Photo by Nejron

How much personalization is too much?

This story originally ran in The Parallax on January 25, 2019, and was written by Dan Tynan.

In 2012, when Target used data analytics to identify customers who were expecting a baby, then mailed them coupons for maternity clothing and nursery furniture, it inadvertently revealed a teenage girl’s pregnancy to her parents.

Back then, the revelation caused an uproar. Today, that kind of artificial intelligence-assisted profiling is rapidly becoming routine. Personalization is the new mantra of marketers. And most people are perfectly OK with that.

According to a 2018 survey by Accenture Interactive, 91 percent of consumers said they’d prefer to shop with brands that know their preferences and offer personal recommendations. Three-fourths of them said they wanted brands to deliver a curated experience. And only 27 percent complained about companies being too invasive.

Personalization can be a boon. It’s helpful when Amazon.com remembers past purchases so you can easily reorder them. It’s a plus when Netflix recommends shows you want to binge on. And you may appreciate receiving a personally curated box of clothing from StitchFix.

But how much personalization is too much? And how do you control what happens to this highly personal information? The answers aren’t always clear.

How marketers get to you

For decades, marketers have relied on generic personas to customize their advertising: He’s a stay-at-home dad who watches basketball and drives a minivan; she’s a mother who shops at Whole Foods and goes running on weekends.

Now, thanks to the data explosion generated by Internet-connected devices, and the ability to rapidly analyze this tsunami of information using AI, marketers are on the cusp of crafting offers specific to individual consumers, at scale.

“One-to-one marketing is really the holy grail,” says Patrick Tripp, vice president of product strategy for RedPoint Global, which offers a customer data platform to help brands personalize their marketing campaigns. “Not simply knowing your name, background, or interests, but also recommending the right path of personalized experiences, delivered at the right moment.”

By analyzing data from smart appliances, fitness trackers, and grocery purchases, for example, a marketer could figure out that you’re trying to avoid gluten. In response, it might recommend a wheat-free pasta recipe or a fat-burning exercise regimen, Tripp says.

The challenge is doing it in a way that’s helpful but not creepy.

“Marketers need to be explicit about how they ask consumers for permission and capture data, but implicit about how they’re actually delivering these experiences,” he says. “There are subtle ways to recommend products that are in line with the clues you’ve been giving but aren’t invasive.”

Where’s the data coming from?

But this level of personalization requires lots of data—much of it collected, aggregated, and shared without most users ever being aware of it. In addition to information they collect in the course of doing business with you, many brands also augment your profiles with data acquired from third-party brokers and web-tracking companies.

December 2017 study by web browser privacy add-on maker Ghostery found that three out of four web pages contain some kind of tracking technology, and one in six sites use them to collect and share personal information. (Trackers for the biggest collectors of personal info, Google and Facebook, were respectively found on 60 percent and 27 percent of all sites surveyed.) Some trackers can uniquely identify individuals, such as when a URL request contains the user’s email address, says Jeremy Tillman, Ghostery’s director of product.

The information can get very personal. For example, he says, if you search a site like MayoClinic.org for information about HIV, or schedule an appointment with a clinician, that information could be shared among other companies that use the same tracking technology.

A recent report by Privacy International revealed that 20 popular Android apps—including those by Kayak, Spotify, TripAdvisor, and Yelp—are automatically transmitting data to Facebook, even if their users don’t have a Facebook account.

“If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors, and routines, some of which can reveal special-category data, including information about people’s health or religion,” the report notes.

What could go wrong?

Any large collection of data is vulnerable to breaches and serves as a rich target for malicious actors, notes Paul Bischoff, a privacy advocate for Comparitech. The more personal the information, the more valuable it is. Companies may also share this data indiscriminately—as Facebook did when it allowed Cambridge Analytica to access personal data related to 87 million of its members, he adds.

“The same information used to personalize apps and websites can also be used to target you with political ads, and in more extreme cases can be used for harassment or discrimination,” Bischoff says.

And if a company goes out of business or is acquired, that highly personal data is almost always an asset that can be sold or transferred.

Personalization can also come back to bite you in the wallet. Life insurance giant John Hancock will soon require your Fitbit data, for example, to determine how much it charges you for coverage. Orbitz and Hotel Tonight already show different prices for flights and hotels, respectively, depending on the kind of device you use or the location of your phone. One-to-one personalized pricing is the next logical step, writes Neil Howe, a demographer and author credited with coining the term “millennials.”

What can you do?

If you’d rather not get personalization-themed offers from brands—or at least have more control over the data used to generate them—your options are pretty limited.

The Ghostery browser extension allows you to manage and block tracking technologies on each website. Android users can reset the unique advertising ID number on their phones, which essentially erases your previous tracking history and starts over. Google and Facebook let you opt out of seeing personalized ads, though they’ll continue to track you.

And while even Silicon Valley giants Amazon, Apple, and Google support some kind of overarching federal privacy regulation, it’s unlikely to go as far as GDPR’s “right to be forgotten,” which gives consumers control over the data companies generate about them.

“I definitely think we’ll see regulation in the US and other places beyond the European Union,” says Mike Herrick, senior vice president of Urban Airship, which helps brands engage with their customers using first-party data. “The key thing about GDPR is that it takes a privacy-by-design approach. Every company should be getting in front of that, being thoughtful about the data they use, and avoid doing anything sketchy.”

For now, though, the price of privacy remains eternal vigilance, Bischoff says.

“Any time you get a new device, sign up for a new account, or install a new app, take a moment to adjust your privacy settings,” he advises. “Often, it’s possible to opt out of a lot of data collection schemes, but most people never bother to do it.”

ABOUT THE AUTHOR

The Parallax

The Parallax is a tech security and privacy news blog founded by cybersecurity journalist Seth Rosenblatt, with contributions from a roster of nearly 50 industry experts, researchers, and reporters.