, , , ,

Equifax and the Wrath of Forced Opt-Ins

Equifax Logo

Over the past decade, digital marketing pushed brands towards increasingly aggressive tactics. One such tactic was automatic opt-in. I used to just see these opt-ins for newsletters, but, more recently, I’m seeing this used for sales and add-ons. I assume these marketers want to get more active users, a more engaged audience, and more sales. But in my experience the ends don’t justify the means–in fact, this method isn’t even that effective. In 2017, marketers need to ask, “Is an automatic opt-in the best tactic for my clients?”

What is an Automatic Opt-In?

An automatic opt-in is when a user is added to a newsletter, service, or other interaction without consent. This usually happens when someone signs up for a newsletter, creates a new account on a website, or downloads an app or software. In a nutshell, this tricks users into signing up for things they may or may not want.

Some automatic opt-ins are subtle. For example, someone downloads software and starts the installation process. Next they must navigate their “preferences.” Screens after screen of vaguely worded settings options demand that the person decide on preferences right now. One of these screens may have options for communication preferences, bundled tool bars, or even a change to the preferred browser on the computer. These screens usually have every option selected, so it’s up to the user to notice this and opt-out. Other opt-ins aren’t subtle so much as they’re forced. There are bad apples out there, and some of the most extreme examples typically use app permissions to force the user to opt-in to unspecified services.

What’s So Bad About Automatic Opt-Ins?

An automatic opt-in can help pad numbers on a company’s reports, but it comes with risks. Some of these risks are obvious. For instance, most people don’t like spam, and most marketers prefer to stay out of the spam folder. Automatically signing users up for a newsletter may increase subscription volume, but that rarely translates to an increase in open rates. Instead, it’s likely that more and more customers opt-out of the newsletter. Worse, some people flag it as spam. If enough customers mark an email as spam, then the sender may be blacklisted. As a result, future newsletters go straight to the spam folder.

But, as Equifax recently discovered, there are even greater risks. There is no opt-out for credit reporting services. This is, by far, the most aggressive kind of automatic opt-in. It may look like a great idea when the user base enjoys endless growth, but what happens in the event of a breach? Equifax failing to protect the personal data of over 143 U.S. citizens happens.

Automatic Opt-Ins Can Drive Abandonment & PR Fallout

Most of Equifax’s “customers” affected in this breach are not paying customers. Instead, these users were tricked into opting-in to a service. Equifax’s strategy was to convert these captive users into paying customers. For years, this looked like a bulletproof strategy. After all, what’s easier than selling to a captive audience?

Things ran well until March 2017, when Equifax detected a potential breach. Then they suffered another breach between May and July 2017. An estimated 143 million “customer” accounts were compromised. Losing hundreds of millions of paying customers is one thing, but many of the people impacted were not paying customers.

Equifax clearly recognized this challenge early on. The company saw the risk of users abandoning their services, so they attempted to mitigate those losses. By offering a free year of credit monitoring (provided by Equifax) the company could induce users to opt back in to a system that just exposed private information. This strategy almost worked. But then users started reading the terms and conditions for the free credit monitoring service and noticed an opt-out for legal action. By signing up for the “free” service these same users unknowingly waived their right to sue Equifax in the future.

Sometimes the Pitchforks Come Out

People took their concerns to social media. The media skewered Equifax for failing to keep customer information secure and then trying to trick these same customers into waiving their legal rights and protections. To make matters worse, one of Equifax’s Twitter accounts promoted a phishing site in place of Equifax’s in-house tool. This just made the breach even worse. It’s hard to estimate how much time and money it will take to repair the brand’s image. In fact, that task may be impossible. At the very least, it will be expensive and time consuming, much like when a person must repair their credit and/or recover financial assets due to a security breach of a third-party server.

The Vampire Rule of Marketing

So what can we learn from this extreme example? It’s important to stick to a hard and fast rule for how you interact with your customers. I call it “The Vampire Rule of Marketing.”

Marketers must be invited into the lives of their customers, both online and offline.

The Vampire Rule of Marketing

May I send you emails in the future?

As marketers, at the least we need to ask for an opt-in before we proceed. This can save us a lot of heartache in the long run, and help protect clients from PR disasters. As John Oliver mentioned on Last Week Tonight, in this scenario the average consumer is not the customer. Instead, we are all the products when it comes to the Equifax breach.

How Much Will This Affect Equifax?

You might think this makes Equifax immune from any long-term damage, but that may not be true. The damage from a breach like this tends to linger. Target and Home Depot are still recovering years later. When a consumer tries to get an auto or home loan the bank will probably check their credit. Additionally, the bank may offer that same customer a credit monitoring service. If enough consumers ask “are you going to use Equifax for that?” the banks will notice. If the Equifax brand weakens the bank’s position in a deal, or worse causes the deal to fail, the banks will respond. Equifax still has competitors, so consumer backlash is a very real threat, but it will take a few months before we see the effects.

None of this changes the fact that Equifax had inadequate security, but it still provides an excellent cautionary tale for being too aggressive with opt-ins. If Equifax had followed the Vampire Rule of Marketing it would have at least reduced the size of the logjam in the communications, marketing, and compliance departments.