Performance Indicator

By Edward Cone

The Value of Trust Through Privacy

Privacy is a very big deal in the hotel business, so elemental to the customer experience that every hotel room comes equipped with a card to hang on the doorknob asking for more of it. Service is expected to be welcoming but discreet.

For Tim Harvey, chief information officer at Hilton Hotels Corp., the same view extends to information privacy.

Many companies regard customer information privacy in terms of cost and compliance, at best, and at worst as something to be sold to the highest bidder.

Harvey, who's been with the $3.8 billion, Beverly Hills-based hotelier since 1999, sees it as a positive value to the business he supports. "Privacy is a core requirement, a part of our philosophy," he says. "We think privacy is an advantage in the marketplace."

Like many companies, Hilton collects plenty of personal information from its customers and uses it to market its eight hotel brands through loyalty programs, promotions and the like. But the company is careful to allow customers at its more than 2,200 hotels to opt out of its identity-based campaigns.

The payoff goes beyond customer satisfaction to improved data quality and more successful marketing, says Harvey.

"The more they trust you, the better the information you can get from them, and thus the more they opt in to programs," he adds.

"Good privacy policy provides an advantage in customer service—it's one of the things a customer trusts us to do beyond providing secure accommodations. Consumer trust is the basis of our business. Most of our brands achieve market-share premiums—more occupancy at higher rates than the local market competitive set—and we believe customer trust in our brands accounts for those premiums."

The concept of trust as a business opportunity, and information privacy as a key element in establishing trust, fits comfortably into Hilton's corporate culture.

"Guest service is paramount in the hospitality industry, and we are constantly aware of the business value of maintaining these relationships, as we develop and use technology," Harvey says.

The same understanding prevails in other businesses where customer trust is essential, including financial-services companies such as Bank of America Corp. (which, in its marketing materials, assures customers that it exceeds regulatory standards on data privacy), and at firms such as Intel Corp. that do a high volume of online sales.

Next Page: Connecting the dots between information privacy and profits.

Privacy And Profits

Meanwhile, a growing body of research is connecting the dots between information privacy and profits.

"The value proposition, the benefit for companies that manage information well and really respect the privacy rights of the customer, includes a better relationship with the customer," says privacy consultant Larry Ponemon. The companies he has studied mirror Hilton's experience.

"You get a better quality of information from customers who are willing to give it to you, thereby increasing the quality of marketing and outreach for the whole company."

Numbers are still scarce in this emerging field of study, but Ponemon found in one analysis that marketing programs performed more than 20 percent better when higher-quality customer information was made available.

"You churn fewer customers, and some may even pay a premium for a relationship they trust. This is not just about being ethical, or responding to regulatory imperatives. It's really about being a good business."

Yet according to a study by his Ponemon Institute, a Tucson, Ariz., think tank devoted to privacy issues, barely a third of large companies in the U.S. call privacy "an important part" of their "brand or marketplace image."

Rather than seeing privacy as an economic opportunity or as an active strategic goal, many companies regard a rigorous information privacy policy as something they have to do in order to satisfy regulators and marketing plans.

And even at companies that do see the business value of privacy, it can be hard for the CIO to take an active role in promulgating a customer-friendly privacy policy.

While Harvey plays an integral role in Hilton's privacy strategy, many information technology leaders find themselves reacting to the dictates of legal and marketing teams without gaining a spot at the table where key decisions are made.

"There are few companies where the CIO has real influence on privacy issues," says Venkatesh "Venky" Shankar, a professor of marketing at Texas A&M University's Mays Business School. Shankar has worked with researchers at the Massachusetts Institute of Technology, the University of California at Berkeley and Northeastern University on the business value of privacy and trust, and he is currently engaged in a long-term project to determine the return on investment that can be expected from spending to enhance trust.

One key finding: Privacy issues influence 20 percent or more of overall consumer trust of retail Web sites, with privacy relatively more important in industries such as travel and finance. To become part of the process, he says, the CIO has to work with the other key executive functions involved in privacy policy.

That's not an easy task, given the inherent limitations in the job descriptions of most CIOs.

"They don't really own this issue or determine the direction," says Allen Westin, professor emeritus at Columbia University and head of a nonprofit group called Privacy & American Business.

