Enterprise: the business case for privacy

The free flow of information ranks right up there with dress-down Fridays and yearly cost-of-living wage increases as a core American business value. But as organisations develop increasingly intrusive methods of gathering intimate profiles of consumers, another American value-privacy-is starting to come to the fore.

Like two tectonic plates, privacy concerns and a business's right to collect and exploit customer information grind against each other, sending out shock waves to the business world. So far, no company has made a privacy transgression of earthquake proportions. Organisations like Lexis-Nexis Inc and Metromail Corp suffered negative publicity from selling Social Security numbers and children's personal information, respectively, but eventually these disturbances blew over.

Someday, however, the earthquake will come when a sufficiently large incident -- or a series of smaller tremors -- galvanises strong public outrage. The resulting seismic ripples could threaten industry's ability to access data critical to its continued success.

"Customer information could become a key driver of margins in many otherwise commoditised business categories," says Jeffrey Rayport, associate professor of business administration in the service management unit at Harvard Business School in Cambridge, Massachusetts. "Any company that raises privacy concerns among its target market consumers will find it difficult, costly or both to access such information in the future. Thus, if assuring data access is critical, then avoiding crises regarding invasion of privacy is equally important."

No company collecting data on customers will admit it doesn't care about protecting consumer privacy. But very few actually give consumer data protection the attention it deserves; either they don't understand how volatile privacy issues have become or they fail to see any direct business value. While it's easy to see the payback from selling or leveraging consumer data for marketing purposes, the benefits of protecting the data against privacy infringements aren't readily apparent. Staff writers examine companies that have gone beyond what law or public opinion dictated to develop best practices in privacy protection. Each of them was able to see the simple fact that has eluded so many of their competitors: Privacy protection pays.

Firefly Network

Privacy as Business Model

Firefly's long-term success depends on assuring acceptance of its vision of privacy as a de facto standard on the Web. Firefly Network Inc was still in its larval stage when it traded one form of competitive advantage for another less obvious one by helping to foster privacy on the Internet. First, this four-year-old Cambridge, Massachusetts-based vendor of personalisation software for Web sites made the revolutionary decision that the data it collected actually belonged to consumers, not to Firefly. Its software allows companies to collect and pool consumer preference information on the Web, enabling each company to customise its product offerings. For example, if a music vendor knows that a visitor to its Web site likes Patsy Cline and Dolly Parton, it can suggest that the customer buy a Reba McEntire CD. Better yet, if the vendor knows that other individuals who enjoy Cline and Parton also rave about Kenny Rogers, it can make a much more intelligent and insightful recommendation and even bring these country music buffs together in an online community to generate brand loyalty.

When an individual's information is transmitted to the vendor, it is also recorded in Firefly's databases. By now, Firefly has amassed enough data to achieve direct marketing nirvana. Yet, from the very beginning, Firefly regarded consumer privacy as inviolable. "The Web doesn't work unless people feel comfortable sharing information with others," explains Saul Klein, Firefly's senior vice president of corporate strategy and brand.

Firefly maintains data in aggregate form and does not sell it to third parties. Only with the permission of the consumers will Firefly use the data to help them find products or people matching their interests. Each of Firefly's corporate customers must abide by this policy. To validate its privacy claims, Firefly hired Coopers & Lybrand in February 1997, becoming the first company to perform a privacy audit on the Internet.

The company's next move in May 1997 was to take its privacy policies, which it could have leveraged as a way to gain consumer confidence over competitors, and offer them to the world as a specification. Together with Netscape Communications Corp., Firefly spent several months crafting the Open Profiling Standard (OPS), a technical architecture that enables the confidential online exchange of profile information between individuals and businesses.

Devoting time and energy to creating global privacy standards might seem risky for a startup like Firefly, but its founders knew that by promoting wide acceptance of the personalisation model, they would ultimately profit. In essence, Firefly followed a time-tested model for success: By making its own proprietary technology a standard, it hoped to build a branded base among vendors and users and foreclose on competing contenders for standard status. "Our gamble was that, if this marketspace for personalisation is going to be as big as we think, [getting there] is not something we can do on our own," Klein says.

