How Should Marketers Manage Data Privacy?

Kelly D. Martin, Abhishek Borah and Robert W. Palmatier

Scholarly Insights: AMA’s digest of the latest findings from marketing’s top researchers

Marketer–Customer Data Tensions

Marketers often hear that collecting and using customer data is an effective way to improve returns. They are told they can generate productivity and profit gains that give them a competitive edge. Following this advice, firms spend billions of dollars to capture and leverage customer data. Our research argues that while these efforts can be good for the firm, they can also increase customers’ data vulnerability and/or heighten their perceptions of susceptibility to harm from data privacy. Indeed, data collection efforts can have a dark side, and customers often express negative reactions to these practices. Firms, however, have little insight into the potential ramifications of customer data management efforts or how to prevent negative outcomes. 

Not all customer data applications are created equal. In our research, published in the January 2017 issue of Journal of Marketing, we identify four distinct effects:

  • Data access vulnerability: the firm has access to the customer’s personal data,
  • Data breach vulnerability: the firm suffers a data breach,
  • Spillover vulnerability: a firm’s close rival suffers a data breach,
  • Data manifest vulnerability: a data breach allows customer data to be misused, such as for identity theft.

These distinctions matter because different types of data vulnerability have different effects on a firm. For example, if customers provide their personal information to Home Depot, they experience data access vulnerability; if Home Depot then suffers a data breach, the potential for harm becomes more salient both to its own customers and to Lowe’s customers, even if the customers are not directly affected by data misuse. Marketing applications for customer data use are not likely to go away, so it is important to address the following question: How can marketers manage customer vulnerability yet continue to leverage the benefits of data?

A Framework for Understanding Data Privacy

In our article, “Data Privacy: Effects on Customer and Firm Performance,” we examine how data vulnerabilities affect customers and, ultimately, firm performance and suggest ways marketers can reduce negative effects. In three complementary studies, we capture two beneficial practices from the firms’ current privacy policies: transparency and control. These two elements effectively reduce all four types of customer vulnerability, they benefit firm performance, and they may prove to be the antidote to the myriad tensions surrounding customer data privacy. Our research program of experiments, an event study, and a field study with real customers across 15 companies examines all four types of data vulnerability (access, breach, spillover, and manifest) on both customer outcomes and firm stock returns. 

FIGURE: Continuum of Customer Data Vulnerabilities​

Key Findings About Data Privacy

  1. Data Access Vulnerability: Customers are more likely to fabricate their personal information (10%), speak negatively about the firm (23%), and switch to a competitor (22%) when a firm simply accesses their personal data. Firms should collect customer information intentionally. If information will not be proactively used and applied, marketers should avoid collecting it.
  2. Data Breach Vulnerability: A data breach reduces the affected firm’s stock value by .29%, averaging losses close to $12 million. For a severe breach (when a large number of records are compromised), this effect is worse. Firms with low transparency have a drop in stock price 1.5 times larger than firms with high transparency. Finally, low control creates negative returns of almost $11 million, whereas firms that offer high control suffer no effect from the breach on stock price.
  3. Spillover Vulnerability: A data breach at a firm’s closest rival decreases that firm’s stock price by .17%, more than $8 million. As severity of the breach increases, it improves the rival firm’s performance. At low severity, the net effect of a data breach by the focal firm on a rival firm is –.7%; at high severity, the net effect reaches +1.7%.
  4. Data Manifest Vulnerability: Making a firm’s data management policies more transparent and providing customers with control over their data can suppress the negative effects of vulnerability on performance, even in extreme situations in which it is likely that a customer has been the victim of identity theft, fraudulent credit activity, or other data misuses.

How Should Marketers Approach the Issue of Data Privacy?

Best Practice: High Transparency and High Control

Marketers may need a more tempered approach to managing customer data and analytics. These practices help marketers identify and better understand customers and segments, but they can also create vulnerability. We use actual privacy policies to understand how firms access, manage, and communicate about customer data. Marketers need to know that customers are made aware of data practices in a firm’s privacy policy and that these practices do affect customer behavior. Data privacy practices are important for all firms, considering our findings regarding spillover effects: Even firms that don’t use customer data can suffer serious performance harms when a close competitor has a breach. 


Transparency and control rise to the top as best practices. In combination, these elements effectively mitigate vulnerability-induced harm on firm performance. Specifically, high transparency and control together:

  • Reduce the spread of negative word of mouth,
  • Deter switching, and
  • Suppress the negative stock price effect.

Low Transparency and Low Control: The Citigroup Debacle

Consider the following example: Citigroup has a privacy policy that is low on both transparency and control. When it suffered a breach, the damages were staggering, resulting in a loss of $836 million in value. Our analyses show that if Citigroup had had high-transparency and high-customer-control practices in place, it would have suffered a loss of only about $16 million in stock value. That is, Citigroup might have saved about $820 million had it simply offered its customers high transparency and control.

The Dangers of High Transparency and Low Control 

Importantly, when provided with high transparency but low control, customers perceive more violation and lower trust across all studies. In other words, it is a dangerous practice for firms to tell customers exactly how they will be collecting data but provide them little to no say over those practices. If customers lack control, they are left to worry about the various potential uses of their data, uses that have been made salient by the increased transparency. Knowledge alone has mixed effects as a vulnerability suppressor. Therefore, if firms intend to reveal data use practices to customers, they must provide them with some element of control over the practices.

Low Transparency and High Control = Uninformed Autonomy

Alternatively, the combination of low transparency and high control creates a situation of uninformed autonomy. Customers have the ability to change their preferences, so they respond favorably, but their opt-in and opt-out choices are somewhat blind. These contrasts suggest that providing customers with some level of control is a powerful managerial tool for generating positive firm outcomes. The amount of customer control provided might not need to reach full and total autonomy; rather, some level of perceived control may be sufficient to obtain the desired mitigating effects. By allowing customers to opt in to or out of various data practices, marketers can promote overall willingness to provide personal information.

Know Your Competitors’ Data Practices

Finally, marketers need to be mindful of competitors’ data practices. A more severe breach helps rivals through positive competitive effects that overwhelm negative spillover effects. Marketers can avoid long-term harm by adopting proactive data management practices, especially transparency and control, for immediate benefits with their own customers and the ability to guard against privacy failures by competitors. 

Read the Full Article
Kelly D. Martin, Abhishek Borah, and Robert W. Palmatier (2016), “Data Privacy: Effects on Customer and Firm Performance,” Journal of Marketing, 81 (1), 36-58.

Kelly D. Martin is Tinberg “Business for a Better World” University Professor and Professor of Marketing, Colorado State University, USA.

Abhishek Borah is Assistant Professor of Marketing, University of Washington.

Robert W. Palmatier is Professor of Marketing and John C. Narver Chair in Business Administration, University of Washington, USA.