THE CREEPINESS FACTOR: Getting Smarter About Data Privacy

Businesses need to take a cautious approach to customer data, writes Paul Henninger of FTI Consulting

From the General Data Protection Regulation to the emerging EU E-Privacy Regulation, businesses are facing strict new controls around how they use a broad and growing class of personal data.

At the same time, customer analytics, a discipline that classically relies on personal data, has taken a central role in the search for competitive commercial advantage. From share of wallet analysis and customer retention programmes to programmatic advertising and artificial intelligence, more effective use of customer data through advanced analytics can dramatically accelerate growth and profitability. There is a growing tension between the need to respect data privacy regulation and its restrictions on data use versus the drive to gain better understanding through customer data analytics. As a result, many businesses are heading towards an inevitable showdown between these conflicting goals.

In order to create sustainable competitive advantage built on the use of customer data, companies need an approach to sensitive data and advanced analytics that is both careful and highly commercially effective, and that can therefore be relied on for years of insight and data-driven growth.

Achieving the balance between respecting privacy and making the most of data through customer analytics has become more difficult in the last few years; current regulation means that we can’t use all of the data today that we could even a year ago. And corporate privacy initiatives, such as Apple’s introduction of Intelligent Tracking Prevention into the Opera web browser, mean that it’s no longer safe to rely on a brute force approach to the use of customer data.

The key is to adopt a smarter data strategy that reduces the reliance on clearly private data to understand and model customer behaviour. Such a strategy balances, and promotes, the two apparently conflicting objectives of, on the one hand, reducing the cost of near-term data protection compliance, and on the other hand, creating a sustainable lead in the race to better understand and anticipate customer needs and wants.

In formulating the strategy, it’s essential to take account of the Creepiness Factor. This concept is named for that feeling that someone is literally watching over our shoulder when online ads appear connected to an email we sent, or even a conversation we just had. Creepiness provides a way to not only describe how much risk a company is taking by using customer data but to actually measure that risk. By scoring data on three simple criteria, a company can understand how close every aspect of its customer analytic strategy is coming to a line beyond which the use of private data is likely to create customer data risks: that is, it can get a company into trouble with its customers, with investors, and, ultimately, with regulators.

The Creepiness Factor

The Creepiness Factor is a composite score that measures these customer data risks by combining individual scores related to 1) control, 2) distance and 3) granularity. We’ll now consider each of these dimensions in more detail.

1. Control

The degree of control that the customer has over the collection of their data is related to, but more subtle than, the concept of permission. A customer either gives or does not give permission for their data to be used.

Permission can be either active – where a consumer specifically consents to their data being collected and used for certain purposes – or passive – where a customer has the right to decline the use of their data. Active consent requires a specific action by the consumer. Giving passive consent is the equivalent of ignoring an email that says “if I don’t receive a response by the end of the day, I’ll assume we are proceeding with the plan”. Even worse is passive consent with no prompt, when data privacy issues are buried among terms and conditions rather than clearly highlighted for the consumer.

Active consent is clearly the safest and least creepy form of consent, where the consumer has the maximum control over their data. But active consent can be further classified as either compelled or volunteered. Volunteered consent is where a customer offers their data to a company for use without any specific conditions around the use of a service in exchange for that data. A customer might offer their data for networking purposes or so that a service provider can seek out a price on a banking service on their behalf, for example. Compelled consent occurs when a customer is unable to use a service offered by a company unless they agree that their data can be used. Many free online services in essence use compelled active consent to collect customer data: “You can use this excellent email service completely free of charge. Click here to agree to the following terms and conditions.”

Compelled consent isn’t wrong or problematic. A consumer may decide that the service offered in exchange is worth the use of their data. But in calculating the Creepiness Factor, compelled consent gets a higher score than volunteered consent.

The control scale looks like this:

2. Distance

This is a measure of the gap between the circumstances under which a customer gave consent for their data to be used and the application in which the data is used to market or provide a service to that customer. A low distance results when the data is collected within a specific application (e.g. expressing interest in a product) within a specific industry context (e.g. beauty) at a specific time (e.g. today) and used to customise a service that is in close proximity (e.g. presenting a recommendation on another beauty product soon after the collection of the data).

A higher distance occurs when the customer’s data is used to market something that is far away from that original context. In this example, suppose that same data about interest in beauty products was used a year after the data was collected to predict how much a customer would like to recline a car seat in their rental car. The application is different (to customise a product instead of recommending a product), the industry context is different (beauty vs. automotive) and the time elapsed is long (a year). That example would therefore receive a high distance score, which would contribute to a higher Creepiness Factor.

The distance scale looks like this:

When data is collected with very broad permission that the consumer is likely not to understand, there is a danger of “distance abuse” – i.e. the use of data for a purpose unrelated to its collection. This common pitfall increases the risk of upsetting customers and even violating data protection regulations. A recent example is the data that is collected by popular genetic testing services that offer to provide information about your ancestry and health. While consent is required for these services to test your DNA, the consent they typically collect is very broad in terms of both application and time, allowing the companies to do practically anything at any time with very sensitive DNA data.

3. Granularity

This measures how many specific customers a data point is linked to. A very granular use of data occurs when a data point is linked to a single customer. For example, I might use the fact that a specific person bought a tuna sandwich last week on Tuesday at 3pm to offer them a tuna sandwich this Tuesday afternoon. A low-granularity application would link a preference to a large population of customers, such as customers from a particular city or who own iPhones.

The granularity scale is a measure of the number of customers who are grouped together:

Low-granularity uses of personal information are safer because they are fundamentally less personal: by combining many observations about individual behaviour across groups of people with common behavioural characteristics, we can clean the data from the point of view of privacy. This requires different analytical techniques from those commonly used today, but can form the basis of a long-term, low-Creepiness data strategy.

The Creepiness Factor provides a valuable extra perspective on your use of data

Which data is, and is not, strictly private is fairly easily established from a close reading of existing and emerging regulations. Restrictions on the use of web browser cookies to track online identity introduce a distinction between active and passive permission, for example. To gain active permission, a consumer must be asked if their data can be used, and informed what it will be used for. Whether data is gathered via active permission or passive permission makes a big difference to the way it can be used for analysis and marketing.

Although the line drawn by regulation around permissible use is important, it’s certainly not the only consideration for customer-centric organisations when making use of personal data: the Creepiness Factor provides an important additional perspective. An organisation can score the data it collects, then store and use it in an analytics programme according to control, distance and granularity. The organisation can also combine those scores into a single objective measure of Creepiness for all uses and applications of private data.

Benefits of measuring and managing the Creepiness Factor systematically

There are several reasons to do this:

  • It’s a way to take a broader look at where a business is, relative to not only the legal line on data privacy but also that other very real line: public sentiment. Sometimes a critical mass of consumers reaches a point of significant discomfort with the use of their data by a corporation or other organisation they interact with. This can result in customer attrition, reputational damage and other negative business outcomes.
  • The Creepiness Factor has dogged many data initiatives that were well within the bounds of legality. Even attempts to protect us from bank fraud, for example, have failed because people weren’t comfortable with the thought that a bank was using information about their whereabouts that, whether they knew it or not, they had agreed to share with their mobile phone providers. New products or marketing initiatives that rely on an excessively Creepy data strategy run a risk of commercial failure.
  • Creepiness Factor measurements can play a key role in an effective programme of data governance, empowering managers to make informed decisions about where they as an organisation should draw the line on the use of private data and whether a specific use of data comes close to crossing it. A systematic approach means no nasty surprises resulting from the actions of an aggressive product manager or data analyst.

With the right approach, you can find out what you need to know about customer behaviour while keeping Creepiness low

The good news is that there are ways to understand more about customers that don’t involve risking a high Creepiness Factor. In fact, the core value of the maths at the heart of advanced analytics is the ability to extract and use information when we don’t have a direct view of exactly what’s going to happen to exactly whom, or when data is fragmented or sparse. Done the right way, customer analytics is about using maths that finds a way to indirectly link data about the decisions we make in one arena (e.g. home buying or transportation) to decisions we are trying to better understand and influence (e.g. the decision to book a hotel room or watch a new TV show). And when companies can mine information about customer decisions from places where everyone else isn’t already looking, those companies gain a competitive advantage.

By focusing on understanding how customers make decisions instead of profiling each individually, companies can understand more about those customers and maintain a low-Creepiness data strategy. And whatever the analytics strategy, understanding where a customer data programme is on the Creepiness Factor scale will help avoid trouble with regulators, the media, the public and customers.

This approach can help businesses market more effectively, design better products and services, put stores in the right places (or close the ones in the wrong places), and price services the right way. Building a smart approach to data privacy into an analytics strategy helps avoid regulatory scrutiny and undesirable headlines – but doing data smarter means really understanding customer behaviour without crossing a data privacy line to begin with. The Creepiness Factor is a way to measure exactly where that line is.