MBA 8111-Business, Government, and Society
Implied Consent
Case Study
4/17/2020 – page 1
Case Written by MBA student
April 17, 2020
MBA 8111-Business, Government, and Society
Implied Consent
Abstract
Case Study
4/17/2020 – page 2
From before we are born to after we die, we are all creating a trail of data points that trace our lives. Some data points are initiated by us and we are not surprised that they’re tracked (i.e. drivers license, school transcript, credit history, etc.). Other data points are byproducts of everyday activities and we are sometimes surprised at the level of detail that they contain
(locations and items purchased, people we spoke with and how long the conversation lasted including the general area we made the call from, what internet sites we’ve visited in the past year, etc.). These coincidental data points are usually collected by implied consent based on use of a service. There is normally no explicit or express consent given for the company to track your personal information; or if there is consent requested, it is usually buried in a long legal section that you need to approve for use of the service or product. The question is who “owns” all the coincidental data points of your life – you or the company that collected them?
In the past few years there have been several high profile cases of companies using personal information without the person’s express consent including Toysmart, Egghead, and America
Online. This paper will explore the ethical dilemmas that companies face in collecting personal information to create a more personal and customized products and services for consumers.
MBA 8111-Business, Government, and Society
Implied Consent
“Where everyone knows your name…”
Case Study
4/17/2020 – page 3
Put yourself back in a small town in the early 1900’s. You went to the corner store and the proprietor not only knew you by name, but also knew your family and a good deal about what was going on in your life. They knew if you were struggling and might need a little credit to get by. They also knew if you were “good for it” and they could trust you to pay it back. They knew the medications you were taking and that you preferred solid colored fabrics as opposed to stripes. On the flip side, you trusted the shopkeeper to make good suggestions and stand behind his product. The shopkeeper probably gave you a discount on something he had extra inventory of because you were a “good customer” and he could count on your coming back.
Fast-forward 100 years. You really don’t know anybody you interact with on a daily basis, although in some cases you may know their name. You use a loyalty card to receive discounts on your groceries. You have joined numerous frequent-flyer/frequent-buyer programs to receive discounts and promotions. You surf the internet checking on the best deals on the best products.
All the while you are oblivious to the data being collected on your actions. According to
(Chellappa 2005) virtually all forms of electronic access leaves some sort of data trail and consumers are only aware of a portion of the tracking.
Many companies are moving from mass marketing to “One-To-One” marketing and mass customization in attempts to recapture the old days of a small town retail environment where
“everyone knows your name.” (Pitta 2003) In the past, shopkeepers remembered details about your likes and dislikes in their head. Consumers have come to expect that after a number of repeat orders, a face-to-face retailer should be expected to know the preferences of the customer.
MBA 8111-Business, Government, and Society
Implied Consent
Case Study
4/17/2020 – page 4
Marketers have always collected information on their customers – technology has just increased the speed and efficiency at which they do it; it also allows the capture of much more passive information that the customer doesn’t know they are providing. (Rose 2000) Marketing is moving from a mass-market emphasis on selling large numbers of standardized products towards individualized, one-to-one selling of personalized products. To provide individualized products and service, companies are looking at forming relationships with consumers instead of focusing on transactions. And more and more those transactions are based on the Internet. The Internet is the first bi-directional business tool since the telephone to gain entrance into the home. (Franzak
2001)
Consumers today are confronted with too many options – marketers see the variations of products as a way to differentiate and supply exactly what the consumer is looking for; however, for busy consumers the number of choices can actually be a stumbling block to purchase. (Risch
2005) When consumers are overwhelmed with choices, they are more likely to look to what others are choosing to help them make a decision. Similar to eating out with a group of people where the people ordering later simply say “boy that sounds good…I’ll have what he’s having.”
In today’s busy and disconnected society consumers are not aware of each other and companies can use implicit consumer actions to create a virtual shared community of like-minded buyers to exploit community knowledge. In essence, creating the “look what she ordered” on a global scale. According to Culnan (2003) in a vibrant economy, consumers need to have choices, but those choices can be more customer-relevant if “reasonable” corporate access to personal information is allowed in order to help the consumer with their information overload.
