The digital future of customer experience: managing key risks - Consumer Law

Traditional models of customer care are being challenged by the impacts of COVID-19 and the opportunities presented by digital and data-driven transformation.

Many organisations have looked for cost savings by establishing customer service teams offshore. For some, however, service continuity - particularly during widespread COVID-19 lockdowns in foreign jurisdictions - and cultural differences have prompted a return to Australian-based services.

It is also timely for businesses to consider how artificial intelligence (AI) and digital solutions can deliver resilient, instant, convenient, proactive and personalised services throughout the customer journey.

How can businesses manage key risks while transforming the customer experience?

1. Delivering resilient services

The pandemic has forced businesses to focus on the resilience of outsourced customer service arrangements. While technology provides a great opportunity to automate and streamline some customer interactions, there will always been a need for advanced and complex queries to be managed by humans.

Managing risks: The risks associated with COVID-19 or similar outbreaks are now reasonably foreseeable and must be prudently managed by businesses. As discussed in our earlier article, this includes:

implementing processes to manage broad-based remote working, including physical and electronic security, and supervision;
testing business continuity arrangements (including stress-testing the relevant technology and telecommunications networks) to address any deficiencies when not in a 'crisis' scenario;
considering opportunities to source services from multiple providers in different geographic locations;
planning a tiered structure of governance and controls that can be engaged in different conditions; and
ensuring contracts for outsourced services include variables and options for different contingencies, including 'worst case' scenarios.

2. Delivering instant services

Businesses want to be responsive to customers' requests, inquiries and complaints. This means being available to the customer on-demand and reducing wait times. Many businesses are now adopting online bots, which are available 24-7 and can respond to customers in real time.

As bots' natural language processing capabilities evolve, online chatbots will be able to handle a growing range of situations. Voice bots might even be used to make or receive customer calls.

Managing risks: Traditional and automated forms of customer care share many common risks. For example, like humans, bots need to be courteous and provide accurate information.

While these risks are traditionally managed by staff training, in automated care, they will be managed via contract with the technology provider. Any contract should include continuous improvement obligations to ensure that bots keep pace with technological improvements in the industry.

Organisations may need to include appropriate disclaimers about the bot's limitations, for example, by notifying the customer that the bot provides computer-generated information that should be checked before proceeding.

Businesses should also consider whether voice bots are appropriate for second language speakers, or if human speakers are more accessible and inclusive. Or indeed, whether voice bots should be provided in languages other than English.

While the law does not yet require an organisation to inform customers when they are interacting with a non-human, the overwhelming consensus is that this is an ethical obligation.¹ Not doing so may have reputational repercussions, particularly in an era of robocall and voice message scams.

3. Delivering convenient services

Managing a single inquiry over multiple channels - such as via telephone, online or social media - is an emerging challenge for business.

Managing risks: A solution that coordinates multi-channel communications will rely on interfaces with numerous communications systems. Interfacing risks, and the terms and conditions of the interfacing service, need to be considered to ensure that the solution is reliable and complies with third party terms.

4. Delivering proactive services

Businesses that proactively rather than reactively support customers will have a competitive edge.

Managing risks: The Spam Act 2003 (Cth) and the Privacy Act 1988 (Cth) both impose obligations on organisations that use a person's information for direct marketing. As support and engagement practices become more sophisticated, determining what kinds of contact constitute 'direct marketing' may become more difficult. Organisations should consider:

what streams of its business may be subject to direct marketing obligations; and
how it will ensure those communications comply with legal requirements, including in relation to consent and offering an easy mechanism to unsubscribe.

5. Delivering personalised services

Personalised customer experiences will maximise customer satisfaction and loyalty. This may include using sentiment analysis to understand and respond to customers' moods, or tailoring unique customer journeys according to a person's wants (or weaknesses).

Personalised solutions depend on troves of detailed and accurate personal information, but this presents compliance risks under the Privacy Act and other information security requirements.

Managing risks: The key risk to manage around personalised services is the collection and use of a customer's personal information. Businesses seeking to personalise the customer experience by collecting personal information should undertake a rigorous privacy impact assessment (PIA), including addressing:

whether individuals' personal information will be disclosed to a data storage or analytics provider;
whether sensitive information can be collected, and how it will be managed;
whether new personal information will be derived from information disclosed by the customer, and how to ensure that this information is accurate and complete;
whether the organisation will collect personal information from a third party, and whether and how data from different sources may be matched;
identifying when an individual's consent is required and how that consent will be sought;²
how the organisation will give customers control through the process; and
how the organisation will keep the personal information secure, and ensure it is destroyed or de-identified when no longer required for a permitted purpose.

Privacy impact assessments

A PIA isn't just about ensuring organisations meet their obligations under the Privacy Act - it should also consider customer expectations and reputational factors.

The Privacy Act is currently undergoing a wide-ranging review, which could include the introduction of GDPR-style regulation of automated decision-making. Businesses should consider and plan for future changes.

Customers may not trust businesses that know 'too much' about them,³ so businesses should offer adequate transparency about their personalisation processes.

Businesses can also promote trust and cater to the customer's personal preferences by providing more granularity in personalisation choices.⁴

Having closely monitored how personalisation is offered on social media platforms, Australia's competition and consumer law regulator, the ACCC, may take a similar interest in personalisation in other sectors. Businesses should be prepared for regulatory attention.

The way forward

Providing resilient, instant, convenient, proactive, and personalised services is competitively advantageous for business, but it is important to anticipate potential legal and regulatory requirements. These should be carefully considered and addressed when developing new processes and when contracting with technology/other service providers.

As businesses look to an increasingly digital and automated future, it's also worth proactively looking at opportunities to re-skill workforces for that future.

Footnotes

¹ See the Department of Industry, Science, Energy and Resource's AI Ethics Principles, available here.
² See the OAIC's latest guidance on when consent is required in the Flight Centre Travel Group (Privacy Determination) [2020] AICmr 57 (25 November 2020).
³ See e.g. Reply All's episode 'Is Facebook Spying on You?' which explores consumers' reluctance to accept any other explanation for personalised advertising other than their perception that Facebook is 'listening' to their conversations.
⁴ The OAIC's Australian Community Attitudes to Privacy Survey 2020 touches on the idea that some people are willing to provide sensitive categories of personal information to trusted organisations in exchange for personalised services.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.