Online companies have raised the eyebrows of privacy advocates who think web generated data should only be archived for a specified period of time. And while some companies have bowed to public pressure and only keep data on customer searches for a maximum of three months, others have not acquiesced. When it comes to privacy concerns, should Internet based companies be required “to forget?”
Neuroscientists have long claimed the act of forgetting is important to the processes of the human mind. Humans have a need to forget especially because each day our brains deal with tons of trivial information and clutter, not to mention hundreds if not thousands of marketing messages.
Therefore, our mental processes must prioritize which facts should have more importance than others–such as ‘where are my car keys?’ versus ‘what did I eat for lunch last Thursday?’ We must forget, because according to neuroscientists, our brains would overload if we captured every detail of our lives.
Yet, unlike the human mind which has a fixed capacity, computer data stores (i.e. disk, tape etc) are getting larger and cheaper to manufacture thereby allowing companies to keep more transactional details very inexpensively.
In fact, thanks to accelerating technological change, companies can now take advantage of less expensive data storage to keep transactional data for longer periods of time–with the ultimate goal of mining data for insights to improve the customer experience.
However, data retention policies of considerable length run head first into concerns from privacy advocates. For example, according to a Washington Post article, online search companies have policies in which they actively keep query data from 3-18 months, and in some instances longer. Their rationale? Online search companies say query data is used to improve their algorithms, optimize search results, and provide advertisers better targeting.
Privacy advocates, however, argue that search queries often contain personal details, and taken collectively can reveal a complete picture of the person using the search engine. Ultimately they say, too much power in the hands of a few key search engines is a privacy nightmare.
To effectively meet customer needs in a very complex and fluid economic environment, companies must be able to collect and analyze data to understand customer behavior, drive better communications and respond to changing customer needs. That said, the benefits of data collection and analysis must coincide with responsible behavior.
Questions:
- Should online companies be required to “forget” what they know about their customers and transactions? If so, what is the cut-off point?
- Should corporations advertise that they quickly “forget”–much as Ask.com has?
- Are consumer privacy concerns regarding data collection policies more bark than bite?
Tags: corporate memory, data anonymization, data retention policies, human memory, neuroscientists, personally identifiable information, Privacy, search queries
I often wonder what people are worried about companies doing with the sorts of information they collect, that current laws don’t already discourage.
The biggest and most credible threat, I think, isn’t that companies have “too much power,” but that the information they collect will be stolen, since it must remain accessible by the system, which means there is a possibility that someone will figure out a way to breach it and use it for nefarious purposes.
With this in mind, I wonder why “privacy advocates” are up in arms about corporate bogeymen — as long as the information they have was willingly given. Who cares if they extrapolate inferences from that?
While I agree with privacy advocates (for the above reasons) that we must take precautions when considering if, what, and how we collect information from our customers, if we cannot address the real reason for our worries, it will be difficult if not impossible to address the proper causes of our insecurity.
Most of the objections I hear have to do with “privacy advocates” objecting to Internet users being shown a relevant ad. That’s an incredibly weak objection, IMO — one that, if they have it their way, will seriously hamstring an industry bubbling with opportunities for increasing peoples’ productivity and efficiency.
Cam, appreciate that you’ve taken time from your holiday break to respond.
While storing and analyzing behavioral data helps online companies improve user experiences and supports selling advertising, it all really comes down to “trust” doesn’t it? Online companies –esp search–have the power to assemble a complete profile on a user especially when their data is supplemented with third party information.
Do you trust the online sites you use to do the “right thing” with the data they collect? Do you trust them to “do no evil”? That’s a question that every internet user must answer.
To your other point, what if you trust an organization, but there is a security/data breach and your information is stolen by an organization with a nefarious purpose? What would be the ramifications? These are issues that are often not thought about when we browse online, but perhaps deserve careful contemplation.
Paul -
It’s the second part that bothers me more than the first.
Perhaps this is my ignorance talking, but assuming basic measures of confidentiality (i.e., they do not publish or sell what they learn, except arguably as part of aggregate data), what do I have to fear from the profile any company builds on me from information I willingly gave them?
If I trust them with my name, address and credit card information, I’ve already given somebody the capability to steal from me. I would only give it to them if I trusted them enough to safeguard what I’ve given them. That applies to both their moral predilections as well as their technical proficiency for building effective security measures.
If I don’t trust any one of them, I wouldn’t knowingly supply them any information from which they could build an accurate and personally identifiable profile.
So the questions (to me) are twofold:
1. What kind of accurate and personally identifiable profile could they build on me WITHOUT my knowledge or consent?
2. What capacity would that give them to do me actual harm, assuming they were so inclined?
Cam, appreciate your comments! One of the bigger challenges for privacy advocates is data that an internet user does not willingly offer or data that he/she does not know they are “leaking”. For example, when a search engine or other online company can piece together a users behavior from web sites visited, search engine terms used, emails, videos watched, news sites, blogs posted etc, it becomes pretty easy to assemble a complete picture on an individual.
Concerning? You’ll have to decide for yourself!
http://www.eff.org/wp/six-tips-protect-your-search-privacy
Wow Paul, this is a tricky field.
1. Should online companies be required to “forget” what they know about their customers and transactions? If so, what is the cut-off point?
Yes, even tough it can help companies, as well as their customers to live better, they should erase linkage to the personal data. When depends greatly on cases, so several rules should be applied I assume.
2. Should corporations advertise that they quickly “forget”?much as Ask.com has?
For a period yes, but it should become a common practice. I hate ask.com otherwise.
3. Are consumer privacy concerns regarding data collection policies more bark than bite?
In general, the concerns are very much barking. But it can affect specific people and processes, so the bites can be too heavy. Even tough I’m very open and would like to see the world where we would share everything without fear, there are some pretty ugly and bad people around. And they wouldn’t mind destroying your life with few data they get. So just because of these bites, we should be extremly careful. And these people have a way of reaching to ask.com database. It is just a question of time when they will reach something important.
In general, I’m for more strict rules. Marketers were competing in the past as well with other data.
Dusan, coming from the European continent, I knew you’d have a much different perspective on data privacy. In fact, the EU data privacy directive, for instance, offers “protection of individuals with regard to the processing of personal data and on the free movement of such data” across borders. So marketers in the EU must work within the confines of set privacy regulations with the accompanying data anonymization guidelines.
In the United States, no such broad based policy exists. Marketers have a patchwork of various regulations such as Graham-Leach-Bliley Act, Health Insurance Portability and Accountability Act, California’s SB 1386 and other duplicative statewide mandates for data collection, privacy and security.
Data collection and security practices should matter very much to marketers – not only to ensure compliance (both govt and industry), but also with the realization that mistakes can tarnish the very brands we work so hard to build.
Indeed, EU is very strict on that and it bothered me a long time, until I’ve found out that bad people do exist (I’m quite positive towards people otherwise). Sometimes tough things get quite funny with this. We have “officers” that make strange decisions sometimes.
And yes, as you’ve written, not only for customer protection, but for brand protection as well this is important. Great discussion.