MBA 8111-Business, Government, and Society
Implied Consent
Advantages
Case Study
4/17/2020 – page 5
Fragmented consumer markets, shrinking mass media audiences, and demands for greater economic efficiency have spurred use of personal information in highly targeted “one-to-one” marketing strategies. (Phelps 2000)
Chellappa (2005) defines personalization as “the ability to proactively tailor products and product purchasing experiences to tastes of individual consumers based on their personal preferences.”
Profile information can provide more personalized services based on past activites: vendor can offer books on football even though consumer has never searched for books on football because consumer had surfed websites related to football and bought football tickets online. The reason that transaction data is better than consumer surveys and questionnaires is because surveys only report consumer’s stated purchase intentions; while transaction data allows companies to see actual behavior—sometimes very different things. (Graeff 2002)
The advantages of tracking personal information are that suppliers acquire info needed to tailor product offerings and provide superior customer service over the long run; and customers receive products more tailored to meet their needs, personalized attention, and stability in purchasing contacts. (Franzak 2001)
MBA 8111-Business, Government, and Society Case Study
Implied Consent 4/17/2020 – page 6
Consumers and marketers both benefit from “Collaborative Filtering” (Risch 2005) that matches consumers with similar tastes – electronically supporting the principle of the “word of mouth.”
Sales and promotions can also be tailored to specific customers based on their past actions.
Challenges
‘Every art and every inquiry, and similarly every action and pursuit, is thought to aim at some good; and for this reason the good has rightly been declared to be that at which all things aim.
But a certain difference is found among ends. . . ’
Aristotle, Ethica Nicomachea
Most companies store more data than they actually use – because technology has made it possible (the “more is better” philosophy). Search engines on internet keep records of your searches for weeks, months, or years—often these searches are tied to your computer’s internet address so they can identify it was you even if you never gave them your name. (Jesdanun 2006)
Stereo-typing may occur based on the data (related to the example above, gust because someone buys a football, it doesn’t mean they play football – it could have been a gift…)
Rose (2000), also demonstrated that sensitive personal information (medical history, etc.) may be divulged through passive recording of web activity. Companies have tried responding by hiding attributes (eliminate name, address, etc.), however Boyens (2002) showed that with just a birth date and zip code a particular consumer could be identified with a high level of accuracy.
Cell phones are another sources of information. The average cell phone gets replaced every 1.5 years with a growing secondhand market on eBay. Even erasing contacts, pictures, and web
MBA 8111-Business, Government, and Society Case Study
Implied Consent 4/17/2020 – page 7 searches isn’t protection because deleted files can be recovered. According to Shin (2006) Trust
Digital, a mobile security firm, bought 10 used smart phones off eBay and recovered 27,000 pages of personal banking and tax records, corporate sales data, client records, product roadmaps, calendar entries, personal and business correspondence, passwords, and prescription information besides the normal contact lists and phone logs. Law enforcement has already begun using discarded cell phones to nab criminals. Many cell phones are GPS capable so they have the ability to track their physical whereabouts at all times (limited to emergency use at this time); they are also being tested being able to buy things. Even advanced “zero-out resets” or “factory resets” that overwrite everything may not provide total security as electronic storage has been shown to have a “memory” and some advanced techniques have demonstrated that overwritten data can still be recovered in some cases.
Company Uses and Abuses
Medical history requirements were one of the first steps in sharing more personal information than was normally deemed necessary between organizations – it was required and in the consumer’s interest to provide full disclosure between medical facilities. But then the information moved beyond your personal doctor and was shared by health insurance bureaucracies. That information was quickly co-opted to help health insurance companies enhance both their offerings to customers and their bottom-line profitability through targeted rate increases. (Pitta 2003)
Toysmart declared bankruptcy in June, 2000 and the company’s creditors pushed to have it’s database of 250,000 customers sold as an asset even though Toysmart had a posted privacy
MBA 8111-Business, Government, and Society
Implied Consent
Case Study
4/17/2020 – page 8 policy that promised that consumer information would be kept confidential. (Kelly 2004) In
September 1999, Toysmart had posted a privacy policy which stated that the personal information collected would never be shared with third parties:
“Our promise: at Toysmart.com we take great pride in our relationships with our customers and pledge to maintain your privacy while visiting our site. Personal information voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party. All information obtained by Toysmart.com is used only to personalize your experience online.”
