25 Aug 2003  Research & Ideas

Should You Sell Your Digital Privacy?

Regulation won’t stop privacy invasion, says HBS professor John Deighton. What will? What if companies paid us to use our identity? A market approach to privacy problems.

 

It's a startling idea: Instead of relying on regulators to protect our privacy against telemarketers, data miners, and consumer companies, we should capitalize on the value of our personal information and get something of value in return.

That is the idea put forward by HBS professor John Deighton in a recent working paper, Market Solutions to Privacy Problems? And what would consumers get in return for their personal information? Money perhaps, or price discounts, better customer service, maybe products tailored specifically to their needs.

His point: The information that is gathered about you by stores, researchers, and credit agencies belongs to those companies, not to you. They in turn resell that information to others. So if our personal information is such an asset, shouldn't we benefit from our asset as well? Why shouldn't intelligent consumers sell their identities to stores they trust? And wouldn't those trusted stores in return be motivated to use that information wisely?

"The challenge is to give people a claim on their identities while protecting them from mistreatment," says Deighton. "The solution is to create institutions that allow consumers to build and claim the value of their marketplace identities, and that give producers the incentive to respect them."

We asked Deighton to elaborate on his ideas.

Working Knowledge: You argue that market forces can do a better job than regulators in protecting privacy. In general, what is wrong with a regulatory approach? Isn't the telemarketing hotline working?

Deighton: Regulation solution routinely disappoints. Rules lag behind the cunning of those who want to exploit the limitations of the rules, particularly in the nimble digital world.

The Do Not Call list is the rich desserts of a thoroughly nasty industry. The saddest thing about it is that it will not put an end to uninvited outbound telemarketing. You'll still get calls from firms you deal with, including those you have no choice but to deal with such as local phone companies. Politicians will still be free to call. It took twenty years for politicians to act on their constituencies' widespread indignation. Don't count on regulation to solve anything in time or on budget.

This is what makes a market-based way to deliver consumer privacy attractive. Markets have an advantage in that they set cunning against cunning and self-adjust to technological innovation. But the idea of offering the opportunity to buy privacy is hard to swallow—if privacy is something to which we are entitled, should our share of it depend on ability to pay?

Inevitably it does. Whenever we claim privacy, we incur a cost in the form of a loss of valued identity. Our identity is an asset to the extent that others value access to us and use it in ways that benefit us.

The idea of offering the opportunity to buy privacy is hard to swallow.

The challenge is to give people a claim on their identities while protecting them from mistreatment. The solution is to create institutions that allow consumers to build and claim the value of their marketplace identities, and that give producers the incentive to respect them. Privacy and identity then become opposing economic goods, and consumers can choose how much of each they would like to consume. There is some evidence to suggest that markets evolve toward this solution of their own accord, but regulation can accelerate the evolution.

Q: Why is the distinction between privacy as a right and identity as an asset an important one to consider?

A: A right, as I use it, is just a claim that takes precedence over merely contractual or customary claims. It draws its authority from established constitutional, religious, or humanistic principles. In this sense a right cannot be bought or sold.

By contrast, an asset is a possession or quality with value in exchange as well as in use. It is property with a market price and opportunity cost. Rights are matters for regulation, assets are matters safely and usually better left to markets.

Framed in these terms, here is the problem with regulation. It solves the problem of intrusion on consumers caused by the inefficiencies of marketing methods, but at the cost of completely denying the customers the value of their identity.

Q: What are top issues companies need to consider when creating privacy relationships with customers?

A: It's not about privacy. If a company is concerned that its actions might be construed as privacy invasions, it is already so far on the wrong side of the issue that it might as well add the word "spammer" to its corporate mission statement. It's about offering its customers and prospects an identity that they find useful and are proud to wear.

Q: What is the advantage to consumers to think of their identity/privacy in terms of being an asset?

A: I want Amazon to know my identity, in particular my taste in books and music. I know that they respect the value of that knowledge so that the issue of sharing the data won't ever come up.

I want American Airlines to know my flying habits and preferences because I want them to keep giving me the best service they can deliver in exchange for my commitment to fly them whenever I can.

