'One Man's Creepy Is Another's Targeted': Data-Privacy Gray Areas

About a year ago, a large North American bank discovered that employees throughout the organization were looking at the accounts out of a famous athlete to satisfy their curiosity. To stop this behavior, the bank resorted to shaming — it circulated a report every day of all the people who had opened the account record until the activity stopped, according to a former employee.

That kind of voyeurism is clearly inappropriate and presumably as rare as celebrity clients. But banks are bound to confront much knottier privacy questions as they strive to make smarter use of customer data to improve marketing and service by experimenting with technologies like wireless beacons, geolocation and algorithm-recommended offers.

A company that combines information gleaned from various sources about customers' location, preferences and purchases may know more about them than they realize, violating implicit assumptions of transparency and consent. Sometimes what's considered a privacy violation changes with time, as people adapt to new technology and get comfortable with it and the associated benefits. Even so, trepidation and pushback are likely in the near term.

"Caller ID was once considered to be an invasion of our privacy," Al Raymond, head of U.S. privacy and social media compliance for TD Bank, said at a conference last week. "Now it's the complete opposite — it protects our privacy. Over time, these things evolve. It's a subjective and emotional response. It's not always rational. One man's creepy is another man's targeted, depending on your perspective."

Geolocation services track users' locations to provide them with useful information such as driving directions and traffic updates. Uber, for instance, tracks customers as they arrive at an airport and offers them a ride from a nearby car. Taco Bell pushes out coupons to customers as they pass by its restaurants. Starbucks uses geolocation to let users place orders without having to wait in line.

Some banks are experimenting with geolocation combined with Bluetooth wireless beacons that push out signals to communicate with apps on the consumer's phone. For instance, Westpac New Zealand is testing Apple's iBeacons in its branches to greet customers as they walk in and to monitor branch traffic and behavior. Apple requires apps to get opt-in before they receive messages from the Bluetooth sensors and to allow users to opt out afterwards. So there is a measure of protection built in.

Still, businesses that use geolocation data have to be careful.

"As long as institutions respect opt-in rules, using geolocation data is not 'creepy' if it tailors communications in a relevant way," said Paul Leavell, senior marketing analyst at Charlotte Metro Federal Credit Union. "The aim is to get the best deal possible to the consumer on a timely basis. For instance, knowing that they have visited an auto dealership allows their financial institution to reach out with an auto loan offer that may be better than other alternatives."

Text messaging is another potential gray area. Many banks offer customers push notifications for things like fraud alerts and account overdrafts. Consumers are fine with these messages, which they themselves typically set up and opt into.

But tracking keywords in texts, phone calls, and emails to target mobile ads at them is not generally accepted.

"Customers do not want Big Brother and they interpret that as Big Brother," Raymond, of TD Bank, said last week at SourceMedia's Banking Analytics Symposium in New Orleans.

Consumers have proven themselves willing to trade some personal information for something they value — convenience, a discount, a free product. People have come to accept the ads in Gmail that relate directly to their Google searches, for example. (At the other end of the data privacy spectrum is lesser-known search engine DuckDuckGo, which does not collect or share personal information.)

Some banks comb customer transactions for large payments to other financial institutions — a sign they may be leaving. This has been at times called out for privacy issues. But over time it's become more accepted.

"Mining transactions for customers utilizing competitors should be part of any institution's cross-sale arsenal," Leavell said. "The key is presenting the communication in a way that is not offensive."

Retailers and travel providers use transaction data in their marketing initiatives, noted Steven Ramirez, the chief executive of Beyond the Arc, a customer experience strategy firm in Berkeley, Calif.

"Banks already have the data, the question is if they have the data analytics capabilities and the strategic thinking to act on the insights," he said.

Another hazard for banks is analyzing customers' social media data for information about their friends and family, Ramirez said. "By combining spending patterns, social media posts, geolocation, and other factors you can start to connect the dots and understand a lot about a person's social network."

A cautionary example is Facebook, which was sued last year in a class action for its Sponsored Stories. In this feature, once a Facebook user "liked" something on her Facebook page, that like would appear in an ad in a friend's feed, implying that the user had endorsed the product or company. The court found that Facebook violated users' privacy by not letting them opt out of the feature and Facebook quietly shut the service down.

How Banks Can Stay Out of Trouble

The first thing banks need to understand, according to Raymond, is what information their apps are collecting, how that information is used and whether it's too much.

"That's a very European/Canadian/Asia-Pacific concept — in fact, everywhere except the U.S.," he said. Overseas companies will consider whether the information they're gathering is more than what's needed to perform a service, and if it is, they'll "skinny it down" and ask only for what they really need.

"In the U.S. we just take everything, put it in a closet, throw in some drives, we'll be good to go," Raymond said.

Transparency — letting consumers know exactly what data the bank is collecting about them, is also important.

"Transparency is the 'T' word in privacy," Raymond said. "In the privacy world, transparency is nirvana, it's the Shangri-La." When and how to disclose the use of customers' information is not completely clear. If it's buried in the fine print of the Terms of Agreement that no one reads, does that count?

In a similar vein, consent is important and in some ways ambiguous. There are nuances surrounding when to ask for it, when it's implied, whether it needs to be written or oral.

Above all, Raymond cautioned, banks need to make sure they're doing no harm.

"As a credit card issuer, we hold very sensitive information around purchases and in store visits," he said. "We believe that holds us to a high standard of responsibility, and we work hard to protect that information and to be transparent with our customers about how we use it."

For reprint and licensing requests for this article, click here.
Bank technology Fintech
MORE FROM AMERICAN BANKER