The furor in Hong Kong over the recent Octopus Card scandal – in which the company was found to be selling customer data to third parties – has died down following the resignation of CEO Prudence Chan and the promise by the government to review its current laws regarding privacy and handling of customer data.
But the core issue is far from settled, not least because Octopus is just the latest example of companies struggling with the fact that they are sitting on a marketing goldmine of customer data that is difficult to monetize without betraying the trust of the customers who generated that goldmine in the first place.
At heart, the Octopus scandal is really just another version of the numerous Facebook controversies over allowing third parties to access user data for marketing purposes. On the bright side, at least Ms Chan didn’t try to argue – as Facebook CEO Mark Zuckerberg and Google chief Eric Schmidt have done – that privacy is practically dead anyway.
On the other hand, Octopus did maintain between apologies that technically it broke no laws and everything was disclosed in the fine print of the rewards program that generated the sold data. That did little to make outraged users feel better about the whole thing, and why would it?
This is an issue that’s only going to get bigger as more and more service providers become tempted to monetize customer data, whether for subsidizing free services with advertising or creating new ad channels for extra revenues.
In the contactless payment sector alone, Frost & Sullivan says that contactless smartcard shipments in Asia-Pac will grow from 590 million last year to almost 2 billion by 2016. Those figures include electronic passports and mobile devices using NFC technology, which is another key point – the customer data protection issue isn’t limited to smartcards and social networking sites.
Indeed, in the wake of the Octopus investigation, six banks were found to have sold customer data to third parties, and local TV news reports claim that at least three of Hong Kong’s mobile operators have done the same. Like Octopus, all reportedly claimed that they hadn’t broken any rules or laws.
Whether new laws or amendments will fix that may depend on the nature of the “fix”. BT chief security technology officer Bruce Schneier makes a good case on his personal blog for legislation that addresses the problem by giving consumers more legal control over their data, which would limit the ability of companies to claim that simply providing a disclaimer or an opt-out feature is all the protection consumers need, and that it’s the user’s responsibility to dig for it.
In the meantime, service providers need to rethink their own privacy schemes and make it easier for customers to opt in and out of services where their data will be made available to others. As I’ve written before regarding Facebook’s privacy policies, it’s not what you do, it’s how you do it. Customers don’t respond well to legal loopholes and “deploy first, apologize later” tactics, and the more companies use those arguments as justification when they get caught selling customer data, legally or otherwise, the more customers are going to resent it.