For some aficionados, it has become a new sport: watching Facebook squirm, wriggle and fall on its sword yet again as it struggles to get its privacy policies right.
At stake: one of the big business questions of our time. With more than 400m users, Facebook is an internet behemoth. However, bringing in an annual income of less than $3 per user, it has feet of clay. Facebook is sitting on a cornucopia of volunteered personal data, but if it can't find a way of turning this into cash, the gold mine might as well not exist.
Facebook is not alone in its personal data/privacy travails, of course. The goal posts are shifting for all organisations on at least five different fronts. Let's take a closer look.
Somewhere along the line - it's not obvious where - we crossed an invisible boundary as transaction data turned into behavioural data. People intuitively understand the former. If I decide to do business with you, then it's clear the resulting data is in some way 'yours' as well as mine; but if you start tracking my every move, using mobile phone GPS data, or what appliances I turn on and off, using smart energy meters, or every website I visit, via behavioural targeting, then suddenly that smacks of stalking.
To the organisation, it is simply doing more of the same: collecting more customer data as it becomes available. However, 'more of the same' has a tendency to trigger phase changes, as when more heat takes water to boiling point. The fact is that most people feel that their behaviour - and therefore their behavioural data - is 'theirs', and cannot belong to organisations. Those who cross this line therefore risk sparking a backlash.
Enter that slippery word 'privacy'. This is an apparently simple concept with multiple and often contradictory connotations, including those of nosiness and snooping, embarrassment, 'the right to know', civil-liberties overtones of Big Brother and, increasingly, a hint of trespass with intent of theft.
When debating privacy, we tend to lurch between these poles with sickening speed. According to some commentators, for example, 'privacy is dead'. Their evidence: the way some people proudly publish online pictures of debauched parties.
Sure, people's boundaries and social norms might be shifting, but that does not mean that our desire for privacy has evaporated. Publicising what you got up to last Friday night is not the same as announcing your banking details to the world. Privacy isn't just about embarrassing revelations. It's about context.
That may sound trite, but the implications are huge. Privacy is a personal setting: it exists in the eye of the beholder. This being the case, it is impossible - repeat, impossible - for an organisation to write an acceptable, watertight privacy policy. Why?
Human complexities
Most organisations work according to an atomic theory of 'the customer'. They assume that 'the customer' is a single, indivisible building block of the relationship. However, within this atom there are numerous particles, each whizzing about doing their own thing: me as father, husband, home-owner, football fan, concerned citizen, business professional, and so on. Each one of these particles enters into different relationships with different people for different purposes in different contexts. A one-size-fits-all, organisation-centric policy can never cope with these complexities.
Now factor in the dog's dinner of identity and identity management. Proving that you are who you say you are is a sine qua non of efficient, effective ecommerce and egovernment. However, organisations' kneejerk approach to the identity challenge has proved counter-productive.
Each organisation imposed its own identity and identification rules and processes on its customers - leaving us, as individuals, drowning in a sea of log-ins, passwords and navigational mazes.
It would be much more convenient and economic for individuals to manage their own identities, using the same, single trusted identifiers to access each and every service. The technology necessary for this to become the reality already exists, but getting from A to B will be gruesome.
Behind this lies an even deeper question: who is the rightful beneficiary of the commercial value of personal data - the organisation that collects it, or the individual who generates it?
If you think that you have a clear answer to this question, consider whether it is the same for transaction data, behavioural data, the profiles individuals upload to services such as LinkedIn or Facebook, the content of their conversations online, or the content of their conversations in the pub and sitting room at home?
Accept change
Finally, as icing on the cake, we have the Delphic inscrutability of consumer behaviour. When it comes to personal data and privacy, what consumers say and do is often inconsistent and contradictory.
Many don't seem to care two hoots. Yet, if we unpick the underlying drivers of this behaviour, it includes many different ingredients, including ignorance, apathy, insouciance born of sophistication, and inertia - each with its own dynamics. The ignorant learn; the apathetic can be jolted into anger in a nanosecond. Habits and expectations change.
In a fast-evolving environment, this suggests that using today's consumer attitudes and behaviour as a guide to tomorrow's acceptable practice is risky. When the goal posts are shifting this quickly, game plans built on the assumption that tomorrow will be the same as today are bound to go wrong. You have to take a punt on where things are heading.
So what should organisations do? They face two common problems. First, most organisations have siloed approaches to data collection, the use of which generates contradictory outcomes and mixed messages. Customer service, for example, uses personal data differently from marketing, with its focus on targeting, which is different again from finance's concern with fraud. Yet all these departments are dealing with the same person. Think of the challenge of integrated marketing, only more so.
Second, most overarching personal data strategies, if they exist at all, are based on past-their-sell-by-date, organisation-centric assumptions - that 'we, the organisation, collect and manage your data'.
In fact, the underlying driver of all the above dilemmas is that individuals are beginning to manage their own data. As a result, divisions of labour are being renegotiated and 'boundary disputes' are flaring as confusion and misunderstanding over who should be doing what and what rights they have, or should have, grows.
What should marketers do to lead the way? Step one is to accept that the world has changed. Superficial tweaks to yesterday's strategies and policies are not enough. We need to negotiate a new 'information contract' with customers.
What should lie at the heart of such an information contract? My hunch is it should start from the point of view of the individual, embracing principles such as 'personal data is the person's'; 'individuals should benefit directly from organisations' use of their data'; that 'privacy is a personal setting' (therefore individuals should have the means to set, and adjust it); and that 'using personal information is not about "permission" but control' (individuals should be able to control what information they share, with whom and for what purposes).
Shifting control
Facebook chief executive Mark Zuckerberg seemed to edge toward this in his latest privacy climb-down. 'More and more people want to share information and as long as they have control over that, I really think this is where the world is going,' he said.
The trouble is that Facebook's actions don't always seem to chime with its words. If, instead of trying to take control of users' data in a quest to deliver audiences to advertisers, it helped users share their information with organisations in ways they controlled, and which helped them reap the commercial value of their data, that $3 revenue per user might quickly rise to $30.
The control issue isn't confined to Facebook, however. It just happens to be the place where the stresses of a tectonic shift in personal/customer data are most visible. The fault lines are universal.
Alan Mitchell is a respected author and a founder of Ctrl-Shift and Mydex.