The last year has been particularly interesting from a privacy perspective. As issues from geolocation tracking, to the right to be forgotten has been discussed and debated in legislatures across the United States, companies have come up with more and more methods of providing “value” to customers. The “always-on” world in which most of us now live and work provides endless opportunities for consumers to shop, communicate, socialize and even make payments. Often, the notion that these movements in the mobile world leave a trail is either pushed aside in exchange for a “lightning deal” or is forgotten in the face of the convenience offered by our connected society. The U.S. legislature, seeking to protect customers’ rights, has held a series of hearings on the question of geolocation tracking, social media sharing and a variety of other ways that people are vulnerable to having their activities monitored. Many consumer advocates operate under the belief that consumers would be outraged if their information was being tracked, monitor and used. They would simply not trade their online or mobile privacy for targeted solicitations. Or would they?
A recent report released by consulting firm KPMG might suggest otherwise. The study, titled “Consumers and Convergence 5: The Converged Lifestyle,” asked consumers about the ways in which they interact with businesses, particularly online. The responses indicate that consumers are growing increasingly comfortable with the notion of being tracked. According to the findings in the report, 52% of U.S. consumers would willingly trade their personal information and their buying and browsing history for discounts on goods and services. Furthermore, 42% of U.S. respondents would allow companies to send them advertising if they did not have to divulge any personal information. This study is interesting in that it suggests that consumers are willing to sacrifice their privacy and their valuable behavioral information if the organizations seeking it can find some common ground.
This becomes particularly important as the payments industry embarks on a new era of consumer-merchant interaction. The advent of mobile payments and e-wallets provides a wide array of opportunities for merchants to interact with customers and collect specific, behavioral information about those customers. Loyalty programs and targeted marketing activities are becoming increasingly visible, particularly as consumers have an instant connection at their disposal. Via the Smartphone, retailers can now provide messaging to consumers based on their past purchase history. For many consumers, the Smartphone represents a more reliable communication medium than email. Particularly among the millennial generation, users are more likely to respond to text messages and push notifications than they are to respond to emails.
So, if consumers are relatively at ease with the notion of being tracked, where should organizations focus their efforts to avoid consumer concern? Two possibilities are the concepts of awareness and consent. These two principles are paramount to the notion of fair information practices. In at least two of the major stories that arose this year regarding the tracking of mobile phone users, the major area of concern was that consumers were unaware that the tracking was taking place. As an example, I have a Smartphone that provides a “find me” service in the event that the device is lost. In order to take advantage of that service, I have to enable geolocation services so that the “find me” service can locate the phone. As a user, I knowingly exchanged my geolocation information for the convenience of being able to find my expensive mobile device should I happen to misplace it. Had I not known of the information exchange requirement and instead learned of it after the fact, I would certainly feel like my privacy was violated and would likely not purchase from that app provider again.
In a similar vein, consumers can be wary of “Big Brother,” and the idea that our devices are tracking us without our knowledge can understandably introduce some reticence. Awareness, as a pillar of fair information practices, simply means that the consumer knows what the businesses information practices are. What data is being collected and when? With whom is the data shared and how is it used?
However, simply informing customers of information practices is not sufficient. To ease a consumer’s mind the organization should also receive the consumer’s informed consent. This can be accomplished in a number of ways, the most advisable of which is the “opt-in” method. In this instance the consumer must make an affirmative action to allow the organization to collect and use the information. If an organization uses an opt-out method, in which the information is automatically collected unless the customer actively disallows it, the organization runs the risk of not only losing the trust of its customer, but of being on the wrong side of the Federal Trade Commission.
It is important to note, though, that while awareness and consent are important pillars of fair information practices, they are not the only considerations. There are a number of sources to which one can look for guidance on creating a fair information policy. Some of these include:
 Federal Trade Commission Fair Information Practice Principles
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Generally Accepted Privacy Principles
Privacy by Design
Organizations would be well-advised to reference these documents against their own policies. Additionally, as organizations are developing new products and services, these documents should help to inform their data collection and use practices.
With all of this being said, one might ask what this has to do with payments. Simply put, as more and more payment functionality migrates to the mobile space the possibilities for increased data collection expands proportionally. In an environment in which customers are growing increasingly cynical about the protection of their data, it is important to create and cultivate a trusting relationship between consumers and the technologies that they use. Further, it is important for technology providers to be clear with their channel partners, be they ISO or acquirer, with respect to the data collection practices and capabilities of the technologies that are being provided to merchants.
One of the primary challenges facing payment technology providers today is walking the fine line between what the technology can do and what the technology should do. A clear understanding of the privacy guidelines listed above can help providers navigate those issues. In addition, it may be helpful for those that partner with technology providers, resell the technology, or just license it, to become familiar with the guidelines as well. This can help in the evaluation process and ultimately help these organizations determine whether the privacy and information capabilities of the technologies are commensurate with internal practice and policy or whether they might expose the organization or its partners and customers to potential risk.
The bottom line with respect to technology and privacy is that there really is a middle ground for merchants and consumers. Consumers may be willing to allow technology to track their purchases and their browsing history as long as they know that it is happening, they have agreed to allow it to happen and they are getting something in the bargain. Organizations that recognize this trend and are able to create a program that incorporates fair information practices while providing value to customers will be winners twice over. They get the benefit of the customer behavior analysis and they gain a reputation for fair dealing.  |
