A Little Too Personal

Think about it.

You're browsing through your mail and come across an oversize postcard from your health club. Printed across the back in large text you read: “Hi there, Chris! The last time you were here, you weighed in at 183 lbs. Can we make an appointment for you with a personal trainer?”

The mail carrier and your neighbors might get a laugh out of it. But would you? And there's a lesson here for every direct marketer.

Personalization lifts response. But it's easy to cross the line.

Just because data is available doesn't mean it should be used in this way. Overly personal communications can be regarded as a threat to privacy or even raise concerns about identity theft.

Database mining and printing technologies allow for creating highly personalized marketing based on information from a variety of sources, including customer records, stated customer preferences or data purchased from third-party vendors.

However, there's growing public concern about misuse of data.

The Federal Trade Commission held public hearings last year to discuss so-called behavioral advertising. This involves automatically tracking Internet users in order to gather personal information about them — like the Web sites they visit, their online purchases, even their participation in chat groups.

Data collected in this way has been used for targeted online advertising. But consumer watchdog groups claim the practice is an invasion of privacy when consumers aren't told they're being monitored and aren't provided a simple and effective way to opt out.

To date, the FTC has made efforts only to strike a balance between privacy rights and advertisers' needs to provide information about desirable products and services. It has issued self-regulatory guidelines, advising marketers to take special care in the collection, handling, storage and disposal of sensitive customer information.

Apart from legislation like HIPAA (the Health Insurance Portability and Accountability Act) and the Gramm Leach Bliley Act (which regulates the financial services industry), the government doesn't define or limit exactly what kind of data is hands-off for marketers.

How much personalization is too much? In its report, the FTC identified several highly sensitive areas of information:

• Medical data. This includes information on chronic health conditions, medical history, genetic makeup, insurance, prescription drugs and related purchases.

• Financial information. Data concerning bank accounts, personal income, investments, credit rating, income tax and the like.

• Personal identifiers. Covers Social Security, credit card, driver's license and even telephone numbers; physical descriptors like height, body weight, eye color or clothing sizes.

• Any material directed to a minor.

• Individual sexual preference or orientation.

What are you supposed to do? The FTC has developed useful (and not too burdensome) guidelines for handling this type of information:

• Take stock

  Gather the sensitive data you have on file in a centralized database and on individual computers, disks, CDs and in hard-copy files. It's not always easy to locate — credit card data and other personal details can be found in sales or human resources databases, and maybe in the accounting or payroll system.

• Scale down

  How much of this information do you really need to do business? How long do you need to keep it? Legal requirements may dictate long-term archiving of some data, but businesses may be storing customer credit card numbers well past the account expiration dates, or sales histories for customers they haven't seen for years.

• Lock it

  Keep hard copy files and removable digital storage like CDs, disks and drives in locked file cabinets and offices. Firms that operate with computers linked to a central database can establish a hierarchy of who needs exactly what data and use software applications to block access to anyone else. Complex password protocols are also useful for stand-alone or laptop computers. Take care, too, in leaving computers unattended with data displayed on the screens.

• Ditch it

  If personal information on customers, employees and suppliers isn't actively in use, destroy it. This means shredding, burning or pulverizing paper documents and overwriting digital storage media (you can't just hit the delete button).

• Plan ahead

  There are good reasons for protecting customer information. One is that it creates good will. But it also helps you avoid legal liability. Grant a trusted employee the authority to establish and enforce security procedures and provide active executive support. Develop a written security policy detailing how every member of your organization should handle sensitive information, and a clear plan for dealing with a situation like a computer system breech. Decide beforehand who may need to be notified and how — and this can include your customers. Investigate every complaint or reported violation immediately to help determine vulnerabilities and correct them.

Any type of personalized marketing message can be regarded as intrusive when it's inappropriate or uses data obtained without the consumer's knowledge. But even businesses under stringent government regulation have the right to offer their products. The key is relevance. If the information doesn't directly tie into your overall message, don't use it.

By sticking to the basics, you can gain all the benefits of personalization and still respect your customers' rights to privacy. You can use general information customers provide — like gender, age, and geographic location — to improve response. This also will eliminate the need to mine the database too deeply and risk triggering privacy alarms.

Personalization works. Just keep those critical privacy issues top of mind.

DAVID HENKEL (dhenkel@J-QUIN.com) is president of Johnson and Quin, a provider of direct mail printing and production services.