Personal tools

culnan.html

CFP'91 Culnan

The Lessons of the Lotus MarketPlace: Implications for Consumer Privacy in the 1990's

Mary J. Culnan

School of Business Administration
Georgetown University
Washington, D.C. 20057

mculnan@guvax.georgetown.edu

On April 10, 1990, Lotus Development Corporation proudly announced its plans to release the Lotus MarketPlace: Households. According to the trade press, MarketPlace was expected to revolutionize the list industry by making names, addresses, demographic and prior purchase behavior data for 120 million U.S. consumers available on a CD-ROM. The product was a joint venture between Equifax, one of the country's largest credit bureaus, and Lotus, a major player in the computer software industry. Equifax supplied the data from its Consumer Marketing Database while Lotus developed the software for the Macintosh desktop computer. A second version of MarketPlace for the IBM PC was on the drawing board. On January 23, 1991, Equifax and Lotus issued a joint press release stating that they were canceling the project. The statement indicated that the decision resulted from consumer concerns and "the substantial, unexpected additional costs required to fully address consumer privacy issues." The thesis of this paper is that the lessons of the Lotus MarketPlace can provide some important insights for everyone who is concerned about consumer privacy issues in the United States.

Background

Two features of the Lotus MarketPlace were responsible for mobilizing the opposition which led to its cancellation: the contents of the database and the desktop technology platform. First and foremost, consumers objected to the secondary use of identifiable personal information without their consent. Here, individual credit reports provided the basis of the MarketPlace data. According to a report in the Privacy Times, Equifax initially took the position that it had no plans to notify consumers that personal data from their credit reports would be used in a new direct marketing product, MarketPlace (1). As a result, a fundamental privacy principle, that personal information collected for one purpose should not be used for other purposes without the consent of the individual, was violated. This principle is a cornerstone of the 1973 "Code of Fair Information Practices" which serves as the basis for most U.S. privacy legislation.

Second, as a distributed desktop application, MarketPlace lacked many of the controls currently in place for a centralized database stored on a mainframe computer and managed by a mailing list broker. Reputable brokers screen requests to rent their lists and often request a sample mailing piece before allowing a list to be rented. They often seed the list with decoy names prior to its release in order to monitor how the names on the rented lists are subsequently used.

Similar controls were not feasible for MarketPlace because the end- user actually owned the database and therefore controlled its use. For example, the end-user could build lists using any combination of the available selection criteria. MarketPlace also allowed the end- user to export names and addresses from the lists they built to a separate file for unrestricted future use.It was therefore unlikely that MarketPlace use could be reliably monitored using decoy names. Privacy advocates viewed the upcoming release of MarketPlace as opening the floodgates. They expressed concern that each new lookalike product would of necessity provide access to more detailed personal information than the last in order to compete successfully with MarketPlace for market share.

Against this backdrop, what lessons can we learn from the Lotus MarketPlace? In retrospect, I believe that at least three distinct perspectives, the perspectives of the consumer, the corporation, and the "electronic lobbyist," are necessary to understand what happened with MarketPlace. After assessing the MarketPlace experience from these three perspectives, the paper will develop some conclusions regarding the need for a new partnership between consumers and companies which balances their respective interests.

The Consumer Perspective: "How Did They Get My Name?"

One important lesson from the Lotus MarketPlace is that consumers clearly want to control who has the right to access their personal information. The ability of a large company to collect and sell personal data clearly surprised and shocked most consumers when they learned about MarketPlace, resulting in a storm of complaints. When given the opportunity to have their names removed from the database, more than 30,000 individuals exercised the option to "opt out." The strength and the tenor of the opposition clearly caught both Lotus and Equifax off-guard.

The Corporate Perspective: "What's the Big Deal?"

In its public statements, Lotus continued to argue that the MarketPlace was only providing small businesses with a means to access the same information that was already available to larger firms. In fact, lists based on personal data have been widely available for sometime. TRW Target Marketing Services, Polk and its subsidiary National Demographics and Lifestyles (NDL), Acxiom Integrated Marketing Systems or any of a host of other companies in the list industry could each have replaced Equifax as the data supplier for MarketPlace.