"The two drivers are the business—marketing and sales—and the lawyers. Marketing filters its plans for permission-based marketing, opt-in or opt-out strategies, through top management. And when the legal people speak authoritatively, they have the trump card—a bank is not going to risk its certification from the Feds. The CIO belongs on the privacy task force, but as an assembler of the technology to support it."

Yet the CIO can do more than just show up for meetings and tweak the plans of others. "The CIO needs to elevate his role to become a business strategist," says Eric Trapp, an associate partner at Accenture, which has released an article titled "The Economic Value of Trust."

Trapp says the CIO should be involved in two-way transactions with the rest of the company, both by learning to better understand the business customer, and by helping to convey to the entire organization the importance of privacy and the ways that it can be supported.

Ponemon says the CIO's role as gatekeeper of information is an increasingly important one in terms of privacy. "The CIO is in an interesting space right now—in a lot of cases they really occupy the position of chief knowledge officer, which was supposed to emerge as a new specialty but really has not done so. So privacy and trust need to fall under the CIO rubric. They can't just be force-fed the idea that privacy is something you have to do, versus something you should do, and we are starting to see that change more in leading companies."

One company cited by Ponemon as profitably privacy-centric: National City Corp., a super-regional Cleveland-based bank that has prospered by wooing retail customers while respecting their personal information.

Next Page: Trust as a performance indicator.

Performance Indicator

Determining the business value of information privacy is not a simple job.

"We need to consider years of data to do it right," says Shankar, who has studied companies such as Intel in his ongoing effort to quantify the relative impact of privacy on trust. He is careful to keep things in perspective.

"Privacy is a necessary condition for building trust, but not in itself a sufficient one," Shankar says.

"We feel there is a strong link between trust and performance. Customer trust is a forward-looking indicator of company performance, not a backward-looking one, like financials. The amount of trust its customers have for a company tells you something about its future."

Other key factors in establishing trust included basic stuff like site reliability and ease of navigation—both within the purview of a CIO—along with perceptions of the overall brand and particular products.

Ponemon has done research on the value proposition of privacy for industries including pharmaceuticals and banking, with an eye to determining metrics for calculating a return on investment in increased privacy.

One study, sponsored by a group of retail banks, looked at the question from three perspectives: customer attrition due to privacy issues; information quality of customers who remain in the system; and overall customer turnover, or churn.

"We found that there is a real economic value to an organization if they manage the privacy relationship well," he says. "For some companies, such as National City, it becomes a competitive advantage."

One of the things the study revealed is that a CIO does the company a favor by making it easy for customers to opt out of particular marketing plans and loyalty clubs, and by making it clear to customers exactly what they are opting out of.

"You need to give the customer the option of being in the system or not," says Ponemon.

Unsurprisingly, companies that do this right typically get more opt-outs, not fewer—but that's a good thing, in his view.

"People tend to opt out because they are very sensitive to privacy," he says. "They would complain if they were unhappy, so you should be glad to have them opt out. They are probably annoyed already." He calls the task of creating the systems to make this easy for both consumers and marketers "a technology challenge, but a must-do."

There is also a cultural challenge within many companies in making the decision not to pursue some business in order to win more—and better—business.

"There is a conscious choice to forego certain marketing techniques by adopting greater privacy rules, in order to enhance customer trust and market more services."

That logic can be a tough sell. Says Ponemon: "The marketing people have as their moral mission the belief that 20 million e-mails are better than 16 million. In this view, fewer opt-outs is a good thing, so they might favor confusing language and tricks to keep people in—when that actually leads to diminishment of effectiveness."

Putting a return on better customer information and improved communication with customers is a developing art.

Ponemon's study showed that marketing campaigns at large retail banks were about 22 percent more successful when they included privacy-enhancing factors such as more flexible opt-out options. The measurable impact on sales showed an increase at one large bank of about $180 million—a small but not insignificant number at such a large company—and an increase in sales at smaller banks on the order of hundreds of thousands of dollars, more than enough to cover the cost of engineering the improved privacy options.

Next Page: Core privacy values.

Core Privacy Values

An early heads-up on privacy issues gave Tim Harvey some momentum as he planned Hilton's system-wide computer network, known as OnQ, which went live last year.

With some 230 Hilton-brand hotels located outside the U.S., the company picked up on the growing importance of customer privacy from its Hilton International Co. affiliate, which faced regulatory changes decreed by the European Union in 1998.