The gamble seems to be paying off. In just 18 months, Firefly's consumer customer base has climbed to three million. The company has also developed strong relationships with 100 of the top Internet technology vendors, including IBM Corp, American Express, Digital Equipment Corp and Yahoo Inc, some of which are bundling Firefly products into their own. These relationships ensure that Firefly not only enjoys wide distribution of its products but also stays tuned in to the pulse of the industry.

All of this adds up to "a first-mover advantage", says Klein. "By demonstrating that Firefly was a company ready to commit time and resources to privacy, we validated our leadership and expertise." In short, he says, "It was time well spent."

Equifax

Privacy as Image Rehab

Credit-reporting bureaus are notorious for their privacy missteps. By resorting to a host of privacy-conscious initiatives and some aggressive spin marketing, Equifax is putting distance between itself and the rest of the pack.

Few consumers today think fondly of credit bureaus. Not only have credit bureaus been known in the past for lousy consumer responsiveness and inaccurate data but for notorious privacy violations. Atlanta-based Equifax, for instance, has been entangled in its share of such slip-ups, including a recent fiasco in which a spinoff business unit was alleged to have sold consumers' unlisted telephone numbers to bill collectors and others. But today, a chastened Equifax is rallying to change the industry's negative reputation and recover from its own checkered past by displaying greater sensitivity to privacy issues.

Equifax goes above and beyond what the law requires when it comes to protecting privacy. And it takes great pains to let the world know it. The company named John Ford, a former public relations professional at Equifax for six years, as its vice president of privacy and external affairs. Ford spreads the word about Equifax's policies by speaking at many conferences and events, winning grudging admiration from privacy watchdogs.

"I guess Equifax has a few things to brag about," says Robert Ellis Smith, publisher of Privacy Journal, a consumer privacy publication. "Equifax shows up at these privacy conferences and continues the dialogue, which [is something competing credit agencies] won't do." Equifax also generated publicity by sponsoring an annual survey that gauges consumers' attitudes about privacy.

Equifax's commitment goes beyond just public image, however, says Ford. In 1991, it invested $US30 million for improvements in data quality and consumer responsiveness, including toll-free access enabling people to opt out of credit marketing offers or correct inaccuracies in their records. In 1989, Equifax became the first company to hire an outside privacy consultant. Although that consultant, Alan Westin, professor of public law and government at Columbia University in New York City and publisher of the newsletter Privacy & American Business, can't catch every problem, he makes an effort to review most products and business units in the company to make sure they embody fair information practices. He reports his findings directly to the cheif executive officer and is apparently more than a paper tiger. Westin advised against the idea of a national database for health-claims information because he knew people would be bothered by the idea, he says.

"With such a large, complex business, there will sometimes be errors," says Westin. "But the question is, If they make a mistake, do they move on and try to correct it?"

Why would Equifax do more than the law requires? Much of its motivation springs from the need to react to past snafus and prevent others in the future. Beyond that, however, Equifax's initiatives guarantee it a voice in the ongoing public policy debate over privacy. Ford speaks frequently in front of industry groups, professional associations and educational institutions. He also has testified before the Federal Trade Commission (FTC) and other government bodies, where he can advance Equifax's agenda regarding national privacy law.

But the most important reason is that Equifax hopes to leverage privacy as a key competitive differentiator. As the company's corporate customers increasingly feel heat from consumers on privacy matters, they, in turn, will demand better privacy hygiene from their business partners. Already, says Westin, Equifax is winning business because of its policies, including helping a customer enter into a recent contract with the American Association of Retired Persons.

"The return on investment is first and foremost increased respect and enhanced corporate reputation," says Ford.

Equifax's labours are doubly important because, in the future, it plans to expand into the electronic commerce environment with services and products that help sellers and consumers do business in a secure manner. The surveys and speaking engagements position Equifax as the agency of choice. "Our goal is to be the preferred steward of consumer information," says Ford. "In order to do that, we have to know what consumers are thinking."