The results of The Equifax Report on Consumers in the Information Age, a national opinion survey released in early summer 1990, include the finding that the majority of consumers do not object to their names being used on mailing lists if those that oppose this practice could have their names excluded. Preference services which allow consumers to have their names removed from various lists are currently offered by the Direct Marketing Association, Equifax, American Express, the majority of large mail-order catalog firms and others. However, the availability of these services is not common knowledge, and their effectiveness has never been put to a systematic test. My own research found that people, in fact, believe it is difficult for individuals to have their names removed from mailing lists. The Equifax survey further found that the majority of consumers (and direct marketing professionals) believe that individuals have lost all control over how personal information about them is circulated and used by companies.

The second lesson of the Lotus MarketPlace, then, is that consumers do not understand the scope of the mailing list business in the United States, the extent to which personal information is currently collected, merged, sold or exchanged, and the mechanisms that exist for having one's name removed from mailing lists. One comment which was published recently in the RISKS computer conference reinforces this point and is an important message to everyone in the list industry:

"I would venture to say that the uproar is due to the fact that people heard about the Lotus product, whereas they didn't hear about the others. I would be interested to hear about other ways of getting the same information; if we object to Lotus putting together the product, then we should object to other companies doing the same."

Lobbying in the Information Age: "It's a Brand New Ballgame"

Both conventional wisdom (and a substantial body of academic research) suggest that successful public opinion campaigns involve issues which are clearly framed, and are either coupled with a champion or a powerful interest group, or driven by major external events. Traditionally, these lobbying campaigns have been conducted by mail or by telephone. The targeted organizations develop a response based on their ability to identify the group(s) behind the mail and their subsequent assessment of the clout of these groups. Consumer opposition to the Lotus MarketPlace largely defied this conventional wisdom on nearly every dimension. Therefore, the third and perhaps the most interesting lesson of the Lotus MarketPlace is that we have entered the new age of the electronic grassroots lobbyist.

Much of the opposition to MarketPlace was mobilized, individual by individual, on "the net"--public computer networks, bulletin boards and conferences. The public became widely aware of the existence of the Lotus MarketPlace after the Wall Street Journal published John Wilke's story in November 1990. For example, the Wilke story was posted on internal computer conferences at two large firms in the computer industry as a routine news clip. At least one such posting was then forwarded to one of the public conferences. Within a second large firm, the same article was circulated with comments appended urging people to write their members of Congress recommending that steps be taken to prohibit the release of MarketPlace.

For the next two months, individuals continued to circulate these comments, appending their own thoughts, and urging anyone receiving the message to forward it on to everyone they knew. This campaign benefitted from the wide name recognition of Lotus in the computer community and the fact that Lotus executives were accessible through the public networks--Equifax received a fraction of the complaints that Lotus received. Nonetheless, the power of the electronic media to effectively mobilize a national constituency independent of any of the traditional "big money" special interest groups should not be underestimated.

Where Do We Go From Here?

In his introduction to the Equifax survey, Alan Westin articulates his belief that a proper information agreement does not currently exist between the public and the list compilers. When a firm stores an individual's name, address and personal characteristics in a computer database without the individual's knowledge or consent, the individual perceives that a portion of his/her uniqueness has been appropriated. A marketing colleague suggests that this perception is comparable to learning that you are being secretly filmed in the shower. Professor Westin calls for a new partnership between list compilers and record subjects. The lessons of the Lotus MarketPlace provide support for his arguments. But how do we get there?

One clear lesson of the Lotus MarketPlace is that individuals who speak out can effect change. Consumers need to continue to voice their concerns about practices they find objectionable and to vote with their wallets. Patronizing firms which have good privacy practices and boycotting those that don't sends a clear message. When consumers challenge requests for personal information which they believe are inappropriate or unnecessary, or ask specific questions about a firm's recordkeeping practices, they also send a clear message that they want to be active partners with the recordkeepers.

The Direct Marketing Association (DMA) works with its members in the list industry to develop voluntary privacy protection programs. In addition to its mail and telephone preference services, the DMA has developed a set of voluntary guidelines for Personal Information Protection which are consistent with the Code of Fair Information Practices. Consumers should exercise their rights as records subjects under these programs and guidelines, and should report any exceptions to the DMA's Washington office (2).

For organizations which sell or use lists, another lesson of the Lotus MarketPlace is that responsible firms need to do a better job of educating the public. All organizations should inform their data subjects about their recordkeeping practices, provide individuals with a range of options about the subsequent use of personal information, and finally allow each individual to make an informed choice based on the available options. The Lotus MarketPlace also demonstrates that educating the public about the use of new technologies poses a particular set of challenges for first movers.

