish to establish different communications preferences. For example an individual in their head of household mode may wish to receive ‘no junk mail’, but in their ‘Secretary of the Golf Club’ persona they may be happy to receive messages from useful business services only….but delivered to a different address.

Articulation of Needs/ Wants (Intentions) in Usable Format

Next – when the blanket opt out is established as a point of principle, the end user then must be enabled to opt back in to specific communications – but on their own terms. This means being able to specify some or all of:

• Who they wish to receive messages from
• Which message types they wish to receive (e.g. offers, quotations, reminders, news updates)
• About what they wish to hear
• At what time they wish messages to arrive
• Through which channel
• Over which time period messaging should be switched on

Message Management Capability

Lastly we need a message matching and management capability. The above capabilities, in combination, generate a file of ‘opted in, buying intentions requesting matching offers’. This must then be matched against a file of ‘people/ organisations that want to sell stuff/ provide requested offers or information’. Where a match is found, an introduction is made; where not, no message is sent (or the individual is told that no messages matching the criteria they set are available). Ideally the message matching and management capability will be able to work across all relevant media. It should also have ‘closed loop’ reporting capabilities in order that all parties can track the success of their actions/ learn for future use. It should also help the recipient understand the upsides and downsides of the various media options in the context of what they wish to receive, in order that they choose which works best for each message (e.g. a mailed catalogue may be most environmentally damaging, but may still be the best means of deciding which conservatory to buy as it offers the most detailed visuals and descriptions in a format that can be browsed in a relaxed/ un-pressured manner).
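The four building blocks above (blanket suppression file, persona-level opt-in, structured intentions, matching with closed-loop reporting) fit together as a small piece of code. The following is an added illustration written for this page; it is not the author’s VRM Proof of Concept or the Privacy Preference Service itself. The channel set, the individual and sender names, the addresses and the dates are all constructed for the example.

```python
"""Toy Privacy Preference Service: a blanket cross-media suppression file,
persona-level opt-ins expressed as structured intentions, and a matching step
that either makes an introduction or sends nothing. Added illustration; it is
not the author's VRM Proof of Concept, and every name below is assumed."""
from dataclasses import dataclass, field
from datetime import date

CHANNELS = {"direct_mail", "email", "sms", "phone", "cookie"}  # assumed channel set


@dataclass(frozen=True)
class OptIn:
    """One consent the individual sets on their own terms, at persona level."""
    persona: str
    address: str                 # where this persona wants messages delivered
    sender: str                  # "*" = any sender the service has registered
    message_types: frozenset     # e.g. offers, quotations, reminders, news
    topic: str                   # what they wish to hear about
    channels: frozenset          # through which channel(s)
    valid_from: date             # over which period messaging is switched on
    valid_to: date


@dataclass(frozen=True)
class Offer:
    """What a would-be sender wants to put in front of the individual."""
    sender: str
    message_type: str
    topic: str
    channel: str


@dataclass
class PrivacyPreferenceService:
    suppressed: set = field(default_factory=set)   # individuals with the blanket opt-out
    opt_ins: dict = field(default_factory=dict)    # individual -> [OptIn, ...]
    log: list = field(default_factory=list)        # closed-loop record of every decision

    def register_opt_out(self, individual):
        """The hard re-set: from now on, no direct marketing unless opted back in."""
        self.suppressed.add(individual)

    def add_opt_in(self, individual, opt_in):
        if individual not in self.suppressed:
            raise ValueError("opt-ins only make sense on top of the blanket opt-out")
        if not opt_in.channels <= CHANNELS:
            raise ValueError("unknown channel in opt-in")
        self.opt_ins.setdefault(individual, []).append(opt_in)

    def match(self, individual, offer, today):
        """Return ('introduce', persona, address) or ('suppress', None, None).

        Anyone not on the suppression file is reported as 'not_registered':
        the service has no preference of theirs to enforce."""
        if individual not in self.suppressed:
            decision = ("not_registered", None, None)
        else:
            decision = ("suppress", None, None)
            for o in self.opt_ins.get(individual, []):
                if (o.sender in ("*", offer.sender)
                        and offer.message_type in o.message_types
                        and offer.topic == o.topic
                        and offer.channel in o.channels
                        and o.valid_from <= today <= o.valid_to):
                    decision = ("introduce", o.persona, o.address)
                    break
        self.log.append((individual, offer, decision[0]))
        return decision

    def report(self):
        """Closed-loop reporting: introductions versus suppressions so far."""
        counts = {"introduce": 0, "suppress": 0, "not_registered": 0}
        for _, _, outcome in self.log:
            counts[outcome] += 1
        return counts


def demo():
    """Constructed scenario from the post: 'no junk mail' at home, business
    services welcome in the golf-club-secretary persona, at a different address."""
    pps = PrivacyPreferenceService()
    pps.register_opt_out("alice")
    pps.add_opt_in("alice", OptIn(
        persona="golf club secretary", address="secretary@example-golf.test",
        sender="*", message_types=frozenset({"offers", "quotations"}),
        topic="business services", channels=frozenset({"email"}),
        valid_from=date(2007, 11, 1), valid_to=date(2008, 4, 30)))
    today = date(2007, 11, 25)
    results = [
        pps.match("alice", Offer("acme-mailers", "offers", "conservatories", "direct_mail"), today),
        pps.match("alice", Offer("acme-office", "offers", "business services", "email"), today),
        pps.match("alice", Offer("acme-office", "offers", "business services", "sms"), today),
        pps.match("alice", Offer("acme-office", "offers", "business services", "email"), date(2008, 6, 1)),
        pps.match("bob", Offer("acme-office", "offers", "business services", "email"), today),
    ]
    return results, pps.report()
```

Running `demo()` shows the intended asymmetry: the mailed conservatory offer, the SMS variant and the out-of-period e-mail are all suppressed, only the in-period business-services e-mail produces an introduction (and it carries the golf club address, not the home one), and the individual who never registered gets no decision from the service at all. The suppression file is deliberately the default; opt-ins are the only way to get a message through it.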

In addition to these 4 building blocks, there is an implied commercial logic in such a modus operandi. This is quite simply that by respecting individuals’ right to choose the direct marketing messages they receive, the response and conversion rates from these messages will be much higher.

For example, I already know that I will lease a new car next April when my existing lease runs out. I have a pretty good idea which manufacturers I’ll consider, and which cars within those manufacturers. And what I don’t know now, I will research through buyer-centric information sources such as Which, Edmonds or similar. Once I’ve made up my mind on a preferred option, with all the options I want tagged, and two fall back positions then I’ll ‘go to market’ with a very clear spec, defined time lines, and money waiting to close the deal. I’ll end up with what I want at a fair price, and the suppliers I engage with will either have closed a sale, or come close without wasting too much time/ effort.

My colleagues and I have built a VRM Proof of Concept that demonstrates the above, it is accessible here.

This proof of concept shows a scenario in which the individual is fully in charge of the direct marketing messages they receive. It shows illustrative deployments of the 4 building blocks above. It’s not fully built out by any means – no organisation is using the suppression file in anger, only a few products and services in the opt-in table have any substance behind them (ipods and travel insurance), product/ service selection itself could be built out in many alternate ways, and e-mail is the only messaging protocol demonstrated.

…..but it does show how an individual could be empowered to only receive the direct marketing messages they want to receive….and only those messages.

What would be required to shift from the current approach to something like that shown in the Privacy Preference Service?

Firstly, let’s be clear – it’s not about technology, although that helps in specific aspects of the challenge. Also, it’s not about changes in legislation – all that ever does is raise the bar on a temporary basis until commerce demands that work-arounds be found. New/ upgraded legislation will emerge in the privacy space over time, and will help – but it won’t be leading the charge.

It’s really about that mind-set change, which is, of course, helped if it is underpinned by commercial logic. Organisations must recognise that they are alienating their customers and prospects by sending irrelevant marketing messages. They must also realise, difficult as it will be, that ramping up spend on data mining, customer insight, real-time ‘next best offers’, Facebook beacons etc etc, and all the latest CRM wizardry is not the answer. The real answer is to cede control of ‘customer needs’ data to the customer themselves, and to build tools and services that allow this data to flow.

That’s what Project VRM will do. The logic behind Project VRM is clear – that the tools required to balance relationships must be built on the customer side. Permission management tools such as those discussed above are a good start point.

The Straw (Data Breach) that Broke The Camel’s Back

This appalling loss of 25 million personal data records by Her Majesty’s Revenue and Customs has to become the tipping point for a marked increase in respect for personal data across all of UK government and beyond.

And this on the back of last week’s revelation that the Foreign and Commonwealth Office had breached the Data Protection Act.

More resignations please and then some strong proposals on how to transform the situation……

….This is unlikely to be based on an ‘honest we’ll do better next time’ approach, or even bringing in Data Breach legislation after the horse has bolted – Project VRM and User-Centric Identity Community….please help!!!!

Data Breach Laws Rejected in UK – Now We Know Why..

Contrary to House of Lords recommendations, the UK Government are refusing to introduce data breach notification laws.

According to a House of Lords spokesman, Lord Errol, the UK government ‘does not get the threat to the internet posed by cybercrime’.

‘The powers would apply to government as well as the private sector. We think that’s why [the government] is resisting it,’ said Lord Errol.

A very timely quote, given that on the same day it is announced that Revenue and Customs have ‘lost’ a CD with personal details of 15,000 customers of Standard Life.

12 Components of Trust – In relation to personal data

Over on the Project VRM mailing list there is a developing discussion around the different variants of ‘trust’ that relate to CRM or its VRM counter-point. From that discussion it’s clear that this is a complex area with people coming from multiple different perspectives.

To try to help that debate along, here’s a view from the Trust Index assessment – which tackles only the ‘should I trust you with my personal data’ aspect (*), but does so in some detail. Before delving into that, it is worth remembering that this assessment is based on European grade Privacy Legislation and its underlying principles, and then further enhanced with additional questions arising from good customer management practice. The principles themselves are very solid and based on many years of applied thinking (it’s only the deployment that does not work well).

When Privacy Officers answer these questions to complete an assessment, they select from 5-point scale answers which are backed with detailed compliance text to help clarify any queries they may have on scoring. Additionally, each question/ score is weighted based on input from experts as to the relative impact of problems in each of the 12 areas.

(*) At present we take the view that to tackle more than one trust component would be too difficult, as their definition is less solid than ‘privacy’, which has legal underpinnings. Should strong definitions of ‘trust’ emerge across other areas of the VRM discussion then this index can be extended.

Trust Index Assessment

1. How would you describe the overall approach your organisation takes to managing personal information?

2. What safeguards does your organisation have in place around the collection of personal information?

3. Does the organisation have processes and controls in place to ensure that my personal information is used only for the purposes I have agreed to in providing it to you?

4. To what extent does the organisation deploy the principle of retaining the minimum information to support the use being made of it?

5. How does your organisation ensure that the accuracy of my personal information is maintained?

6. Does the organisation have a comprehensive, accessible policy around how long it retains personal information, and how it disposes of it on completion of use?

7. How does the organisation approach the principle that I should be able to access the personal information stored on me?

8. How does the organisation ensure the security of my personal information when it is in their hands?

9. How does your organisation ensure the security and integrity of personal data when you share it with your suppliers, partners and other third parties?

10. How does your organisation enable me to understand the risks that exist around your management of my personal information, where liabilities lie and what remedies will be brought to bear in the event of a data breach?

11. Does the organisation have a process in place to proactively contact me if an information breach occurs that exposes personal information about me to risk?

12. To what extent does the organisation enable me to access/ download/ utilise the information within your systems to add value to me?
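The mechanics described above (twelve questions, 5-point answers, expert weighting) and the observation in the ‘Contrasting Problems’ post that two organisations can share a headline score while the dynamics inside it differ can both be shown with a short scoring routine. This is an added example for this page, not the Trust Index’s own scoring code: the short question labels, the linear 1-to-5 mapping, the two answer profiles and the ‘security-heavy’ weighting are all assumed; only the 50% and 75% thresholds come from the post.

```python
"""Weighted Trust Index scoring: an added illustration of how twelve 5-point
answers combine into one percentage, and how two organisations can share a
headline score with very different component profiles. The weights and
answers are assumed for the example; they are not the Index's own."""

QUESTIONS = {
    1: "overall approach", 2: "collection safeguards", 3: "purpose limitation",
    4: "minimum retention", 5: "accuracy", 6: "retention and disposal policy",
    7: "subject access", 8: "security in-house", 9: "security with third parties",
    10: "risk, liability and remedy transparency", 11: "proactive breach notification",
    12: "access / download / re-use by the individual",
}
SCALE_MIN, SCALE_MAX = 1, 5     # the 5-point answer scale
POOR, TRYING = 50.0, 75.0       # thresholds from the 'Contrasting Problems' post


def component_pct(answer):
    """Map a 1..5 answer onto 0..100% (assumed linear mapping)."""
    if not SCALE_MIN <= answer <= SCALE_MAX:
        raise ValueError(f"answer {answer} outside {SCALE_MIN}..{SCALE_MAX}")
    return 100.0 * (answer - SCALE_MIN) / (SCALE_MAX - SCALE_MIN)


def trust_index(answers, weights=None):
    """Return (overall %, {question: component %}).

    weights: question -> relative impact of problems in that area;
    equal weighting when omitted."""
    if set(answers) != set(QUESTIONS):
        raise ValueError("all 12 questions must be answered")
    weights = weights or {q: 1.0 for q in QUESTIONS}
    comps = {q: component_pct(a) for q, a in answers.items()}
    total_w = sum(weights[q] for q in QUESTIONS)
    overall = sum(weights[q] * comps[q] for q in QUESTIONS) / total_w
    return round(overall, 1), comps


def verdict(overall):
    """Apply the post's thresholds to a headline score."""
    if overall < POOR:
        return "poor"
    if overall < TRYING:
        return "not trying hard enough"
    return "respecting customers' personal data"


def weak_components(comps, threshold=POOR):
    """Questions scoring below the threshold: where the 'dynamics' differ."""
    return sorted(q for q, pct in comps.items() if pct < threshold)


# Two constructed profiles that share a headline score under equal weights.
UNIFORM = {q: 3 for q in QUESTIONS}                        # middling everywhere
POLARISED = {q: (5 if q <= 6 else 1) for q in QUESTIONS}   # strong on policy, weak on security, breach, access
# Assumed expert weighting: problems in security and breach notification count three times.
SECURITY_HEAVY = {q: (3.0 if q in (8, 9, 11) else 1.0) for q in QUESTIONS}
```

With equal weights both profiles come out at 50.0%, the same ‘not trying hard enough’ verdict, yet `weak_components` is empty for the uniform profile and lists questions 7 to 12 for the polarised one. Applying the security-heavy weighting leaves the uniform profile at 50.0% but pulls the polarised one down to 33.3%, into ‘poor’; that is the kind of per-component dynamic the headline number hides.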

Can I Own My Data?

(Cross post from Right Side Up)

Ownership sounds like such a simple idea…..

At first glance, the ownership of “my” data seems straightforward. I created it (or at least was involved at the beginning), it’s about me, so I own it. But personal data is a slippery concept. For one thing, a lot of the time it’s co-created – by me and my supplier, including my government. And tying down the legal specifics of data ownership is a bit of a minefield. Hence the recent and continuing debate on the Project VRM mailing list about whether an individual does, can or should ‘own’ personal data relating to them.

I take the view that individuals will ultimately have a form of ownership rights to data that relates to them. So far so good, but the word “ultimately” there is important, and frustrating. This will take some time to happen, and will relate to only some of the data in question. My view is that ‘ownership’ of personal data will come about through a combination of issues and events; and that this will all pan out over the next few years.

Firstly, the sensitivity of individuals to problems with firms’ use of data is rapidly increasing. The way most organisations gather and use data is often invisible to the individual, and almost always annoying to them. For one thing, there are regular and sizable breaches in data security. One example is the TK Maxx breach – which has now doubled in size from that originally admitted. Plus there’s a growing identity theft problem, with little sign of a solution in sight. And as we all know there are ongoing problems with spam to compound the everyday irritation of poorly targeted, invasive direct marketing. In the same ‘worrying’ space are large corporate acquisitions or investments (e.g. Flickr/ Yahoo or Facebook/ Microsoft) in which access to identity data initiated by and important to the subject is traded for a few dollars per record.

This increasing pain, without legal recourse, will drive some firms to offer commercial services to reduce that pain. These will include ‘who has data about me’ services such as Garlik, reverse-marketing services such as Pureprofile, transparency enablers such as The Trust Index (disclosure – this one is one of my hobby horse projects) and some plays from more traditional players in the personal data space such as Experian, Equifax or CallCredit. All are now beginning to explore how they can sell personal data back to the data subjects.

Another driver will be data breach notification legislation. It will be deployed in the EU and in many other countries. I expect it will be watered down, and won’t do too much in practice to change the accessibility of stolen customer data. The going rate, by the way, is £140 for 1000 credit card records – with security codes – or so I heard the last time I checked. But no matter, such legislation will at least build some additional legal rights on the side of the individual in the personal data space.

Next, opt-in-based direct marketing is going to become the norm across ALL communications channels – upping the value of ‘permissions’ data. This will be a sensible approach for large organisations to adopt commercially, largely for environmental reasons. And user-centric identity technologies (such as open ID, Infocard and i-names) will start to become more popular. They’ll impact b2c (or more accurately c2b) electronic relationships. People will want to restrict the flow of personal data into organisations, though people will see a clear trade off in offering personal data to get improved customer experience.

Meanwhile, the next generation of personal information management services will emerge. These alternative ‘single views of the customer’ will be available for organisations to tap into — with permission, and usually at a cost. This will be the trigger point for real change. For the first time, data sourced FROM an individual will be more valuable commercially than data gathered ON an individual. In practice, this is about “pull”: the commercial value of these new data sources comes from the higher response rates that come from the much improved relevancy of communications. ‘Pull’ beats ‘push’ every time at the micro, one-to-one level.

When this new value is created within the PIMS, commercial law swings into gear. Individuals and suppliers will build robust contracts around these new services and at last, we have something akin to ownership of our personal data.

In short, the point at which I will ‘own’ my personal data is the point at which I can actively manage it. If I have the choice over whether to sell it to someone, and can cover that sale with a standard commercial contract, then I clearly have title. But – and this is crucial – this doesn’t mean that I ‘own’ all the personal data that relates to me. Lots of it will still be lying around in various supplier operational systems that I won’t have access to (and probably don’t want to – much of it is not worth me bothering about).

Technically we can just about do this now. As ever, I think we’ll have to wait a bit longer for all this to build a mass market for personal data ownership and management. That said, I think we’ll start to see little signs of life in this space over the next 12 months. Watch, as they say, this space.

Talking of which, do any of you database marketers out there want to buy my ‘intention to buy’ data for the next 6 months? I’ll break it down by product / service category, add likely purchase dates, indicative amounts and existing preferences of various types… and send it in a format that feeds straight in to your CRM system. £10 per category for a one off use, and I can GUARANTEE that my data will be more predictive of what I’m going to buy than your own analysis or what you can buy in from other external data providers.

Iain Henderson

Some Useful Research

Here’s some useful input from Experian; we’ll be looking to take this down several levels of detail with The Trust Index over the next few months.

Consumer threat to blacklist unsecure brands

The majority of UK consumers have threatened to go out of their way to spread brand-owners’ data protection failings, following a sharp rise in firms failing to keep personal information safe.

According to a new study by how businesses store and use personal data is a crucial factor in whether a person is likely to buy from an organisation or not.

Sixty-five per cent of respondents in the survey claim they would not buy again from a company that did not keep their personal information absolutely safe.

The survey also found that car dealers are the organisation consumers are least likely to trust – 46 per cent of respondents would not rely on them to keep personal data safe, closely followed by insurance and Internet companies.