Personally Identifiable Information (PII) is the core concept underpinning all discussions of information privacy, and a fundamental definition in related legal statutes. The idea of PII is simple enough: information that can be used, by itself, to identify an actual person. However, creating a simple, specific definition of PII is elusive because most personal information can become personally identifiable if combined with other information.

Despite the inherently ill-defined nature of PII, legal statutes still attempt to define it for the record. This usually amounts to a short list of obvious examples and a disclaimer to the effect that “any information could be PII if combined with other information in the right way” (see the recent decision by the California Supreme Court which concluded that ZIP codes are PII).

In the digital environment, even the slightest scrap of information can be plugged into an online search engine which usually leads to further information and with a little work, can eventually lead to an identifiable person. In this context then, all personal information must be assumed to have the capacity to identify someone. Hence, instead of talking about PII, we should be talking about the more general concept of Personal Information (PI), which I would define as: “any information pertaining to a person.” As it stands now, “identifiability” as a special data attribute is an essentially meaningless concept.

A good example of the increasing irrelevance of the concept of “identifiability” occurs in the proposed updates to the European Union Data Protection Agreement released in early 2012. These updates aim to improve the protection of an individual’s “personal data,” which is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life.” This is a significant departure from the previous statutes which aimed to protect an individual’s personally identifiable information.

Unlike legal statutes, most people don’t make a distinction between PI and PII when they are sharing their information, particularly in the context of a transaction. What matters is that they provided the information and expect that it will be handled and secured properly. Arguably, consumers are more concerned with security than privacy when it comes to their personal information, and become irate if they feel they have been misled or deceived by companies that hold their data.

Society in general is becoming desensitized to the downside of divulging personal information and the constant trickle of high-profile data breaches is eroding the consumer’s expectation of ironclad security. In such an environment, perception can be a company’s biggest ally: if customers believe that their personal information is being handled responsibly, they are more likely to be loyal to the brand. The catch is that reality must match customer perceptions; otherwise they will feel betrayed or deceived and any privacy/security violation, no matter how small, will seem significant to them.

As was widely publicized, Google recently ran afoul of consumer perceptions when it consolidated its numerous privacy policies into one global policy. Previously, Google had been managing several policies for its various products, which was undoubtedly a cumbersome process. Creating one policy to cover all products would definitely make things easier for Google and, in theory, could also be good for customers, given that they would now have one policy to reference instead of one policy for each Google product they were using. However, instead of receiving praise from its customers, Google stirred up lingering suspicions about its intentions to aggregate, exploit, and abuse people’s personal information. Ironically, Google’s openness about its privacy policies may have set the stage for consumer backlash. Advertising separate privacy policies led people to believe that Google had no desire to aggregate data across products, yet consolidating privacy policies contradicted that belief.

Like most people out there, the court system does not seem too concerned with the concept of “identifiability” in litigation involving personal information. In fact, lawsuits regarding privacy issues are usually based upon allegations of deceptive trade practices. An allegation of deceptive trade practices rarely allows for a private right of action (i.e., an individual cannot sue for damages by themselves) and plaintiffs must usually prove actual harm has occurred as a result of the deceptive practice to have any hope of winning in court.

Although the law may reference PII, even if plaintiffs successfully argue that a company mishandled or misused personal information, the courts are reluctant to award damages unless clear financial or reputational harm resulted from the misuse. Proving actual harm is difficult to do in most circumstances, unless financial information was compromised and resulted in provable financial losses. In fact, more harm is usually done to the company’s reputation than to the plaintiff’s in such cases.

An excellent example comes from a recent court case in Massachusetts. The overview is simple: a customer alleged that a company violated privacy statutes because they collected her ZIP code as part of a credit card transaction. In this case, the court decided that the ZIP code did qualify as PII and that collecting it as part of the credit card transaction did violate a specific provision of state law. However, despite these conclusions, the case was dismissed because no actual injury or harm could be proven. The details can be found here.

It shouldn’t be surprising that positive perception is important in maintaining a good privacy relationship with your customers. It is well known that honesty and good customer service create positive experiences for customers, which in turn help drive sales. These principles can be applied to information handling as well.

A classic example of customer service trumping privacy concerns comes from internet retailer Amazon. Search for “Amazon privacy violations” online and you’ll find a slew of stories detailing alleged privacy violations spanning a decade or more. Yet despite these incidents, Amazon consistently ranks high on indices of customer satisfaction. Good customer experiences generate trust in consumers’ minds, and as long as their experience continues to be positive, that trust is very hard to compromise.

Of course not every company is an enormous internet retailer with extensive resources to devote to customer satisfaction, but there are some simple things any company can do to manage perceptions when dealing with consumer data:

• Avoid lengthy and confusing privacy policies. A fine-print privacy tome does little to create an atmosphere of honesty and trust and in fact leads people to believe they’re being deceived in some way. There is little ROI in crafting a convoluted privacy policy that was written to absolve responsibility under relevant statutes and is only visible as a hyperlink.
• Feature the notice with the action; don’t rely on your privacy policy alone. Create simple, short privacy disclaimers related to the specific data being collected and the action being taken. Post these at appropriate spots on websites, mobile apps, or during data collection. Customers can always go to the privacy policy, but this shows that you think about privacy and use at every step in the process, not just in a privacy policy buried in the site. This is really about creating trust with a well-crafted marketing strategy that is integrated through all aspects of the business.
• On a related note, only collect the information that you actually need to conduct your business or communicate with your customers. Collecting additional data “just in case” is not only prohibited in some jurisdictions, but it may deteriorate customer trust.
• Insist that data security arrangements are documented and properly implemented; good security locks down information that could cause actual harm if mishandled. Do not merely leave it up to a network administrator or database admin to figure out security arrangements for data collection.
• Take the time to draft a good response plan for handling the situation if something goes wrong. Few things destroy customer trust like a hasty, panicked, or ill-conceived response to a crisis situation. In theory, if you have a good security plan, then any “incidents” shouldn’t be a result of negligence on your part and managing a response is really just managing consumer perception and retaining trust.

It’s no secret that privacy and security are hot topics in the world of integrated marketing. The ability to use data to provide personalized and targeted communication to customers is one of the keys to increasing marketing ROI. However, if the consumer’s wishes aren’t honored or their trust is taken lightly, marketers are going to see very short term results from their targeting efforts, regardless of the legal implications.

For nearly 20 years, Catalysis has specialized in the digital integration of award-winning marketing campaigns that drive connected, measurable results. Our clients include Microsoft, Moss Adams, Banner Mattress, Thunder Valley Casino, BabyLegs, and WineBid.

For more information, contact info@catalysis.com or visit our website at www.catalysis.com.

 

The information contained in this publication is general and is for informational purposes only. Catalysis makes no warranties, express or implied, in this material.