Not All Privacy Issues Involve PII

There’s been a lot in the news over the past few years about customer profiling. The term is used somewhat differently by different groups and the definition often debated. However, the mainstream news media generally uses the term to talk about how companies gather many different types of information related to consumers, and then use that information to make determinations about groups of people in various demographics, and even be able to narrow down certain activities to specific individuals when enough data, and it does not need to be personally identifiable information (PII), is collected.

Last Friday I watched an interesting interview on 20/20, “Where Do You Click and What Does it Mean?” where Elizabeth Vargas interviewed Bill Tancer, author of the book “Click.”
Tancer spent years analyzing how 10 million Americans use the Internet, and he talks about how he can tell a lot about people by what they are clicking on. This is a form of data mining, as generally defined. And growing numbers of businesses, such as Google and Microsoft, and many, many others, are doing similar activities, and more plan to.
Is your organization doing some form of data mining? If so it is important to keep in mind that, even if you do not have PII, as typically narrowly defined within one of the many data protection laws, involved, there are still privacy implications.
This was the topic of the third article in my August issue of IT Compliance in Realtime Journal, “Not All Privacy Issues Involve PII.”
Here’s the first half of that article (download the PDF to get a much nicer version):

More organizations are thinking about privacy than ever before; which is good! Significantly fewer do anything substantial to address those privacy issues, but awareness is slowly, but surely, increasing. When I speak with most organizations about privacy, often the first question that is asked is, “What information is considered personally identifiable information, and well, must it really be protected?” This is certainly an important question. Organizations cannot effectively protect personally identifiable information (PII) without first defining what it is for their organization! I’ve identified at least 50 unique types of information items that are considered PII within 90 data protection and privacy laws throughout the world, and it is likely there are even more.
In addition, organizations must think about how they use “de-identified” information–PII that falls into one or many of those 50 categorizations–that has been removed from records within their business. Even when there is no name, Social Security number, or other PII involved, data might contain descriptions of situations and scenarios that could very easily lead to revealing information about a person that the person would consider as an invasion of privacy.
For example, what if you did data profiling to determine how many people purchased a book online in the past month who were from a specific area code, male, and between the ages of 25 to 39. In many parts of the U.S., just knowing this information could lead you to a specific person. Just because his PII was not involved, there was still information about his actions that were revealed.
There are many ways information that does not involve PII can be susceptible to privacy infringement, breaches, or otherwise misused. Consider customer and consumer profiling as one of the activities that can lead to loss of privacy and possibly have other negative impacts.
Customer and Consumer Profiling
From the original data that organizations collect, information can be culled that reveals all sorts of interesting data, particularly to marketers, sales folks, and yes, even law enforcement and government agencies. For example, by looking at the history of grocery purchases, organizations can not only see what customers purchase but also put the customers into categories based on heuristics rules and artificial intelligences methods. The results can be used to attempt to predict customers’ future behaviors. This type of predictive intelligence comes from profiling.
Profiling is accomplished by using a set of rules the organization uses to make a type of educated guess about their targeted consumers, usually based upon assumptions and guesses. For example, marketers within an organization may base many of their decisions upon the following assumptions:

  • People with ethnic names make 30% less income than other people living in a specified zip code.
  • Residents of high-income zip codes are more likely to purchase expensive jewelry, luxury items, and vacation homes.
  • Women who purchase ice-cream and/or chocolate more than once in a week are likely to be depressed and more likely to make impulse purchases.

Businesses then often change their entire practices and sales techniques based upon the results of their profiling. I saw a perfect example of this a few years ago that really had an impact on me. In 2005, the Washington Post ran a story, “In Retail, Profiling for Profit,” about how some businesses train their staff to help customers based upon how they look, and, according to profiling, how much they are likely to spend.
The example provided was for Best Buy, which created a label for one type of shopper that they called a “Jill:”
Code name for a soccer-mom type who is the main shopper for the family but usually avoids electronics stores. She is well-educated and usually very confident, but she is intimidated by the products at Best Buy and the store clerks who spout words like gigabytes and mega-pixels.
Best Buy dedicated 210 employees that first year to the “Jill segment team,” providing pastel clothing for them to wear instead of the royal blue of the other sales folks. At that time, Best Buy indicated that their “Jills” had increased spending by 30%, along with their revenues by a whopping $25 to $30 million! Certainly such results tempt organizations to start using profiling to improve business.
So what is wrong with this? Well, what if you make a mistake and give labels to people that are not correct? Incorrectly categorizing people can have significant impacts on their lives, such as being labeled as credit risks or as likely undependable employees.


Tags: , , , , , , , , ,

Leave a Reply