Business Columns & Blogs

Grocery rewards cards also could be part of larger NSA debate

One of the instructive facets of the ongoing uproar over the National Security Agency collecting truckloads of data about Americans has been the progression of explanations coming from the Obama administration:

We didn’t do it.

We did it but it’s not a big deal.

We did it but everyone does it.

We did it but Bush started it.

We did it but we’re not really looking at any of it.

We did it — but you can trust us with it.

We did it but it’s important for national security.

We did it and if you keep making a fuss about it we’ll go fire some low-level functionary. Or the attorney general. There — happy now?

We did it and we don’t care what you think — we’re not running again.

We did it and you (the media) won’t care a month from now, once the next celebrity scandal or natural disaster hits the headlines.

We did it and the public doesn’t care about privacy — have you seen how much personal information they’ll put on display on Facebook, send via email or entrust to a business they only see on the Internet?

Cynical or realistic those responses they may be, but some of those responses — the last in particular — bear further consideration not just from the American public but from the businesses that count its members as customers and employees.

This is not solely a story about politics or government or national security or the nature or notion of privacy, although it’s all of that. It’s also a story about business, and not just because some businesses now find themselves entangled in suspicion about being the willing supplier of data about its customers.

Nor is it a new story that businesses have been wrestling with privacy and data security issues for decades. Those issues have proliferated and intensified as the means of gathering, storing, disseminating and losing sensitive information become faster, cheaper and easier to use.

But the latest controversy provides, to use an odious phrase, a “teachable moment,” or at least a pause for contemplation by everyone involved.

Businesses store an incredible amount of information about us, likely to a greater degree of detail than government does through, say, your income tax return (which some businesses also have, if, for example, you apply for a loan).

That’s inescapable if you want to participate in modern life and commerce. And it’s not necessarily a bad thing. Businesses need information if they’re to safeguard your money in a bank account and disburse it to those you want to receive it, or to send you merchandise or sell you services, and to do so remotely.

But how much information do they need? Do you know who you’re really supplying it to? What are they doing with the information?

Suppose, for example, you engage in the mundane activity of filling out a card at a restaurant to get a free meal on your birthday. There. Now the business has a record of your name, address, phone number, email address, birthdate. What might one do with that?

They might, for example, use it to send advertisements for their business, or sell the mailing list to someone else for marketing purposes (if you doubt that happens, fill out a card for a special offer or contest some time with a typographical error in your name, then track the mailings, physical and electronic, with that same error that start showing up).

But of course some businesses plainly state that they don’t share such information. Others are in businesses that are required to have written information-privacy policies and to share those with customers.

Not that anyone is actually reading them. Have you ever actually waded through the verbiage in that little pamphlet that occasionally shows up in your credit-card statement? Discover Card’s policy (posted online, and actually one of the better ones for clarity of presentation), advises that it does share personal information to affiliated companies and nonaffiliates for marketing purposes, although customers do have some rights in limiting that sharing.

The point about reading policies gets to the larger issue of whether the public cares. On occasion the public says it does, witness the outrage expressed by some over grocery-store reward, frequent-shopper and customer-loyalty cards. Attaching a customer’s name to a wealth of data about purchasing habits is a marketer’s dream, and a bit more familiarity than some customers are comfortable with. One workaround witnessed at checkout stands (often for customers who don’t have their cards with them and can’t recall what phone number they provided) is for the checkout clerk to grab a blank card application off the stack and wave it past the reader, thus providing the customer the discount without the customer having to provide the information.

But many customers have been perfectly comfortable with providing the information, perhaps because of the reduced prices, perhaps because they don’t feel the requested information poses a risk, perhaps because they cynically conclude (not without reason) that someone already has all that information anyway.

The grocery-card issue has been quiet for a few years, but the latest controversy might be enough to get businesses, customers and consumers to think about information privacy generally. In recent times most of the attention over personal data has been focused on how secure that information is from theft by outsiders. Now it’s time for some pointed questions on just how much, and why, that information is being collected in the first place.