Can You Keep a Secret?

The push for online privacy threatens to kill the dream of super-sophisticated, Net-driven marketing. But There are simple ways that companies can have their data and protect it too.

At the height of the internet boom, marketers had big dreams about harnessing the power of consumer information. As they saw it, the Internet had created opportunities for data mining, cross-selling, and targeted marketing that went far beyond what was feasible in traditional commerce. Airlines could find out who was checking fares to the Caribbean. Health-care companies could keep track of who was reading up on diabetes or schizophrenia. At last, it would be fast, easy, and cheap to profile a vast assortment of customers–and to pitch them accordingly.


But then the privacy backlash set in. Consumers began to worry that their health records, their music tastes, and other information about them were being put at the disposal of strangers. Meanwhile, a highly vocal privacy-advocacy community began publicizing outrage-of-the-month incidents–which put pressure on perceived offenders to back away from plans to make full use of customer data., for example, tried to publish lists of the books that sold best among employees of Coca-Cola, IBM, and the like, only to retreat after some customers complained that their reading tastes weren’t anyone else’s business.

As a result, lots of big companies began treating online privacy in a purely defensive way–as an issue to be handled mainly by their legal department. “Just don’t get it wrong” supplanted “Get it right.”

Lately, though, all sorts of organizations that do business on the Internet are taking a fresh look at their privacy strategies. Their objective: to strike the right balance between shielding each user’s privacy and exploiting a rich mountain of consumer data. “Good privacy can be a good business practice,” contends David Kramer, a partner at Wilson Sonsini Goodrich & Rosati, one of Silicon Valley’s top law firms. “If you think about it, it’s really part of good customer service.”

In this new environment, companies aren’t abandoning efforts to extract value from online databases. But they are gathering and exploiting data in a more consumer-sensitive way. Replacing the strip-mining tactics that consumers fear most is an approach that rests on a few basic principles.

Be Up-front

Over the past few years, companies have tended to keep privacy issues in a haze. Too often, privacy policies have been verbose and jargon-filled, and companies have buried them in obscure corners of Web sites or deep inside long-winded emails.

That’s not smart, and in some industries, it’s not even legal. New federal regulations require companies in the health-care and financial-services fields to post clear highly visible privacy policies on the Web, and to remind users repeatedly that they can opt out of future marketing initiatives. But even in industries where anything goes, there’s a strong case to be made for being candid rather than coy. If you want your customers to remain your customers, then you should be reasonably clear about how you plan to use information about them–and what their rights are regarding that information.


Isn’t there a risk that most consumers will make their data off-limits if the opt-out card is easy to play? Not if companies convince consumers that data sharing is worth it. In fact, if opt-out rates start to rise much above 10%, that’s probably a good sign that a company has done a poor job of designing its marketing promotions.

Stay in Control

Don’t let a third party use your data to communicate directly with customers. That’s a steady refrain of Marc Loewenthal, chief privacy officer at Providian Financial, a San Francisco-based credit-card issuer. Sure, there are good reasons why Providian might allow businesses like Avis Rent A Car,, and Marriott Hotels to pitch their goodies to its online customers. But, Loewenthal says, that kind of dialogue should always begin with an email or targeted ad sent by Providian itself, and only those customers who respond to such a message should be put in touch with a third-party marketer.

From a privacy standpoint, Loewenthal argues, that’s a much more attractive option than opening up vast swathes of Providian’s cardholder registry to outsiders. Customers receive only those pitches that Providian thinks might appeal to them–and they don’t run the risk of getting bombarded with spam. What’s more, Providian maximizes the long-term value of its large customer database. “That’s a no-brainer for us,” Loewenthal says. “Customer data is very valuable to us, and we need to guard it very jealously.”

Show Some Restraint

An energetic marketing department can conjure up dozens of online cross-marketing opportunities every month. Did you use the Web to buy a tent? Then surely you’d be a good candidate for lots of targeted email about camping getaways. Given that mass emails to customers are essentially free, it’s tempting to deluge customers with promotional messages.

But smart marketers know that a profusion of pitches can be downright annoying–whether those pitches come in the form of emails or of telemarketing calls at dinnertime. “We try to limit our communications to one per month,” says Sue deLeeuw, head of brand management at NextCard Inc., an online credit-card issuer in San Francisco. “That’s about as much as people want to hear.”

In the past year, otherwise well-respected Internet merchants like and have begun to strain customers’ tolerance by pestering them with too many “special offers” that just aren’t very special. DeLeeuw’s advice: Focus on sending users pitches that are truly valuable and few in number. Beyond that, respect users’ privacy and leave them alone.


Ask for Permission

Marketing mavericks like Fast Company columnist Seth Godin have argued for years that it’s wasteful to beam a message to large masses of online users. Godin has advocated a “permission marketing” approach in which companies contact only users who demonstrate an interest in being courted. (See “Permission Marketing,” April:May 1998.) So far, that’s been a hard concept for most big companies to embrace. But more and more industry leaders contend that customer data should be made available to marketers only if customers say so.

“I’ve become a big believer in opt-in strategies,” says Sandra England, president of PGP Security, a unit of Santa Clara, California-based Network Associates. “You get greater stability over your customer base. Instead of waiting to see who says no, you can create incentives for people to check the ‘yes’ box.”

Of course, the opt-in approach has a downside. Companies that have experimented with it say that 10% to 40% of users choose to share their data–which is well below the 90% to 95% of users whose data typically becomes available through an opt-out approach. But a lower response rate isn’t necessarily bad. If your goal is to sell a sophisticated product, such as a high-end computer server or microchip, then an opt-in strategy may be a good way to target the natural buyers of that item.

Pick a Strategy

When it comes to privacy, consumers don’t all want the same thing. A recent Harris Interactive-Wall Street Journal poll revealed an intriguing split in Internet users’ attitudes toward privacy. Roughly one-quarter (24%) of respondents were “very concerned” about threats to their personal privacy on the Internet . But another quarter (27%) voiced little or no unease. (The rest fell somewhere in the middle.) That schism suggests that industry rivals may thrive by adopting contrasting privacy strategies.

A notable test case comes in the consumer market for Internet service. America Online greets its users with a cornucopia of marketing offers every time they log on to the service. Sure, AOL provides basic privacy safeguards, but if you’re looking for seclusion on the Internet , this is not the service for you. By contrast, smaller ISPs don’t attract nearly as much interest from marketers. So either by necessity or by design, companies like EarthLink are trying to woo users who want more privacy and less chatter.

It may take years to know which strategy works best, but either choice may be better than trying to occupy some ill-defined middle ground. The key is to calibrate your privacy policies to the privacy expectations of customers in your target market. In any case, it’s much too soon to give up on the dream of using the Net to reach those customers.


George Anders (, a Fast Company senior editor, is based in Silicon Valley.