Many businesses – including other entities that need to reach out to groups of target audiences – often consider market research as an essential component of their marketing plan. Findings from such research are regularly used to dictate strategy, inform resource allocation and help brands understand and connect with their target audience in myriad ways. The practice of collecting data from users of a product or a brand for the purpose of learning about usage and attitude of consumers is almost a century-old practice.

Generally speaking, there are three stakeholder groups that are involved in the data collection and use process – the user or consumer, the research firm and other businesses or organisations that purport to use the findings of the research undertaken. An implicit understanding, which is sometimes made explicit by contracts signed among the stakeholder groups in this data collection, analyses and reporting process, is the promise to protect the data collected and the user or consumer – we use these two terms alternately – identity by the research firm.

The users of a product or brand who consent to provide information about their consumption patterns usually put their faith in the firm collecting the data and expect that their individual identity and sensitive personal information will be protected. The consumers are often assured that the findings will be reported at an aggregate and that their individual identities will not be disclosed to other entities. Usually, there are certain norms of storage and usage of data that are expected to be followed by these companies. Similarly, users may also be observed by data collection agencies, but the implicit promise – or the norm – of data usage remains the same.

While all of the above started out in a world where users usually had to explicitly provide consent and participate in the data collection process – which is still the case in the context of offline data collection – the digital channels and the enthusiastic embracing of these channels by most of us across the world has made granular data collection on consumers a seamless and unobtrusive process for firms in general.

Companies that exist only in the virtual domain necessitate users to undertake activities on their websites for the purpose of fulfilling the brand and company promise. On many occasions, as on various social networking websites, the brand promise is that of allowing unprecedented reach and connections that have been made possible by the use and adoption of information and communication technology by the firm and the user.

Today, with a plethora of tools and methodologies at the disposal of these firms that operate in the virtual domain and are often referred to as pure-play firms, these businesses can dip into a large ecosystem of methodologies and tools to obtain an increasingly comprehensive view of the user by capturing each click made, archiving each word ever written and noting each image posted on their websites. Companies can now use semiotics, social listening and communications to understand how consumers interact with media and brand messages. Such companies include virtual social networks and e-commerce firms.

Time for new norms

The essential change that has occurred in the domain of data collection is the movement from overt to the covert tracking of individual behaviour. So the question that needs to be raised and examined is whether the changing data collection methods mean that the norms governing the use of data by companies need to change.

In the context of use of information technology by businesses for the purpose of interacting with their users, understanding the motivations that drive normative behaviour around data use is of particular interest to company stakeholders and to society in general.

On human behaviour, Immanuel Kant speaks of three kinds of rules of normative behaviour: rules of skill, rules of prudence and categorical rules. Rules of skill are concerned with the extent of dexterity of carrying out certain tasks to achieve specific ends – for example, learning to use software requires the learner to follow and adhere to certain specific guidelines. Rules of prudence are concerned with judgments for achieving targets that most people are likely to accept as being worthwhile, like the use of environmentally sustainable use of technology. Categorical rules are often concerned with choices where the ends themselves may be questioned, such as the advocates of digital piracy who may have opposing views to those of companies that produce licensed software.

Normative behaviour may also be guided by obedience, compliance and conformity. Adherence to norms may be voluntary, where it is governed by expectations of conformity, or may be mandatory, where compliance or obedience is a requirement. For example, while there may be definitive ways of operating the specific software, where rules of skill may require compliance or obedience and hence may be mandated, there is no definitive judgment on whether a company should or should not use data without the explicit consent of their users. The latter situation demonstrates rules of prudence or categorical rules that are usually governed by conformity and hence, are voluntary.

My own research suggests that most users and consumers of virtual social networking websites and e-commerce companies are often aware that these pure-play companies are tracking their activities on the company websites. Are the users disturbed by this Panopticon view of themselves that is afforded to these companies? Maybe a little, but not to an extent that will persuade these users to stop using these company websites – and therefore, the set of possible activities that these websites facilitate.

However, what consumers are often not aware of is the collection and use of this data by companies other than the owners of these websites – a group of companies that often come to be referred to as 'third-party companies' or simply 'partners'. The technology-intensive nature of the data collection process often makes it impossible for the user to detect who is tracking their personal data. Often these companies together – that is, the owner websites and partner companies – are responsible for sharing the data collected on consumers and making them available to other client organisations that may now use this data for the purpose of one-on-one communication with the user. Certainly, this is a use of data that the user had not agreed to.

It appears that the norms that businesses follow regarding data collection and use of the data about virtual users are somewhat different from those regarding offline user activities. The norms guiding the collection and use of data in the pre-internet era usually depended on rules of prudence and conformity to the established norms by businesses, mostly driven by self-regulation.

Though theoretically a data collection agency in the pre-internet era – as well as data collected offline today – could certainly share the collected data with partner companies, the sharing and dissemination of that data posed significant challenges. The data usually was collected in the traditional pen-and-paper format and provided insights about the consumer only in terms of the questions asked of the consumer. The post-internet era enables the collection and use of data in a soft format, and the insights that may be gleaned about the user from this data are often granular – usually, the users are not asked any questions, but unstructured data are collected and data mining techniques are applied to obtain insights about user behaviour. This granular nature of the data makes it very attractive to client organisations that often use these insights about individual users in micro-targeting their messaging and communications.

These realities about data collection and usage about the denizens of the virtual world made quite prominent by the unfolding story about Facebook and their partner organisation Cambridge Analytica, probably indicate that a self-regulatory approach is unlikely to work as well as it is probably desired. A more stringent approach to this issue in terms of compliance with certain rules that may be mandated by regulating authorities are likely required.

The norms guiding the collection and use of data in the pre-internet era – of conformity – is probably something that needs to be reviewed and possibly replaced with a set of practices that are mandated and meticulously audited. While the need for such a requirement is being voiced from many quarters, including the governments of many countries, the processes involved in following the virtual data trail of pure play companies is no easy task.

Moutusy Maity is a professor of marketing management, Indian Institute of Management, Lucknow.

The Wire is now on WhatsApp. Follow our channel for sharp analysis and opinions on the latest developments.