Increased public concern about privacy provides an opportunity for firms to gain competitive advantage from their privacy policies. But privacy is primarily an ethical issue. Socially responsible organizations do not manufacture defective or dangerous products, cheat their customers, or pollute the environment. Consumer privacy should be made an equal priority. Unfortunately, the Equifax survey found that no more than 25% of executives in privacy-intensive industries want to be a pioneer in adopting company policies that provide new privacy protections. Even many public interest organizations which lobby vigorously for human and civil rights are reluctant to openly disclose their list practices to their supporters for fear of jeopardizing the revenues they receive from selling or exchanging their mailing lists.

National Demographics and Lifestyles recently analyzed the demographics of two groups of consumers who returned product warranty cards. One group had chosen to "opt out"of the NDL database while the other had not exercised this option. Unlike many organizations, NDL offers consumers the opportunity to "opt out" through a check-off on the warranty card itself. NDL's analysis revealed that the individuals who chose to "opt out" did not fit the NDL profile of consumers who are typically responsive to direct mail. This suggests that the primary financial benefits of current practices where the "opt out" notice is buried in the small print (or not given at all) accrue to the firms which make money from the rental of these non-responsive names to other organizations. Rising postal costs may also strike an unintended blow for privacy by finally making it cheaper to remove a name from a list than to mail to prospects who have no interest in the products or services being offered.

Finally, we learned from the Lotus MarketPlace that market forces can work. The product was withdrawn without litigation, legislation or even a single Congressional hearing. Private sector privacy legislation in the United States is characterized by a sectoral approach. The majority of private sector records are not covered by legislation. When laws are enacted, it is usually in response to a specific problem. It is not clear to what extent new privacy legislation will serve the public interest if companies are not committed to privacy as a matter of principle. For example, while the sale of mailing lists based on summarized data from individual credit reports by TRW and Equifax does not violate the letter of the Fair Credit Reporting Act, it clearly violates the spirit of the law. Blockbuster Video's proposal to categorize movie rentals based on a large number of very specific categories and to sell lists based on these categories clearly violated the intent of the Video Privacy Protection Act of 1988 and was even described by DM News, an industry publication, as "skirting" the law.

Conclusion

According to Direct Marketing magazine, the mailing list business in the United States is a $1.23 billion industry. Secondary markets for personal information continue to expand, as detailed knowledge about consumer preferences is increasingly valuable to decision makers in the competitive global environment. New applications for Point-of-Sale systems, relational databases, artificial intelligence, automatic number identification (ANI) and other technologies will continue to result in enhanced capabilities for surveillance, storage, retrieval, analysis and communication of personal information. Consumers, corporations and privacy advocates will need to communicate openly with one another to ensure that these new applications fairly balance the interests of all stakeholders. For some of us, perhaps the lasting lesson of the Lotus MarketPlace is our newly-found optimism that the end of the Lotus MarketPlace marks the beginning of such a dialogue.

(1) It should be noted that Equifax had been selling mailing lists based, in part, on individual credit records prior to its involvement in the MarketPlace project. [ed. This is no longer the case. Equifax announced on 8 August 1991 that it would stop using credit data for direct marketing purposes.]

(2) Director, Ethics & Consumer Affairs, Direct Marketing Association, 1101 Seventeenth Street NW, Suite 900, Washington, D.C. 20036- 4704. (202) 347-1222

Copyright, 1991, Jim Warren & Computer Professionals for Social Responsibility All rights to copy the materials contained herein are reserved, except as hereafter explicitly licensed and permitted for anyone: Anyone may receive, store and distribute copies of this ASCII-format computer textfile in purely magnetic or electronic form, including on computer networks, computer bulletin board systems, computer conferencing systems, free computer diskettes, and host and personal computers, provided and only provided that:

  1. this file, including this notice, is not altered in any manner, and
  2. no profit or payment of any kind is charged for its distribution, other than normal online connect-time fees or the cost of the magnetic media, and
  3. it is not reproduced nor distributed in printed or paper form, nor on CD ROM, nor in any form other than the electronic forms described above without prior written permission from the copyright holder.


Return to CFP'91 Index page.
Return to the CPSR home page.
Send mail to webmaster.
Archived CPSR Information
Created before October 2004
Announcements

Sign up for CPSR announcements emails

Chapters

International Chapters -

> Canada
> Japan
> Peru
> Spain
          more...

USA Chapters -

> Chicago, IL
> Pittsburgh, PA
> San Francisco Bay Area
> Seattle, WA
more...
Why did you join CPSR?

In these times, this is the kind of organization that technology professionals should be a part of.