"We started discussing the issues, asking ourselves not just what could happen here in terms of regulations, but also what do we want to stand for, what are our core values around privacy," says Harvey.

"The changes in the marketplace helped get us started."

In 2002, Harvey took the lead in creating a new chief privacy officer post at the company.

"The business value of our continuing relationships with our guests and reasonable information policies was not only acknowledged but embraced, even before we had a dedicated privacy role, or articulated privacy values," Harvey says.

But formalizing the job was a recognition of its increasing importance.

The CIO, who reports to Hilton Chief Executive Stephen Bollenbach and sits on the company's executive committee, consulted with top managers from the legal team and other functional areas including brand development, hotel operations and human resources. "We started at the top," he says. Hilton also worked with Accenture to plan its privacy strategy, and looked at the policies of companies like rival Marriott International Inc. and trust-dependent courier FedEx Corp.

Chief Privacy Officer Louise Nelson reports to the legal department; a peer position, Chief Security Officer Tom Daly, reports to Harvey. A steering group called the Privacy and Security Operating Committee, made up of executives from across the business, meets quarterly to make sure privacy and security issues are visible at the top of the company.

"The Economic Value of Trust"

By A. Fano, S. Mathur and B. Shah Accenture Outlook Journal, October 2003.

"Determinants and Role of Trust in E-Business: A Large Scale Empirical Study"
By F. Sultan, G. Urban, V. Shankar and Y. Bart

Web Site
The Ponemon Institute


"The committee depends on the views these top executives have of the business," says Harvey.

"Privacy has not been viewed as a hindrance to what we do, and people are very proactive about outlining the issues."

Such top-level visibility is important because it helps enforce consistent policies across the organization. "Inconsistency is an enemy of privacy," says Ponemon.

"If one part of the organization does it right, but another part does it wrong, the customer only knows that something is wrong. The CIO has to know where the data is, who uses it, who shares it. He can't spend his time fighting fires at the detail level, it has to be integrated at the top."

Next Page: Details matter.

Details Matter

What happens at the detail level matters, too, says Accenture's Eric Trapp. "The CIO's whole organization can understand the customer better by knowing what the business requirements are."

He suggests creating liaisons at multiple levels throughout a company to help integrate IT staff into the business.

"People should not just sit there listening to white noise and coding all day," he adds.

"They should meet with the people they are coding for. Organizations that really understand privacy and security are making that happen."

Hilton's OnQ project created a common support system, proprietary software to handle payroll, reservations and marketing for all of Hilton's brands: Hampton Inns, Homewood Suites, Embassy Suites, Doubletree, Hilton Garden Inns, Hilton and the luxury Conrad brand.

"Personally identifiable information controls were considered a business requirement in design discussions for OnQ system," says Harvey.

"We knew it was the right thing to do for the customer."

With OnQ now providing consistent technology networked across all 2,200 hotels, Hilton can come up with a single, consistent view of every customer—more than 22 million of them a year. The Hilton HHonors loyalty program and centralized reservation capacity are important contributors to the company's growing revenue line and its relations with franchisees. But information on customer history and preferences, including the choice of opting in to the HHonors program, is sensitive stuff.

Still, privacy is a relative bargain. Harvey's staff of about 500 IT professionals spends about $5 million per year, out of a $130 million budget, on privacy and security safeguards such as encryption and identity management.

Hilton is still working on ways to use information about guests who do not join its loyalty program. The systems are in place to contact frequent guests via e-mail, and to prompt staff to welcome them back at check-in, but it's a sticky subject, so not every capability is currently used.

"If someone stays ten times across the Hilton family of hotels, our front-desk people need to know he's a valued customer," says Harvey.

"But just how to communicate with people who haven't opted in is a problem. At this point, we don't do it very well."

Calculating and communicating the business value of customer information privacy also remains a challenge.

Earlier this year, Hilton drew fire from an Internet community called GripeLog for some language in the privacy policy at its Web site, which seemed to give it license to use customer information as it chooses. The wording on the site was soon changed, but Harvey says the timing was a coincidence.

"Little did they know we had been working for a year on it. We never had a philosophy at this company of selling lists. We are still feeling our way along, and balancing our abilities with our vision. But selling customer information is very far from our imperatives for brand success."

This article was originally published on 09-15-2004