Consumers can achieve anonymity today by declining to join supermarket frequent shopper programs, but by so doing the average household pays $200 a year more for products. The points awarded by airline frequent flyer and hotel frequent guest programs, if redeemed, amount to discounts of 1 percent to 5 percent over the prices paid by non-subscribers. They also lose out on a variety of non-monetary benefits like recognition and preferential service that may matter more than money.

Q: Using the supermarket frequent shopper program as an example, what forces are at work to protect against a consumer being the victim of unwanted intrusion?

A: The grocer, by linking the program to its reputation, finds itself responsible for mistreatment of its customer. It therefore has an incentive to police the actions of the parties to which it sells the data, and to conduct its own interactions with a degree of civility, because its interests are aligned with the interests of the customer.

Q: What is the overall advantage to an economy where anonymous mass markets give way to markets in identified customers?

A: The value of the identity accrues to more than just the shopper. In a supermarket frequent shopper program, there is value in the identity to the grocery store and to manufacturers to whom the store can sell access to selected customers. The program becomes the medium through which a manufacturer can communicate directly to its customers, or, more importantly, to the customers who use competing products. By making a market in this information, the grocer multiplies its value to several times the price it pays in discounts to shoppers.

It's about offering its customers and prospects an identity that they find useful and are proud to wear.

Under a market regime, this value is available to manufacturers, improving the efficiency of its marketing methods, and shoppers capture some of the value. In a market of competing frequent shopper programs, competing grocers bid for the right to gather a shopper's data by offering discounts on merchandise to program members and in some cases by offering members non-price benefits such as superior service.

Anonymous mass markets are giving way to markets in identified customers because many of the information technologies of the last several decades such as databases, call centers, and the Internet have had the effect of facilitating interaction between firms and individually identified customers. Such interactivity makes market-matching much more accountable and hence more efficient than it was under a broadcast marketing regime.

A program of general regulation that lets consumers build and manage identity assets and share in their value holds out the promise of jointly delivering more efficient marketplaces and more civil commercial discourse.

Deighton: Business Needs to Rethink Customer Privacy

by John Deighton

Corporations understand that consumers are indignant over privacy intrusions. Most reputable corporations take steps to be respectful, with privacy policies, opt-out or opt-in consent agreements, and so on. But treat customers' data as the customers' private property? That's going a little far. After all, as long as it abides by the laws of the land when a credit bureau collects a person's credit history, the data belong to the collector, right? When a supermarket monitors its shoppers' purchases and assembles it into a database it is building an asset of the corporation, right? Laws, culture, and convention treat personal information as something that belongs to the institution that gathers it. People don't own data about themselves—they have at best an interest in its use.

When corporations become addicted to practices that abide by current law and convention but cannot be relied on to pass that test over the long term, they risk being blindsided. When they get too far out of line with evolving notions of good practice the result can be litigation and legislation that takes the fun and profit out of entire industries. Witness what happened to corporations that made asbestos or nicotine core to their mission. It may be about to happen to fatty food vendors. And as we move from the industrial age to the information age, it may happen to the feed stock of modern marketing, personal data.

Right now several hundred organizations make a business in assembling and selling personal information, and a much greater number of corporations use the data. (More on this in section of my paper titled "The Market in Identity.") Whole industries, from healthcare to financial services to telecommunications, are incapable of operating without flows of personal data. This whole structure rests precariously on a tangle of regulatory fads.

Today regulation is the way we manage conflicts of interest in the collection and use of these data. Fair Information Practices guidelines designed with the technology standards of 1973 in mind, and a patchwork of federal, state and local laws, regulate all kinds of data from health to financial solvency to video rental. But regulation routinely disappoints, with the result that it gives way to new regulation.

The information age needs to rest on something more robust than regulation. If business is in this for the long haul, it needs to explain to government that the secure foundation for the new go-to-market regime is institutional, not rule-based. What kind of institution? One that pays consumers for their data in money or in positive experiences by creating for them a valued identity.

About the authors

Sean Silverthorne is editor of HBS Working Knowledge.

Manda Salls is a content developer and Web editor for Baker Library.