Private Data: Handle With Care

U.S. companies don't realize how easy they've had it when it comes to gathering consumer data until they start doing business in other parts of the world-particularly Europe.

U.S. companies dont realize how easy theyve had it when it comes to gathering consumer data until they start doing business in other parts of the world—particularly Europe.

The European Unions tough privacy laws could make it hard for those companies to collect, manage and export information about European customers. The laws, for example, require companies collecting information about individuals to satisfy each of the 15 countries in the EU that they are securing the information, giving individuals the chance to opt out and meeting other country-specific requirements. Although there have been few high-profile instances of European countries aggressively enforcing the privacy laws against U.S-based enterprises, experts say enforcement could begin as soon as this summer. That means companies deploying ambitious global CRM (customer relationship management) strategies could be forced to rethink their initiatives, particularly if they rely on personal customer information.

Financial services companies will likely have the hardest time passing the sort of consumer data they consider most useful—addresses, credit history, job history—across country borders, according to Sue Handman, national solutions practice director for RCG Information Technology Inc., in Edison, N.J. While other types of companies can sign a so-called Safe Harbor agreement allowing them to avoid negotiating individually with each EU country on privacy, financial services companies are not eligible for the Safe Harbor deal, which was put into place in November of last year following negotiations between the U.S. Department of Commerce and the EU. EU and Bush administration officials are still haggling over just what privacy regulations should apply to financial services companies.

In the meantime, if a financial services company such as General Electric Capital Corp., in Stamford, Conn., wants to import consumer data from Europe to use for analysis, said Chief Technology Officer Shaun Coyne, it will have to handle the data with care. Before dropping the idea of exporting consumer information, GE Capital, for example, considered stripping the data of any personal identifiers, such as names and addresses. Stripping the data of personal identifiers can render the data worthless, Handman said.

Its also time-consuming and an extra cost burden, Coyne said.

Other types of companies should have an easier time passing data that isnt so sensitive across country borders, experts say. Companies doing business with other companies—rather than consumers—in Europe wont have to worry much about the EU privacy directive. Thats because it applies only to personal information about individuals.

Similarly, non-financial services companies exporting personal information such as a consumers airplane seat preference or favorite types of consumer activities shouldnt have much to worry about, Handman said. Thats because those companies can sign up for Safe Harbor status. Still, its unclear how much Safe Harbor will encourage nonfinancial companies to collect customer data as part of global CRM initiatives. So far, very few U.S. companies have signed on for the deal.

"Its too soon to tell what kind of bearing Safe Harbor may have on global CRM," said Esteban Kolosky, an analyst with Gartner Inc., in Stamford. "Unfortunately, no company will feel much improvement anytime soon. Maybe five years from now, though."