Facebook fracas: Were Admiral’s social data plans inappropriate – or innovative?

3rd Nov 2016

The news that Facebook has blocked Admiral Insurance from profiling users for insurance discounts and quotes has caused quite a stir, with the story dragging up familiar controversies surrounding customer privacy.

Admiral Insurance was planning to utilise personal Facebook data when calculating the cost of car insurance policies for its customers.

As part of a trial, the insurance firm was planning to request new motorists’ permission to look at their Facebook activity to judge whether they are a low-risk driver. Those deemed low risk would then be offered a discount.

Admiral would have used an algorithm to establish how safe a driver is, monitoring social activity for indicators of conscientiousness and organisation, which are apparently traits of a “safe” driver, and for traits of an “unsafe” driver, such as signs of overconfidence, including the use of certain words or over-punctuation.

Unsurprisingly, there has been a backlash from some.

“Facebook – so often lamented when it comes to the privacy of its own users – has come to the rescue of young British car drivers it seems,” notes Lee Munson, security researcher at “When insurance firm Admiral decided snooping on prospective new customers’ social feeds was a good way of tailoring quotes for new drivers, Zuckerberg’s company said ‘no dice’ on the grounds that it was a gross invasion of its users’ privacy. Too right too!

“While personalised quotes are a good thing for those otherwise painted with a brush tarnished by a minority of speed merchants and drunken maniacs, the social activities of many teens could easily give the mistaken impression that they fit one or both stereotypes to the tee - even though most sensible adults know youngsters’ online comments are often fabricated or embellished for the purposes of looking ‘cool’.

“Not only that, the online invasiveness exhibited by some companies is just downright creepy, isn’t it? Whatever next? Vetting of potential employees against their tweets and posts!?”

Dom Mellin, senior media planner at Hunterlodge Advertising, adds: “Facebook is perhaps an unlikely hero when it comes to data protection – not many consumers look to them as a bastion of caring about their rights. However, the stance they have taken in opposition against Admiral’s latest campaign makes them the hero and Admiral the villain in my eyes.

“I think Facebook have done their brand a great service on this one. The tech giant has blocked it, saying it’s ‘intrusive’ – which you can’t really argue with. Maybe Admiral would have more joy going bigger picture by just analysing how active people are on their smartphone during the morning commute?”

Divided opinion

But the reaction has been far from universal. Reflecting this conflict, Lizzie Benton, content marketing manager at Datify, notes: "As a user of Facebook, it's a positive sign that they are taking data protection seriously, especially as many of us put so much of our personal details onto Facebook. However, as Facebook insights can help consumers get the products and content they want, it's a shame that Admiral’s attempts at trying to be innovative have fallen."

The CMO of social media monitoring firm Brandwatch, Will McInnes, agrees that the insurance provider’s approach was innovative, and indicative of a wider trend.

“Data from social platforms can give insight-hungry brands a previously untapped opportunity to intelligently understand their customers’ thoughts, motivations and behaviour in new ways. News that Admiral Insurance was set to use insights derived from Facebook to analyse the personalities of car owners, and therefore determine the cost of their insurance policies, is interesting. Within the sector this is immediately an industry-leading example of the application of social data.

“Every day, sophisticated brands are making decisions using social data - often anonymised and aggregated - to better understand consumers. So while this one initiative from Admiral Insurance has been blocked, the promise of providing better products and services based on actually knowing more about real consumers through appropriately managed social data is a huge opportunity.”

Indeed, there has even been a surprising show of support for the insurance firm, perhaps a reflection on the growing acceptance of social monitoring as a practice, and particularly where there has been transparency and permission has been sought.

Anna Foster, data director at agency TMW Unlimited, explains: "Facebook blocked Admiral from profiling users in the way they wanted purely because it supposedly breached section 3.15 of Facebook’s platform policy, which states “Don’t use data obtained from Facebook to make decisions about eligibility, including whether to approve or reject an application or how much interest to charge on a loan.” In my opinion, Admiral did not breach this policy because they were never going to use the data to decide whether or not to insure a new car owner on the back of this (i.e. deciding on eligibility) - instead it would use it to decide whether they could offer a lower quote than one that was already on the table.

"So while there are legitimate concerns over privacy, Facebook used the wrong justification to ban this use of its platform and Admiral has been punished for trying to find a clever, data-driven way to solve a real problem."

“Whilst Facebook’s decision to block Admiral’s technology is in line with its publicly shared data policy, it does ask tough questions about how much control users should have of their own data,” notes Jerry Daykin, global digital partner at Carat.

“The ‘firstcarquote’ scheme was aimed at first time buyers, a new generation that has grown up in a world of social media and public sharing, and is far more open to broadcasting the intimate details of their lives. Assuming they understood the trade-off here (sharing their personal interests for an opportunity to save money), shouldn’t they have the chance to do so? The challenge is that they may be unaware of what plans Admiral has to use this data in future, or may not like it quite so much when its premium doesn’t go down.”

