Introduction
In 2014, the 113th U.S. Congress adopted a nonbinding agreement to recognize January 28 as “National Data Privacy Day.” Companies celebrate, or at least acknowledge, the annual observation by participating in various events, such as the speakers and panel discussions held at LinkedIn’s headquarters in San Francisco. Motivation for National Data Privacy Day was nicely articulated by David Hoffman, Associate General Counsel and Global Privacy Officer for the Intel Corporation who noted, “All companies are data companies today, and we all have a role to play in promoting the ethical and innovative use of data” [1]. This quote reinforces growing evidence that many prominent technology companies, including Intel, welcome the event and embrace related data privacy initiatives. The Data Privacy Day Impact Report for 2018, published by the National Cyber Security Alliance overviewed a variety of these initiatives by its partner and supporting organizations. Another notable technology company mention included Facebook, which had recently launched its Privacy Checkup tool and announced its commitment to simplifying its privacy settings to give customers greater control over personal information.
Just a short time after the 2018 Data Privacy Day though, we learned of one of the most invasive consumer data privacy violations of our time, with Facebook in the center of the maelstrom. An application developer and academic had worked to harvest highly sensitive personal information, using what was billed as a “personality quiz,” which the highly sophisticated and savvy data analysis firm Cambridge Analytica purchased and used, allegedly for nefarious reasons—including exerting untoward influence over U.S. election outcomes. Facebook CEO Mark Zuckerberg endured days of Congressional testimony, answering myriad questions from various lawmakers about his company’s failure to protect the personal information of its user base. Of gravest concern to Congress and the public at large was the realization that most of the information was being used without people’s knowledge or consent. Only 270,000 Facebook users had agreed to install the “thisisyourdigitallife” app, but anyone linked to those users through networks of friends suffered compromised privacy, with contents of their personal messages readily available to the since-terminated Cambridge Analytica [2]. Ultimately, the breach is thought to have affected more than 87 million Facebook users.
Immediately after the scandal broke, many consumers immediately deleted the app or vowed to limit their personal use. Widespread coverage and detailed, step-by-step explanations circulated about how to delete Facebook from not only people’s devices but also, more challengingly, from their lives. Several high profile companies and their CEOs—including the Firefox browser’s parent company Mozilla, Tesla and SpaceX CEO Elon Musk, and Apple co-founder Steve Wozniak—noted that they personally had deleted their Facebook pages [3]. On the day of the breach announcement, the company’s stock price dropped 7%, its largest drop ever, resulting in a loss of about $43 billion.
Furthermore, people familiar with the inner workings of Facebook’s data harvesting capacity speculate that Cambridge Analytica may be the tip of the proverbial data misuse iceberg. Applications even more powerful than Cambridge Analytica’s seems to be something of an open secret among marketers seeking sophisticated data techniques to target consumers and modify their behavior [4]. As the Cambridge Analytica scandal continues to unfold, growing public outrage about the blatant misuse and lack of customer transparency also has increased scrutiny into companies’ data privacy practices. Experts have called for investigations of multiple companies’ data privacy practices, noting that firms such as Google may have considerably more personal data than Facebook does [5]. For example, Google has ready access to people’s search and browsing histories, installed apps, and shopping patterns, and by using identifiers, it can track users across all their devices.
And yet, even with all the bad press and critical coverage, within a few weeks, Facebook’s financial health had fully recovered. Consumer ire over its mistakes continues to slowly dissipate. As one expert summarized the situation, “The reality is that when it comes to privacy, the trade-off has already been made: We decided long ago to give away our personal information in exchange for free content and the ability to interact seamlessly with others” [6]. Even a known victim of the Cambridge Analytica data harvesting scandal, when asked if she would consider removing Facebook or constraining her use, admitted, “I’m just too nosy to stay off it” [2].
How Did We Get Here?
Increasingly, companies extract personal information and compile it in ways that their customers had not envisioned—regardless of what was stipulated in the company’s privacy policy. Considerable ethical and legal questions arise, especially in relation to highly sensitive information (e.g., medical history, credit profile, sexual orientation, dating activity) that can be linked with great precision to people’s general personal profile and then used in ways that people neither intend nor ever imagined. Consider a father who received a normally innocuous promotional mailer from Office Max. In what was likely a mail-merging mistake, his name was listed, followed by the identifying designation “daughter killed in car crash” [7]. Even companies with no apparent need for detailed personal information (unlike the data giants like Facebook and Google) are admitting to some issues for consumers, in the wake of seemingly endless reports of data breaches. Around the same time the Cambridge Analytica scandal broke, Panera Bread, Under Armour, Orbitz.com, and Saks Fifth Avenue all reported hacks that compromised millions of customer accounts [8]. Even if consumers are well-versed in cybersecurity, their data self-policing can offer only limited protection and privacy in the modern data-rich environment.
It also is important to remember that data privacy is not just an IT issue. In 2016, one marketing trade organization identified data security and privacy as the top “conundrum” for marketers [9]. Yet existing investigations tend to reinforce the belief that data privacy is not a marketing problem; many articles and books speak to just the technical or legal aspects of privacy. Business strategies designed explicitly to collect personal data, using marketing analytics (i.e., big data), and to monetize these customer data often fail to address the effects on customer relationships or other long-term marketing implications—to their detriment. We strongly believe that marketing should take a more focal position in this discussion, but we also recognize several explanations for the misdirected attention.
Business strategies designed explicitly to collect personal data, using marketing analytics (i.e., big data), and to monetize these customer data often fail to address the effects on customer relationships or other long-term marketing implications—to their detriment.
Somewhat ironically, it may be that companies’ current approaches to data collection and use reflect their own dedicated relationship formation efforts. As customers moved online and took a step away from brick-and-mortar transactions, it became harder for marketers to get to know their patrons without some other access to and sources of personal information. But good marketers must know their customers. In the early retail days, a shopkeeper could keep up with current events and familial happenings by chatting with customers [10]. These nostalgic encounters occur with far less frequency, but marketers’ (and, to some extent, consumers’) desire and need to form relationships is just as strong as ever. Data provide marketers with something of a way to “get to know” their...