Online Privacy Issues

The FaceBook Scandal: FaceBook implemented an advertising platform known as Beacon in November 2007. Beacon has become the subject for the most recent privacy concern. The core issue is that it attached information about what each FaceBook member had purchased online to their profile. It also emailed that information to their friends without approval. Obviously, people don't want everything they've purchased broadcast to those they know (i.e Bob Smith just bought Easy Origami by John Montrol). One month later, FaceBook modified Beacon to require the FaceBook member to approve any shopping data before sending to their network of friends. The FaceBook CEO also publicly apologized.

FaceBook has also been tracking member activities on external sites after they have logged out of FaceBook.com. This information is then being tied back to your FaceBook profile. The complaint is that this practice is not being clearly spelled out in the FaceBook.com privacy policy. This tracking is done through cookie sharing (a data file appended to the user's computer and shared across a network of partner websites). Cookie usage is nothing new. The use of cookies to track users online has been done for many years. While cookie sharing is relatively new, FaceBook could only track user behavior across partner sites (those using the Beacon advertising platform). It is not possible for them to follow visitors with FaceBook cookies to just any website. Beacon is one of many advertising networks (i.e. Specific Media, Double Click, AdWorks, etc.) that track visitor movement within their network of participating websites.

Another example of a privacy issue is when Google first offered GMail. There was quite a bit of concern with the relevance of advertisements based upon the content of emails. The concern is grounded in the fact that email is supposed to be private. GMail users have gotten used to this targeted advertising over time, and it is rarely mentioned.

The issue of ad tracking networks has resurfaced "Privacy" issues once again. The rules for online marketers, however, remain the same. Here are the equations that can cause privacy issues and attract the attention of watchdog groups (in order from least offensive to most offensive):

•     Behavioral Data + Sharing With Third Parties = Privacy Problems  
•     Behavioral Data + Personally Identifiable Information = Privacy Problems  
•     Behavioral Data + Personally Identifiable Information + Sharing With Third Parties = Privacy Problems

Expert Opinion on Privacy

One of the leading pundits in online sales and marketing is Seth Godin. He was vice-president of permission marketing at Yahoo!, has been a columnist for Fast Company and has written: Permission Marketing, The Big Red Fez, eMarketing, Survival Is Not Enough, Unleashing The Ideavirus, Purple Cow, Free Prize Inside, All Marketers Are Liars, The Big Moo, Small Is The New Big, and The Dip. Recently, Seth has responded to the latest controversy surrounding privacy. Here are some of his key points:

• "Most people don't care about privacy. If they did, they wouldn't have credit cards. Your credit card company knows an insane amount about you."
• "What people care about is being surprised. If your credit card company called you up and said, "we've been looking over your records and we see that you've been having an extramarital affair. We'd like to offer you a free coupon for VD testing..." you'd freak out, and for good reason."
• "The irony is that the people who most want privacy are almost certainly the worst possible customers for a search engine. These are the folks who are unlikely to click on ads and most likely to visit the dark corners of the Net. If I were running a web property, I'd work hard to attract the people who least want privacy and want to share their ideas with everyone else."

While you do not want to ignore potential privacy concerns, it is important to keep privacy in perspective. When visitor information is used properly, it can greatly enhance the experience by reducing irrelevant choices without causing embarrassment. It simply requires the marketer to put themselves in the visitor's position.

FTC Proposed Online Behavioral Advertising Privacy Principles

Recently, the FTC published a set of principles to shield the public from unscrupulous Internet practices (Download P859900stmt.pdf). There are four principles and a loose concept for a fifth principle. Here they are:

