During my childhood, my parents would frequently challenge me with "if-then" decisions, often in an effort to direct my behavior. They'd say, for example, "If you finish your homework early, then you can go out and play." Consumers are constantly faced with similar if-then choices related to disclosing their personal information as they conduct their business, whether online or in physical locations. Many of us have been confronted with this type of choice: "If you want to receive coupons or other special offers, then sign up for our loyalty card program (where we may track all your purchases and may provide that information to others for marketing purposes)." Or: "If you want to access this website, then you must agree to the following terms and conditions." Of course, the consumer can always decline the offer. However, the business doesn't want that to happen, so it generally looks for the right balance that would allow the consumer to feel comfortable while it realizes its goals.

The data privacy issue comes to the forefront with every announcement that some database has been hacked and customer information, including account numbers, has been compromised. Most recently, the state of South Carolina acknowledged that hackers had gained access to information for more than three million bank accounts, almost two million Social Security numbers, and about five thousand credit card numbers. The overall cost of recovering from such a large-scale incident—not only in direct costs including possible fines but also in reputational costs and diminished consumer confidence—can be substantial. Businesses and governmental agencies must continually work to strengthen their data security systems.

The primary privacy issues appear to be focused on overall informational privacy concerns and the lack of consistent and comprehensive state and federal laws. In February 2012, the White House released a privacy bill of rights policy document titled Consumer Data Privacy in a Networked World. This document is intended to serve as a legal baseline for all companies as to how they should treat consumer data and manage customer interactions. Then in March 2012, the Federal Trade Commission (FTC) issued a similar report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. The White House and FTC reports offer similar recommendations, including:

  • Congress should enact baseline privacy protection legislation, and the industry should increase its self-regulation efforts.
  • Consumers should be clearly provided a "Do Not Track" option. This mechanism would allow them to choose whether they wanted to allow websites to collect information about their Internet activity and use it to deliver targeted marketing messages or other behavioral advertising.
  • The company should obtain positive consent from a user before it uses collected data for a purpose other than the one for which it was collected.
  • The website should allow users to view the data that has been collected by data brokers for marketing purposes and provide a mechanism for updating incorrect information.

It will be interesting to watch these activities over the next year to see at what pace the various data collection and privacy constituencies will examine and address these issues. In a future blog, I will examine in more detail the legislative and regulatory efforts that are underway to address these recommendations. The issues of security and privacy will continue to evolve in the banking and business industries and will be frequent topics of discussion in future Portals and Rails posts. We encourage your comments as this discussion continues.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed