Customer-Trust-Chris-Calabrese-InterviewChris Calabrese is Vice President, Policy at the Center for Democracy & Technology (CDT). Prior to CDT, Chris was with the American Civil Liberties Union (ACLU), where he led the Washington Legal Office’s efforts in fighting for privacy and the responsible use of technology.

UnboundID: What kind of advice would CDT offer to consumer brands today, regarding protecting the privacy of their customers and adopting respectful marketing tactics?

Calabrese: This is a new age. Everyone is digital, everyone has privacy issues, and every company has data issues. Brands have a ton of personal data, so they must think about security and privacy issues and customer trust. It’s important to build policy issues around privacy.

UnboundID: And it’s no longer enough to simply state your company’s privacy policy on the website and in other customer communications?

Calabrese: It’s still valuable to communicate privacy policies on your website, particularly for regulators. Beyond that, brands and companies need to consider data in terms of trust and how they can handle data in ways that are not off-putting to customers. A good rule of thumb is, don’t make inferences on data on topics you wouldn’t ask customers. I’ve seen data collection practices that infer information about race, sexual orientation and other highly sensitive topics. Customers and regulators are looking back on corporate data use practices today. A CDT staff member wrote about this topic recently, regarding advertisements for egg freezing procedures targeted to women. At a cocktail party, it wouldn’t be appropriate to ask a young woman about her fertility choices. It’s really sensitive information. Companies need to be responsible and carefully consider the messages they are sending through advertising.

UnboundID: Is more regulation or legislation needed?

Calabrese: I’m not sure that passage of consumer privacy legislation in the U.S. is imminent anytime soon. We already have privacy regulation in the EU, however, and its likely there will be a new directive soon that will control how data on EU citizens is handled. This will obviously affect companies that do business in Europe. We do need laws here in the United States, but not one that is technology-specific. I think something could be crafted based on broader principles with light touch regulation and the involvement of multi-stakeholder processes to work out what’s actually being regulated. This could serve as a baseline for consumers to help them have trust in how their data is being handled and a recourse if their data is being misused. It’s really hard today for consumers to even understand what companies are storing about them.

UnboundID: Talk about the privacy impacts of Internet of things and what companies should consider before launching IoT applications which collect customer data from machines or devices.

Calabrese: The Internet is penetrating into all facets of our life. Use of connected devices is only going to grow and they have tremendous utility for something like energy savings. If you can track energy usage through devices you have the opportunity to reduce electricity across the home. In terms of privacy, companies need to consider where the device lives, and with IoT that’s often in the house. In America, the home is where people expect the most privacy. If a company is collecting data in homes, they need to have a heightened sensitivity about it. Security is another topic. A refrigerator is a long-term investment for a consumer and the security of the data that’s being transmitted from it has to be good enough to last for the next 10 or 20 years. It will be costly to keep these machines updated on security. It’s a totally different mindset for manufacturers. The issue is only going to increase as more devices are connected. There was a recent FTC case involving a company that left an Internet-connected baby monitor unsecured. You can’t imagine anything more sensitive than having a stranger watching your child. These oversights can cause tremendous harm to companies. 

UnboundID: Online advertising is another area of potential conflict with consumers. Marketers want to use analytics and personalized targeting to reach customers with relevant offers at their “moment of need” but sometimes this goes awry. How can a company strike the right balance?

Calabrese: Companies are hungry to improve targeting, but the backlash if you do something creepy can be surprising and very strong. We might suggest a bit more humility by companies. It’s about saying to customers that we don’t claim to be experts in targeting, and this ad will only be 6% more likely to reach you than anyone else. I’m not sure how a company can deliver that message, but it’s important to help customers understand that the company is not judging them. Then follow through, and don’t attempt to collect every granular data point from consumers. Focus on a few key predicted traits and be upfront with people on how the company is collecting their data and for what reasons. Marketing doesn’t really know what will work with targeting; it’s a lot of guesswork. Thinking back to the issue with a major retailer and how the company was sending targeted baby promotions to the home of a pregnant teenage girl, the company has decided to be less explicit with its promotions. They now weave in general offers along with targeted offers. Norms are still evolving but a good practice might be to make a stand that no person should get more than a certain percentage of targeted ads. It just feels too personal.

Register for our upcoming Live Webinar: “Successful Customer Experiences are Identity-Centric”