1. Every Web site where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose. In my opinion, providing the ability to opt-out of data collection represents a significant economic hurdle to bring the majority of websites into compliance. The other question is whether this should be active or passive. In other words, should the visitor be greeted by this question upon arrival? If you have seen the automotive navigation systems, it would be like requiring the driver to accept responsibility before accessing the system. I think this would bother more people than it would ultimately protect.
2. Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. In my opinion, this is nothing different from the way most companies manage data today.
3. Companies should obtain affirmative express consent from affected consumers before using data in a manner materially different from promises the company made when it collected the data.
4. Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff also seeks comment on what constitutes “sensitive data” and whether the use of sensitive data should be prohibited, rather than subject to consumer choice. In my opinion, setting a standard for "sensitive data" is difficult. It is akin to establishing a universal standard for obscenity. This is an old legal challenge as the standard varies from rural to urban environments. As an example, does the purchase of an origami book referenced above constitute "sensitive data"?
5. The FTC is interested in expert opinion about whether tracking data is being used for purposes other than behavioral advertising, and, if so, does it deserve heightened protection.

Privacy Policies

If you elect to attach behavioral data to personally identifiable information (i.e. email address, first name, etc.) or share the information with third parties, it would be prudent to notify all visitors through a privacy policy. I have provided two privacy policy examples below. I suggest the brief version if your intent is to have visitors read and understand your approach. The alternative policy feels more legal, but its length will dramatically reduce the number of visitors who will read and understand. So, the brief policy will make people feel immediately comfortable and reduce or eliminate future objections, the long format is to address their objections after the fact. The important point is that you craft your privacy policy around how you intend to use any information you collect. The old maxim is "say what you'll do, then do what you say."

Suggested Privacy Policy (Brief)

Date Last Revised: [insert date]

We want to understand you, but never intrude. Any information we detect or you provide is used within our organization to make each interaction more convenient and relevant upon arrival.

We will never share your information outside of our organization.

Alternative Privacy Policy (Long Format)

  Date Last Revised: [insert date]

We gather certain types of information about the visitors to the [Your Website URL], and we believe our visitors should fully understand how we obtain and use that information. This Privacy Statement discloses what information we gather and how we use it.
 
  If you have questions or concerns regarding this Privacy Statement, you should contact us though our Contact Us form.

Your Personally Identifiable Information

The submission by you to us of your information, including personally identifiable information (e.g., your name, your address, your e-mail address, your telephone number), may be required in order for you to receive certain services, products or information you request from us. Some personally identifiable information may be required in order to use certain functions of our website (i.e. zip code).
 
In certain locations within our website in which we obtain personally identifiable information from you so that we can send an online brochure or have a representative respond to your request.

Your Zip Code

You may enter your Zip Code on this Web site if we have not correctly detected your location. Providing us your Zip Code enables us to display the nearest location to acquire our products/services. We provide this information for Zip Codes that are within one of the 50 states or the District of Columbia, but not those in other U.S. territories or possessions or for the postal codes of Canada or other countries.
 
When you first provide your Zip Code to us, we serve a "cookie" to you that includes your Zip Code. ("Cookies" are described below.) That cookie permits us to recognize your Zip Code upon your return to our website, without our having to ask you again for your Zip Code.
 
You have the opportunity to change your Zip Code at appropriate times during your visit to our website if you want to get information for a different Zip Code; changing your Zip Code in any application automatically updates your Zip Code cookie.

Other Cookies

 "Cookies" are small data files that many Web sites write to your hard drive when you visit them. A cookie file contains information such as a user ID that a site may use to track the pages you've visited. However, the only personal information a cookie can contain is information you supply yourself. Cookies served by us don't permit us to read data from your hard drive or to read cookie files created by other Web sites.
 
Please note that we do not link the information we store in cookies to any personally identifiable information you submit while on our Web sites or with any third party websites.

Security

 The security of your personal information is important to us. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
 
If you have any questions about security on our Website, please use our Contact Us form.

Links to Other Web Sites

 Our website contains links to many other Web sites not operated by us, including sites where you can obtain automotive products and services. However, this Privacy Policy only applies to the [Client Website URL] and the information we collect, and we are not responsible for the privacy polices or practices of any other Web sites.

Changes to this Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please check this page periodically for changes. Your continued use of our website following the posting of changes to these terms will mean you accept those changes. Information collected prior to the time any change is posted will be used according to the rules and laws that applied at the time the information was collected.