Customer Data Safety? Enjoy The Ride

A recent story doing the rounds, was that someone picked up a call and kept saying “Hello, hello” without getting any response. By the time he disconnected, his bank account was cleaned out. This seems really far-fetched to me, but it highlights a problem that we face every day; unsolicited calls. 

What is particularly galling, is that some of the biggest culprits are the most respected organisations who would normally adhere to professional and ethical standards, including real estate companies, retail brands, banks, Insurance companies and (yes!) the gatekeepers ‒ the telecom companies themselves. According to a report from Truecaller in 2021 quoted in Wired, India was the fourth highest spammed country among the 20 that they surveyed and of this, one company made (hold your breath) 200 million calls between January and October 2021! Of the calls they tracked, one per cent were spam calls asking for personal details. 

Truecaller crowd sources its data with people voluntarily reporting nuisance calls. But many avoid the hassle of logging a complaint, which means the problem is much bigger.  

According to Indian law, unsolicited calls are not prohibited. In a good initiative, the government has set up a National Customer Preference Registry (NCPR) where you are encouraged to register your own Do Not Disturb rules. But I don’t know how many people know of this, or how effective it is. I tried a few times to register through the 1909 sms number, without success.  

The TRAI has registered 2,50,000 Principal entities with 55,00,000 approved communication templates. For calls there are basic rules like; calls only between 9 a. m. and 9 p.m., callers should first identify themselves and ask if the recipient wants to take the call, the recipient should have given written consent for getting calls, etc. The problem however is the surge in unregistered telemarketers who aggressively push unsolicited messages. Even when a recipient clearly opts out or denies interest, the calls continue, often from different numbers.  

On the face of it, may look like just a nuisance. But there are bigger issues involved. How do these callers get the telephone numbers and names? What other information do they have? 

Telemarketers farm out calls sharing lists of personal information to third party service agents who may not be as strictly regulated. With WFH, these telemarketers could be operating offsite. There are so many possible ways for the information to be passed around.  

Customer data is really valuable. I know when I was a retailer, we constantly pressured our sales staff to collect contact details. But customers need to be concerned about protecting their personal data from being misused, especially where it could cause financial or reputation loss. Equally important is the ease with which data is removed from a data base, when you want this done.  

According to the new Data Protection Law 2022 being mooted, personal information which is in the public domain, can be used for marketing purposes without specific customer approval. There are of course, many ways your personal information could filter into the public domain. So, there is always a fig leaf available to marketers. 

It is good to know that the government is trying to come up with some rules using as a model the European GDPR (General Data Protection Regulation) with its stringent controls for use of private and personal information. Its catalogue of criteria is detailed and if the infringement is found to be intentional, or there is failure to take measures to mitigate damage that occurred, it can render a company liable to pay damages up to Euro 20 million, or four per cent of its total annual turnover of the previous year, whichever is higher. In 2019, Google was hit by French regulators with a fine of Euros 50m for pushing customers to consent to processing their data that they did not understand. 

Our proposed law (The Digital Personal Data Protection Bill 2022), has a maximum penalty for Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (4) of section 9 of this Act, of Rs 250 crores. There are other penalties, which go down to as little as Rs 10,000.  

It isn’t the wild west right now, you can still get protection under existing laws such as the Information Technology Act 2000 as amended by the Information Technology (Amendment) Act 2008, or the Consumer Protection Act 1986, but it isn’t so straightforward. 

The other often ignored problem, is behavioural data being collected without a person’s knowledge or consent. When you look at something on your phone, or talk about it while your phone is listening, or post or scan through social media, aggregators glean the information electronically and create your psychographic profile. This is married to your demographic profile and then used to target digital marketing campaigns, which continuously bombard you. The more accurate the behavioural targeting of these aggregators, the more effective their campaigns and the more money they make. 

These targeted digital marketing campaigns are not just obtrusive, they are also based on sensitive information that’s been collected. While technically the information is anonymised, you end up getting specific marketing messages that you may not want. For example, if a woman happens to be looking at male undergarments for her partner, her device will continue to be flooded with pop up ads, sms messages, emails or other communications, for male undergarments.  

A further refinement is Performance Marketing (based on clicks or sales) which tracks people who are interacting, buying, clicking, or just viewing, products online. Machine learning engines soak up this information and then retarget the same users – ‘you were looking at this, here is another option.’  

There are no controls currently for behaviour based digital marketing and performance marketing.  I guess for now, we just enjoy the ride.  

With over 30 years’ international experience in marketing, managing brands, retail and ecommerce businesses, the writer is a consultant and commentator