Carolyn Bertin, who is a leading IT and data protection lawyer at Keystone Law, adds: “Admiral was being transparent about its planned data gathering and analysis of Facebook profiles and posts and with what it plans to do with that data once it has it. There are a host of apps that gather data that individuals publish on the likes of Facebook and Twitter which is then passed on to organisations seeking to get feedback on their offerings. It is not always transparent.

“If the data gathering and analysis is transparent and with consent it is hard to justify the blocking unless Facebook is reconsidering its responsibility as a data guardian. Likely it will have to revisit its policies and terms of use to ensure consistency in what those eliciting business of Facebook users are permitted to do with data they gather through Facebook and to ensure it, itself is more transparent about data gathering by advertisers on the site.” 

Customer insight expert Paul Laughlin adds: “Sadly this appears to be another example of today's data barons relying on an old-style command & control mindset. To reach the potential for greater data democracy we need to see a move in corporate culture to greater collaboration and transparency.

“We may never know the rights and wrongs of Admiral's negotiations; whether or not they were naive in failing to contractually lock down access to the required APIs. However, Facebook's behaviour still appears heavy-handed and betrays an arrogance in regard to data ownership that is disappointing. But then perhaps the leopard, who thought it was fair to experiment on its users without permission, has not really changed its spots. 

“It is an interesting object lesson for other firms aiming to create value from social data and data sharing between businesses.”

Social data best practices

While the story has had a mixed response, there is little doubt that the use of social data is still a sensitive issue. For this reason, the following steps are recommended for any brand keen to maintain customer confidence in its practices:

  • Be transparent about collection and use of data. The ICO has a code of practice to guide organisations with what they should tell people before they collect their data. This concerns privacy notice and fair processing and everything relating to ‘small print’ - which should be less small these days! Remember, if you go beyond people’s expectations or mislead them then not only is there a danger of breaking the law but users won’t trust you again. 
  • The data should be processed for appropriate purposes. People put information on the internet for many reasons, and often that reason is purely social. If brands collect that information and use it for their own ends, consumers can get upset because that was not why they posted it. Therefore, one of the fundamental principles of data protection is limiting the purpose for which information is used. Taking the attitude that everyone who puts something online is a potential target just because they have wiped away their privacy rights is not going to work. People won’t accept that.
  • Be sensitive to the type of data you are collecting. When it comes to company websites, the law expects the business to provide information so that users can make an informed choice about how much information to share. However, where an organisation is using a social network where users are using it for their own purposes, then things are more complex. Obviously if the social platform offers people a way of keeping things more private or less public then companies need to respect where somebody is deliberately taking steps to ensure that only their friends, for instance, can see something. Another issue to consider is that just because somebody has made some information public, it doesn’t mean that it is OK for a company to use it. Companies should ensure they understand what the privacy settings are, so that they are aware of how to keep things as private as possible where they wish to. However, sometimes people forget and people will divulge information that is perhaps more sensitive than they would want out in the public. Where people make those mistakes, organisations must ensure that they are not exploiting them.
  • Keep customer contact in mind. If a company wants to email a customer, there are rules in the ICO's privacy and electronic communications regulation regarding how they can contact them. If, for example, they want to send the customer an email, they can only do so with his/her prior consent or if they have collected it in the course of a burgeoning relationship with the person as a potential customer. Clearly, if they have harvested the email address from his/her Facebook profile, that is not going to fall into either of those categories so an email will be out of bounds. Businesses need to think about how they are going to collect the data from people in such a way that they would expect further contact from the firm. The difficulty of using social media is that the user hasn’t had a direct contact with that company, therefore if they collect the user’s email address it is going to be very difficult for them to use it legally.
  • Marketers must clarify which third parties have access to data and also ensure that any information held unnecessarily is disposed of securely. The guidance in the ICO's two codes of practice on privacy notices and collecting information online is generally about being upfront with people. Explain to them what you are doing with their data and make sure that where you give them a choice, it is a meaningful choice - not simply all or nothing such as "either you give us all this data or you can’t use our tool/website". Ultimately, it is about being open with people and saying "we are going to collect this data, we are going to use it for these purposes, and these are the choices you have".

Laughlin concludes: “As more and more firms, from Admiral to TripAdvisor, are looking at how they might monetise data, firms should remember whose data it is. Hiding behind fine words about protecting privacy does not mask where consumers are being denied decision making power about their own data.

“Hopefully, truly customer-centric organisations can learn from this bad example. People deserve to be educated about the reality of data monetisation in our changing world. Many applications, with permission, will have the potential to make people's lives easier or save them money (for the price of their data).

“Infantilising customers by deciding what is to be allowed is Nanny State thinking. What our industry and society needs instead is clear communication giving people the opportunities and choices of what to allow with their data. I suspect many young drivers would have chosen to share their Facebook data with Admiral in return for cheaper premiums.

“Changing mindsets, to think in terms of customers as more active data owners, also happens to be the mindset to adopt in preparing for GDPR.

“So, let's just reflect that this might be an example where the US tech giant is not embracing the free market and the UK insurer could be the customer champion. Strange times indeed...”