The Toysmart database was ultimately destroyed because of the public outcry.
Egghead.com tried selling its database to Frye Electronics, but the deal fell through when Frye required 90% of egghead customers to opt-in to sharing their data with Frye. Amazon.com purchased egghead and requested customers to re-enter their data on the Amazon.com site subject to their privacy policies. (Kelly 2004)
Facebook recently backed off a new service to allow users to automatically get updates to their friends pages—consumers were outraged at the apparent invasion of privacy because it started without warning and without specific opt-in choices; even though no additional data was shared than was already available—it was the sensational way it was presented that led consumers to feel their privacy was violated; Facebook apologized and has discontinued the service due to consumer threats of boycott. (Jesdanun 2006)
MBA 8111-Business, Government, and Society
Implied Consent
Case Study
4/17/2020 – page 9
According to Franzak (2001), Amazon.com setup a system for non-profits to collect donations using its payment system. While this provides a service to non-profits that may not be able to afford their own processing, Amazon will now be able to track non-profit groups that customers are interested in and the amounts donated. In a related action, Amazon recently reversed a policy that promised that customer’s book buying habits would remain private.
Jesdanun (2006) reported that Time Warner Inc.’s AOL released search terms from 650,000 subscribers without their permission—AOL thought the search terms were anonymous, but researchers were able to use search topics and other recorded web activities to narrow down and then pin-point the exact consumers without any other info in almost all the cases released
Double-click, an internet advertising company, had tracked surfing activity using anonymous cookies on users computers, it’s privacy policy stated that all users would remain anonymous; but in 1999 DoubleClick acquired Abacus Direct (database marketer) and started work on merging the anonymous surfing data to specific consumers in the database; the plans become public and DoubleClick retreated after the public outcry caused a $30 drop in their stock price.
(Culnan 2003)
Some companies are responding to consumer’s heightened concerns about personal information privacy. E-Loan allows customers worried about safeguards when data gets outsourced to India can choose to have their data handled domestically, though loans in such cases would take two additional days to process – 80% of customers agree to off-shore processing; but the company feels that the choice has pre-empted any consumer backlash. (Jesdanun 2006) Comcast Corp.
MBA 8111-Business, Government, and Society Case Study
Implied Consent 4/17/2020 – page 10 allows customers to determine how long the company’s servers will store the customer’s email.
This is in contrast to the new Gmail service from Google where all email is held indefinitely.
Consumer Impressions
Chellappa (2005), defines privacy as “an individual’s ability to control the terms by which their personal information is acquired and used.” Consumers, in general, believe they are asked to provide excessive amounts of personal information and that they have little control over what happens to the information collected. (Schoenbachler 2002) The result is a sensitization of ordinary consumers to incursions into their privacy. For some consumers, the concept of privacy has become a shield. The implication for marketers is that it is a growing obstacle to forming relationships with consumers. (Pitta 2003) Privacy becomes the excuse if a consumer has too many requests for information. When asked, some now refuse any communication. According to
Ackerman (1999), only 1% of consumers would give share their SSN, but 69% would share their age, and 76% would share their email address.
According to Franzak (2001), while there are a number of vigilant consumers raising flags, the majority of consumers tend to lose interest and pay less attention to losing their right to privacy.
