What Stays in Vegas (38 page)

Certainly, any US effort to limit a firm's ability to collect and share personal data would kick up a fight. “Businesses with which I transact should have every right to talk about me to others, just as I can speak about them, absent contractual limits to the contrary,” says Tom Bell, a Chapman University law school professor who specializes in high-tech issues. “Regulations in this area do not strike me as cost-effective and raise serious First Amendment problems.” Politicians and their campaign teams have a direct stake in the debate as they make increasingly sophisticated use of personal data to target messages to voters.

Some experts advocate a national privacy agency or ombudsman to shed light on how private-sector data practices affect people. “Just like we established a new agency, the Department of Homeland Security, there should be a new agency that helps people evaluate risks: the Department of Risk Assessment, or it could be called Privacy and Risk Assessment,” says George Church, head of the Personal Genome Project. “Privacy itself is not a risk. It impacts on other risks. What are the odds that you will lose your job or never get a date again or have
people spray paint your house because they don't like the way you look in public? Those are the real risks. Privacy is just like an air sock, right? It's telling you which way the wind blows.”

Church, who asks his volunteers to make their medical records and DNA test results available to researchers on the Internet, thinks companies should do more than require a click for customers to show an understanding of the risks. They could require a test, as he does for his volunteers: “I personally think that there should be a similar exam or criterion for everything you sign because 90 percent of what people sign or tick-box or whatever they do is not read and not understood, sometimes intentionally on the part of the agency asking for signatures.”

Shining the Light on Data Hunters

After researching the business of personal data for this book, I am struck not so much by the practices of any one company but by the intimate composite portrait that emerges from aggregating data from many different sources. One tile may not dazzle, but a mosaic of many tiles betrays a compelling and sometimes unexpectedly intimate portrait.

Often, all that a business needs is one or two tiles to piece together the rest of the picture. The cheerful store clerk asking for your ZIP code at checkout adds it along with the name from your credit card to the company's files. From those two pieces of information it can pinpoint your dossier from a data broker and know a lot more than a five-digit ZIP code might suggest.
¹²
Yet sometimes businesses do ask for ZIP codes for legitimate reasons. For example, automated gas pumps typically request ZIP codes with credit and debit cards to verify the user.
¹³

Shopping clues such as subscribing to a premier cable TV package (lots of sitting) and fast food purchases (bad nutrition) may suggest obesity to health care companies or diet promoters. One data broker sells sightings of cars, complete with photo, for $10 a pop.
¹⁴
I looked up a relative's license plate number and found an image of her vehicle parked some months before in front of a medical clinic, potentially
intimate information. Clues from Facebook as simple as “likes” can suggest someone's sexual orientation. One researcher has shown it is theoretically possible to reidentify people who have revealed their innermost sexual secrets in anonymous scientific surveys for the Kinsey Institute.
¹⁵

In composite, all this information that we share does yield deep insights into what makes us tick. “I don't think consumers understand what they want and what they need in regard to online privacy,” says Ted Claypoole, a Charlotte, North Carolina, lawyer who cowrote the book
Protecting Your Internet Identity: Are You Naked Online?
“They love to read Amazon suggesting new books and music to them, but they find it creepy when ‘relevant advertising boxes' follow them around the Internet as they surf. They will widely share the most intimate personal details on social media, but then are genuinely surprised and rattled to think that business, government, enemies, or thieves might somehow use those details.”

Companies and data brokers emphasize they are gathering all this data to better target their goods and services. They just want to sell you stuff or make money selling your data to other marketers. It is worth stressing that many officials at the firms gathering consumer data are smart, hardworking, and well-meaning. I certainly got that impression from the current and past executives at Caesars, at online ad agency Dstillery, and other companies.

“I don't think that the population we are talking about, for the most part, is populated by guys twirling their mustaches planning evil acts against good people,” says Michael Fertik, CEO of
Reputation.com
. “This is not a Manichaean struggle between good and evil. But most people who are interested in this field on either side of the question, on the shades of gray along the spectrum of the question, are good and decent people who want to do good and decent things. . . . The basic goal is to make sure that the right ad reaches the right person, right? And I also do believe that there is no intent to foul someone up in life. But what happens is over time these data points . . . get accumulated and get spread to people and used in ways that even the guys collecting in the first place had no idea they could anticipate.”

The possibility of unintended consequences highlights the reason why all consumers should care about personal data. Your data can and sometimes do get used in a way that is not in your best interest, and can even cause harm. Data brokers and marketers openly acknowledge that some businesses make unscrupulous use of personal data in ways that can damage people professionally or personally. “People have a right to be skeptical because for every person who is trustworthy in the industry there are probably a couple who are doing crazy weird things. That's the scary dark side,” says Acxiom CEO Scott Howe.

A Simple Manifesto

We, the people about whom data is collected, should have a right to know who the data hunters are and what information they gather about us. Even among the vast majority of businesses making legitimate use of personal data for marketing purposes, many fall woefully short when it comes to providing insights into their activities. That is a mistake that will hurt these businesses in the long term. They should be clear about what they are doing, and customers should have a choice about the extent to which they participate. Some data brokers and marketers argue that curtailing their ability to track consumers will cripple the economy and the Internet. Such logic is patently nonsense. People will still want to buy things and consume even if they have a greater say in how others market to them.

