The Privacy Pact

By John Frederick Moore

When most users think of online privacy invasions, they think of companies like ubiquitous Internet advertising firm DoubleClick. After the company completed its purchase of direct-marketing firm Abacus Direct last year, it announced plans to build a database of consumer profiles, including names, addresses, purchase histories, and demographic data, which would help Abacus to perfect its target marketing. Privacy groups were up in arms, noting that the ability to track consumers’ movements on line and attach that data to names and addresses represented a violation of privacy.

Doing what DoubleClick proposed required a lot of complex technology – and quite a bit of nerve. DoubleClick’s database depended on the 100 million cookies the company placed on the computer of Internet users, who were not informed that they were receiving such cookies unless their browsers were preset to do so. The move was a reversal of DoubleClick’s previous policy of not associating personal information with cookies.

Now, a small business doesn’t have the technology to pull that off. But small businesses stand to lose the most from the invasive tactics of high profile companies. The kind of highly targeted advertising this type of profiling affords can be invaluable to a small business looking to get the most bang from its advertising and marketing dollars. With consumers growing more wary over privacy, however, small businesses need to walk a fine line between collecting that information and alienating their customers.

In Their Business
As long as they inform customers of their intentions, ‘businesses, theoretically, can collect as much information as they want,’ says Becky Richards, director of compliance and policy at Truste, a non-profit privacy organization. ‘That being said, I don’t know that that’s always the best business practice. If you ask too many questions, people will go to a different Web site.’

The privacy debate is not new. Businesses have collected and shared consumer information for decades (think junk mail). What’s different today is that the Internet has made that practice more transparent to consumers.Even in the case of DoubleClick, the Federal Trade Commission concluded that the company had done nothing wrong, as it did not violate its own privacy policy. That’s an important lesson for small businesses to follow.

‘Generally, the FTC has followed a policy that it’s an unfair and deceptive trade practice for you, as a business, to use information in a way that is different or in violation of your own privacy policy,’ says Joel Rothman, a partner at Boca Raton, Fla.-based law firm Seiden, Alder, Rothman, Petosa & Matthewman. ‘Other than legislation directed at financial institutions, we don’t have any legislation on a national level for a requirement for a privacy policy. The FTC has been urging it, but it hasn’t been passed.’

Although there’s no legal requirement for most businesses to maintain a privacy policy, that doesn’t mean it’s a good idea to forgo one. ‘There’s a good business reason, a good marketing reason, and a good public relations reason to have a privacy policy,’ Rothman says. ‘And even though there’s no federal law, many states have what are called little FTC acts,’ which are patterned after the FTC act but allow private individuals to sue for damages, which the FTC doesn’t allow.’

On the Table
Several online consumer privacy bills are making their way through Congress, but so far the federal government has been reluctant to restrict the types of consumer information companies can collect. The Consumer Internet Privacy Enhancement Act, introduced to Congress in January by Chris Cannon (R-Utah) and Anna Eshoo (D-Calif.), would make it illegal for a commercial Web site to collect personal information unless it provides notice that it’s collecting the information and an opportunity to allow the consumer to limit the use of that information for marketing purposes. It’s similar to the McCain-Kerry bill, introduced last year, and the Online Privacy Protection Act of 2001.

‘A lot of the proposals being introduced in Congress are likely to be different from what ends up being written into law,’ says Andrew Shen, senior policy analyst at the Electronic Privacy Information Center, a Washington-based public interest research center. ‘Most of the bills start from the framework of fair information practices, the basic rubric of how information is collected and used with the goal of making the consumer an active participant in how that information is collected.’ Under many of these bills, Web sites would have to provide notice to consumers; some stipulate that sites ask permission to gather information that is used beyond the original purpose.

There are also international concerns. The Internet is, of course, a global medium, but that doesn’t mean one set of rules applies to privacy. ‘The European Union takes a much stricter approach to privacy than this country,’ Rothman says. ‘There are regulations about what information you can keep and how long you can keep it, plus protections for that information that don’t exist here.’

Customer Truce
Privacy experts note that many customers are willing to disclose such information for better customer service. Visitors to, for example, may appreciate the personal recommendations provided when they go to the site. The 1-Click shopping button wouldn’t be possible if consumers weren’t willing to let Amazon maintain their personal and financial data.

On the one hand, businesses are loath to have any restrictions placed on what types of information they collect. Online tracking allows businesses to provide more personalized services to customers, and it allows them to target their ads to customers who are more likely to be interested in their products or services. But they need to earn consumers’ confidence. Many companies choose to use opt-in promotions, in which promotional e-mail is sent only to consumers who have specifically requested to receive such information.

Opt In/Options
Opt-in companies, such as Opt-In Inc. or Snipermail, maintain lists of people who have agreed to receive solicitations, usually as part of a sweepstakes. Opt-in companies rent e-mail lists to businesses looking to promote their products or services, typically priced at rates per 1,000 e-mails sent.

‘Businesses like to outsource e-mail marketing programs because they tend to provide a good return on investment,’ Rothman says. He cautions, however, that small businesses need to be careful, since they don’t handle the information themselves.

‘The user information is out of your hands, so you have to depend on that company to make sure that they are behaving in a way that is consistent with your own standards,’ Rothman says. ‘You have to depend on the company’s word that it has accumulated this private information in a manner that’s consistent with your own privacy policy. Otherwise, e-mail coming from you to someone else that’s being used contrary to the policy would impact on the business that’s subscribing to the service.’

While customers might prefer an opt-in service, businesses will still want to collect information with as robust online profiling tools as are available.

‘There’s certainly a very clear understanding on the part of sophisticated businesses that they have an obligation to notify their customer base, and in fact it’s good public relations to do so,’ says Virginia Richard, a partner with Winston & Strawn. ‘At the same time, they’re very reluctant to give up what is considered to be a huge marketing advantage.’

Collecting customer information can be an invaluable practice. So be up-front about the information you’re collecting and the purposes for which you intend to use it.

• Truste
Non-profit privacy organization whose third-party oversight ‘seal’ program is designed to alleviate users’ concerns about online privacy.

• Electronic Privacy Information Center
Public interest research center that focuses on privacy issues.

• Opt-In Inc.
Company that rents opt-in e-mail lists to businesses.

• Snipermail
Opt-in e-mail provider.

In his last piece for SBC, John Frederick Moore took a look at search engine listings.

Small Business Computing Staff
Small Business Computing Staff
Small Business Computing addresses the technology needs of small businesses, which are defined as businesses with fewer than 500 employees and/or less than $7 million in annual sales.
Previous article
Next article

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.