Customers demand more convenience, access to personal offers, and recognition of their importance to the company. Many people would be upset if they were denied the marketing and credit opportunities made available today through the use of their personal information. (Phelps
2000) And while a Business Week/Harris Poll of consumers in 2000 showed that 57% would like government to regulate how personal information is collected and used and 92% are concerned about private data collection and sharing without their knowledge (Kelly 2004); the
MBA 8111-Business, Government, and Society Case Study
Implied Consent 4/17/2020 – page 11 high level of consumer privacy concerns have had little impact on consumer’s shopping behaviors. Most consumers are will to give up some of their privacy to participate in a consumer society
People will normally work through a value equation to determine if they are willing to share their personal information – “if the quantified value of personalized services outweigh or at least compensate for the loss of information privacy.” (Chellappa 2005) In a survey of consumers in
2002 (Graeff 2002), most people didn’t see discount or loyalty cards as an invasion of their privacy because they are receiving a benefit (discount) compensating them for sharing their personal shopping habits. And 62% of consumers do understand that web sites need information about their visitors to market their sites to advertisers and 72% of consumers would provide demographic information if the site simply had a statement regarding how the info collected would be used. (Hoffman 2000)
Government
Internet marketers view personal data as both a “private good” and a “public good” while consumers only see personal data as a “private good.” (Rose 2000) Marketers view personal data as a public good while they are collecting it as it is in the public domain. Once they have processed the data into usable form, marketers consider it a private good. Consumers fail to see the distinction and consider all personal information about themselves as a private good.
Under US law, individuals do not have property rights in information about them – although they may have certain rights to be free from invasions of their privacy. (Kelly 2004) Instead, the law
MBA 8111-Business, Government, and Society
Implied Consent
Case Study
4/17/2020 – page 12 generally recognizes customer lists and customer databases as the property of the business owning it. Moreover, companies have historically been free to sell these assets.
While there are no specific regulations, the Federal Trade Commission (FTC) has setup Fair
Information Practices in relation to capturing consumer data consisting of five principal guidelines (Chellappa 2005):
1.
Notice – disclosure notices should inform online consumers about how their information will be collected
2.
Choice – online consumers should have a choice about how their information will be used and to which parties it will be disclosed
3.
Access – online consumers should have the opportunity to exercise control over their information
4.
Integrity – adequate mechanisms should be employed to protect online consumer information from unauthorized use
5.
Enforcement – effective authority to enforce and impose sanctions for potential violations should exist within the industry
However Government is sometimes the biggest offender of sharing personal information without permission of individuals involved (Graeff 2002). Examples include:
Release of medical records to research organizations without patient permission.
Reference to individual medical histories by politicians without clearance from the patient.
Access to e-mail and telephone records without a stated reason or any legal process.
Trawling of tax records by agencies not involved in tax collection (e.g. police and commerce departments).
Gathering sensitive and controversial data on race and sexual preferences.
Identification of voting.
Collection and use of financial information beyond statements of income or expenditure (e.g. banking and investment specifics).
Storage of DNA samples without the individuals’ permission.
According to Pocono (2006), since 2002, the U.S. Department of Justice has pieced together unrelated bits of personal data to target Americans as potential threats who merit more
MBA 8111-Business, Government, and Society
Implied Consent
Case Study
4/17/2020 – page 13 aggressive surveillance. And in 2005, the departments of Justice, Homeland Security, and Social
Security Administration spent $30 million on data-broker contracts to collect information on individuals. It is impossible to find out the entire extent of the information the government has collected on individuals.
MBA 8111-Business, Government, and Society
Implied Consent
Questions
Case Study
4/17/2020 – page 14
1.
Who really owns personal information – the person or the organization who collects it?
2.
What are the long-term effects on our democratic society of an economy fueled by consumer data?
3.
Who should protect the rights of the various parties involved in the exchange of personal information?
4.
Do consumers have any property rights to personal information that has been voluntarily given to one organization and then resold to another?
5.
Do companies have the right to collect personal information on consumer identity and browsing habits without consumer consent?
6.
Who owns the value-added processing that companies may do to personal data collected during transactions?
7.
Does the ownership of personal data ever transfer from the individual to the organization collecting the data? How does that apply to consumer research organizations that conduct consumer surveys?
8.
What kinds of rights should individuals have to customer profile data that has been formed with data they have provided?
9.
How do individual rights change if the data was collected by data brokers from unrelated sources?
10.
Is it ethical to use computer-generated customer profiles to grant or deny access to products and services? Why or why not?
11.
What if the profile is built from information taken out of its original context?