Some of the companies and executives in this book, Caesars most prominently, have chosen to be open about how and why they gather personal information and how they use such details. And importantly, they offer benefits in return. The way they crunch the numbers may be complicated, but there is no reason for the basic data-gathering policy to confuse customers. It might be as simple as “If you join our loyalty program, we will collect lots of information about what you do in our properties. And we will buy outside information to better understand you, and, in exchange, reward you with free food, rooms, and other perks.”

Companies should not be allowed to obfuscate with long and dull privacy policies. Many companies collecting data create confusion by hiding behind legalese along the lines of “Company X does not share personal information with any third-party except as permitted by law.” Such notice is akin to a food company printing a nutritional label saying “We include only ingredients as permitted by law.” That gives plenty of leeway to add lots of saturated fat, sugar, salt, or other potentially unhealthy elements into the blend. “Too often we've been victim of ‘I agree.' It's like the thirty pages, online small-print thing; this is buried on page 22 in small letters and you have no idea where your data is going when you fill out the warranty card or something like that,” says Howe. “This should be transparent.”

The “as permitted by law” phrase does not necessarily mean companies promiscuously share your data. It may embody the unscholarly legal term of “covering your ass.” In case things change in the future, they warned you. Other words with limited meaning include privacy texts that say the company only shares data with “third-party companies with which we have a business relationship.” That could mean any company that buys or rents the data: that's a business relationship.

“Our laws should require commercial sites, and maybe others, to be specific about what data is collected, how it is used, and how you can see what the commercial entity is holding about you,” says Ted Claypoole. “Of course, most consumers will not read the privacy policy, but if this data was offered in a consistent and recognizable box—like the nutrition box on food products—then consumers who care can understand and make informed decisions about what happens to their data, and go back to correct inaccuracies later.” Until the time of easy nutrition label–style privacy policies, you can always call up a company and ask what it does with your data. Companies want your business, and alienating people runs counter to that. Often they will let customers opt out of data sharing.

We should understand how the company uses our data and whether and how it shares the information with others. “The information should be used only for the purposes that the customer believes that they are sharing it around,” says Gary Loveman. “So, for example, if
I share information with a casino company, I shouldn't have it used for political campaign purposes, or to raise money for Planned Parenthood.” In the world of casinos much personal data actually ends up staying in Vegas. What gamblers do on the casino floor as recorded by loyalty programs is not shared with others. The casinos know a lot, and they closely guard those insights as an important corporate asset.
¹⁶

Overall, companies should be able to pass what Caesars executive Joshua Kanter sees as the key standard: the Sunshine Test. In other words, if managers embrace practices that would cause discomfort if featured on the front page of a major newspaper, perhaps they should think again about what they are doing. Yet in researching this book, I have found many firms reluctant to talk openly about their data-gathering practices, often adapting a defensive or evasive pose that raises questions about the propriety of what they are doing. In 2014, the Direct Marketing Association, the trade group of data brokers and marketers, went so far as to ban me from attending any future events (the lifetime ban was overturned a few weeks later). My questions and subsequent articles had apparently made some marketing firms uncomfortable. “Our industry is doing a lousy job marketing itself,” says Howe, who surprised me by distancing himself from many of the DMA's views.
¹⁷
“If you do things that are great for customers and you deliver them choice, then those companies are going to win, and folks that survive by tricking consumers, they will eventually die because they become the most hated companies in the world.”

“I do not agree with Mr. Howe—the industry doesn't do a bad job so much as it doesn't do enough of a job,” says JoAnne Monfradi Dunn, president and CEO of data broker Alliant, who also serves as chair of the DMA's board of directors. “As we move from broadcast marketing to customer engagement, it will be even more important for marketers to be part of the national conversation, and to be partners with customers in their brand choices and relationships.”
¹⁸

Occasionally marketers admitted why they did not want to be open about their practices. One marketing executive told me his travel company was beginning to target advertising through browser fingerprinting. This technique recognizes people's browsers not via cookies, which
can be removed, but through a computer's more durable attributes such as what programs are downloaded onto the browser. Then he asked that I not print his or his company's name: “At the end of the day, there isn't really a legal case against it, there isn't really a privacy case against it. It's really a PR thing. What are you going to do when the
Wall Street Journal
decides to write a nasty article about the practice?” he said.

Shifty practices will come to light. Much as the maker of an unsafe vehicle or adulterated food will one day have to face the music, unscrupulous personal data collectors will have to face those whose data they have abused. Advocacy groups, investigative journalists, congressional committees, and the legal system will all play a role in this process. Companies in the ecosystem of personal data can also help. For instance, search companies such as Google could give lower rankings to humiliation sites, and credit card firms could decline to process payment for objectionable businesses (moves they appear to have embraced recently for mug shot websites).

Since many companies supplement what they observe about you with outside dossiers, you should be able to go to the source and see what data brokers know. Companies such as Experian and Epsilon are still reluctant to crack open the vault. “Trust us, we have good policies” is not enough. Data brokers should allow consumers to peek in and amend or delete their files if they want to. In some cases marketers would gain if people corrected mistakes and refined their preferences to receive better targeted ads and offers. In other cases people would remove data or opt out entirely, so the files would become less all-inclusive.