Data, Privacy, and the Consumer

If you live in Hong Kong, and you are used to receiving daily calls from eager telesales executives hoping to sign you up for the latest hair re-growth or slimming treatments, or the cheapest long distance calling plan for eight countries you have never been to, let alone know anybody living there worth talking to, then things must be eerily quiet right now. The phones simply do not ring.

For this we can thank (or blame, depending on which side of the fence you sit) none other than Octopus Rewards and the latest privacy and personal data scandal to wash up on the shores of the fragrant harbour.

In only a matter of days, politicians and the local media had tried, sentenced, and executed Octopus in public after it was revealed that the company was (shock, horror) sharing consumer data with its rewards partners. However, in the frenzied media storm that followed, consumer crusaders and self-appointed guardians of Hong Kong’s morality overlooked a few simple facts: Octopus actually did nothing that breached the Personal Data (Privacy) Ordinance. Nor did it do anything else illegal, or come to that, immoral. No data was sold (it was rented in the same way the direct marketing industry worldwide has been doing for almost half a century), nor was any data shared without the consent of the data subject – the consumers who are the members of the rewards scheme.

In fact, the only thing that Octopus was guilty of was poor communication about its activities after the fact. And for that heads rightly rolled.

So what are the facts?

Octopus Rewards is a loyalty programme like any other. You use your Octopus Card to travel or buy sundries, and if you have signed up to the rewards programme you can enjoy benefits of money-off coupons and exclusive offers on products and services from partners. Through the online registration process to become a member, you must confirm your willingness to participate in the programme, and with that, you are asked to give your consent for your data to be shared to ensure that the offers are relevant and targeted for you. No. 2 point-can’t-even-read-with-a-magnifying-glass type here, but a clear and conspicuous 10 point type paragraph that even used the language recommended by the Office of the Privacy Commissioner. At least until it was taken down by Octopus pending a review.

So, nothing illegal or immoral took place. A relationship built on the usual give and take of a loyalty programme – one with more than 2.3 million registered users all happy to be part of the direct marketing ecosystem, collecting rewards points every day. Except, that is, for the one or two who complained to the Privacy Commissioner’s office. About what exactly, nobody is quite sure.

However, in the wake of this scandal, and the public humiliation of its managing director, the wider direct marketing industry has been labeled a dark and illicit world. It has been decimated by the court of public opinion, and the fear of consumer backlash, and investigations by the Office of the Privacy Commissioner.

A letter sent by the newly appointed Privacy Commissioner Allan Chiang on August 17, to a number of direct marketing practitioners and associations, including the Hong Kong Direct Marketing Association, urged organisations to ensure that their operations and their relationships with their clients were compliant with the Personal Data (Privacy) Ordinance. This triggered similar messages being sent from the Hong Kong Monetary Authority and other regulatory bodies. These communications instantly sent shock waves through the direct marketing world, and organisations from banks and credit card providers, to insurers and travel companies that were all once liberal with their direct marketing activities in an effort to attract customers and up sell to existing ones, ceased almost all activities. No outbound calls, no direct mail shots, nothing. But why?

Well, for the large majority it was not because they were actually doing anything illegal, or even in the grey areas of the law, but simply because senior management had very little transparency as to what was happening at this very tactical level, and could not guarantee that all was ‘in order’.

While without a doubt telemarketing best practices in Hong Kong do in general need to be tightened (if not in response to legal requirements, then at least in an effort to focus on relevance and value of the communications to the consumer), this knee jerk reaction to the thought of corporate governance nightmares has sadly seen hundreds lose their jobs at reputable third-party service providers. And more will follow, simply because of a lack of transparency and knowledge within these large consumer focused organisations – organisations that really should know better.

The Personal Data (Privacy) Ordinance was established in December 1996. It should be nothing new to marketers that rely on consumer data and analytics to promote their products and service. At a very-readable 44 pages long, the Ordinance covers six key principles and these can simply be summarised by three words: Notice, transparency, and choice.

Notice: Say what you are collecting and how it will be used. Make it clear, concise and above all conspicuous.

Transparency: Say ‘what you do’ and ‘do what you say’. Don’t say you will send weekly communications around insurance products and you send daily promotions for credit cards and the latest travel packages to Japan.

Choice: Always give the consumer the right to choose – most importantly the right to choose to unsubscribe to your messages through any and all channels, as well as the right to access the data you hold on them.

Marketers around the globe have been involved in the sharing and rental of consumer lists for decades, but under this current ‘consumer privacy’ spotlight, it is those that are less than transparent about their activities (which in many cases are 100 percent legal) that are feeling the heat. Those organisations that operate with full and conspicuous disclosure, that clearly operate with ‘notice, transparency and choice’, with corporate officers who understand local and international privacy and data legislation, and management teams who know exactly what activities are taking place within their organisation, will continue to flourish.

Believe me, we work with them every day. And their focus on true customer relationships and anticipated communications that are timely and relevant to the consumer’s needs are driving financial success daily.

It just goes to show that it really is true: It ain’t what you do; it’s the way that you do it. That’s what gets results…

Related reading