MBA 8111-Business, Government, and Society
Implied Consent
References
Case Study
4/17/2020 – page 15
Ackerman M.S., Cranor L.F., Reagle J. (1999) “Privacy in E-Commerce: Examining User
Scenarios and Privacy Preferences” Proceedings of the first ACM conference on Electronic
Commerce
Boyens Claus, Gunther Oliver, Teltzrow Maximilian (2002), “Privacy Conflicts in CRM
Services for Online Shops”,
Conference in Research and Practice in Information Technology
Chellappa R., Sin R. (2005), “Personalization versus Privacy: An Empirical Examination of the
Online Consumer’s Dilemma”,
Information Technology and Management, Vol. 6 pp. 181-202
Culnan Mary J., Bies Robert J. (2003), “Consumer Privacy: Balancing Economic and Justice
Considerations”,
Journal of Social Issues , Vol. 59, No. 2, pp. 323-342
Franzak Frank, Pitta Dennis, Fritsche Steve (2001), “Online relationships and the consumer’s right to privacy”,
Journal of Consumer Marketing , Vol. 18, No. 7 pp 631-641
Freeman Eric, Gelernter David (1996), “Lifestreams: A Storage Model for Personal Data”,
SIGMOD Record, Vol. 25, No. 1, March, 1996, pp. 80-86
Fule Peter, Roddick John (2004), “Detecting Privacy and Ethical Sensitivity in Data Mining
Results”, Conferences in Research and Practice in Information Technology, Vol 26
Graeff Timothy R., Harmon Susan (2002), “Collecting and using personal data: consumers’ awareness and concerns”,
Journal of Consumer Marketing , Vol. 19, No. 4 2002 pp. 302-318
Hoffman Donna L., Novak Thomas P., Peralta Marcos (2000), “Building Consumer Trust
Online”, Communications of the ACM , Vol. 42, No. 4, April 1999, pp. 80-85
Jesdanun Anick (2006), “Control over online data rests with companies”,
Seattle Post-
Intelligencer, October, 16, 2006
Jutla Dawn, Bodorik Peter, Gao Deyun (2004), “Management of Private Data: Addressing User
Privacy and Economic, Social, and Ethical Concerns”,
LNCS 3178 , pp 100-117
Karjoth Gunter, Schunter Matthias, Waidner Michael (2003), “Platform for Enterprise Privacy
Practices: Privacy-Enabled Management of Customer Data”, PET 2002, LNCS 2482, pp 69-84
Kelly, E, Erickson G. (2004), “Legal and privacy issues surrounding customer databases and emerchant bankruptcies: reflections on Toysmart.com”,
Industrial Management & Data Systems ,
Vol. 104 No. 3 pp. 209-217
Phelps Joseph, Nowak Glen, Ferrell Elizabeth (2000), “Privacy Concerns and Consumer
Willingness to Provide Personal Information”,
Journal of Public Policy & Marketing , Vol. 19,
No.1, pp. 27-41
MBA 8111-Business, Government, and Society
Implied Consent
Case Study
4/17/2020 – page 16
Pitta D., Franzak F., Laric M., (2003), “Privacy and one-to-one marketing: resolving the conflict”,
Journal of Consumer Marketing , Vol. 20 No. 7 pp. 616-628
Pocono (2006), “Commercial data brokers can rob consumers of privacy”, Pocono Life , October
3, 2006
Risch Daniel, Schubert Petra (2005), “Customer Profiles, Personalization and Privacy”, Institute for Business Economics (IAB), University of Applied Sciences Basel, Switzerland
Rose E. (2000) “Balancing Internet Marketing Needs with Consumer Concerns: A Property
Rights Framework”, Computers and Society , June, pp 20-24
Schoenbachler Denise, Gordon Geoffrey (2002), “Trust and Customer Willingness to Provide
Information in Database-Driven Relationship Marketing”, Journal of Interactive Marketing , Vol.
16, No. 3 pp 2-16
Schwartz John (2006), “Researchers see privacy pitfalls in no-swipe credit cards”,
The Barre
Montpelier Times Argus, October 26, 2006
Shin Annys (2006), “What Your Cell Says About You”,
Washington Post – The Checkout,
October 24, 2006