May 29, 2007
With 30% of the online population wary of giving out their personal information due to privacy concerns and 51% not trusting search engines to keep their search data secret, it’s an understatement to say that privacy is still a hot-button issue -- for consumers and marketers alike.
We talked to a former Federal Trade Commissioner and a privacy expert about collecting cookie data, ways to build consumer trust and five privacy failures. Plus, three marketers' policies you should emulate.
“If you are a premier brand, you have to not only say that, ‘We stand for quality. We stand for service.’ But also, ‘We stand for privacy principles. We share data in *these* types of situations. We handle data with *this* level of care,’ ” explains privacy expert Alan Chapell, President, Chapell & Associates, who founded the privacy program at Jupiter Research.
With technology constantly changing and shifting marketing practices, it's not getting easier to define the rules of the road when it comes to ecommerce privacy -- especially when consumer advocates and the online community appear to still be out-of-synch.
The biggest difference today is marketers’ ability to deliver targeted behavioral ads to consumers without collecting personally identifiable information, says Christine Varney, who served as a Federal Trade Commission in the Clinton administration and is now a Partner with Hogan & Hartson, where she counsels brands, such as eBay, MySpace, Zango, DoubleClick and AOL.
“You need to deliver targeted ads in a privacy-friendly matter,” says Varney. “The good news is that marketers are getting smarter about their tactics. The bad news is that people are still screwing up and not being as straightforward as they need to be about what information they are collecting.”
Varney and Chapell offered six strategies for marketers to follow:
-> Strategy #1. Set standard across all channels
Not enough big-name brands have multichannel privacy policies. Privacy issues should be consistent in ecommerce, catalog, mobile, point-of-purchase retail and call center operations.
So, is anyone getting it right? Chapell mentioned Best Buy, Hewlett-Packard and Procter & Gamble as three companies doing well at creating singular privacy policies (see links to their policies below).
-> Strategy #2. Costs and disclosures
Yes, it costs money to run a good privacy program. Costs are determined by many factors, including:
o What kind of data you collect and from how many sources
o How many third parties touch the data
o How automated the collection process is
o How sensitive the data is (different security measures for Social Security numbers than non-person-identifiable data, such as cookie data)
o How many platforms you offer the data on
o How many jurisdictions you operate in globally
“It’s a challenge to get implemented in an organization because it’s not a revenue-generator,” Chapell says. “But you need to source the ROI for privacy by looking at the risk-reward of it.”
Three other concerns:
- Data that doesn’t cost much probably is not worth much -- certainly not worth the cost of getting in trouble with regulators. “Big brands cannot afford to use substandard data partners,” Chapell says. “While it’s truly cool that people working out of their garage can compete with the big guys, it is also true that if you are larger you are going to draw the attention of the regulators far, far quicker.”
- Advertisers must be sure that their partners comply, too. Have someone on your staff routinely visit partner sites to watch practices and receive their newsletters. Whenever possible, upgrade your back-end technology so that your marketing efforts are delivered third party as little as possible. It simply gives you greater control over your brand identity.
For instance, gaming site Zango, which went thorough an FTC investigation recently and received counsel from Varney, quit allowing the downloading of their software from a third-party site. The messages always come from their server now. “It’s really cut down on confusion,” Varney says. “Now, there’s implicit instructions at Zango that helps people remove the software.”
- Think the whole “Big Brother” thing is overrated? Look no further than what’s happening between DirectRevenue LLC and New York Attorney General Andrew Cuomo. In a trial that was initially about spyware distribution, Cuomo’s office -- along with the FTC -- have argued that DirectRevenue’s advertisers have benefited from the company’s “misleading software.”
“Advertisers need to understand that at least in New York state, the attorney general will go after them if their marketing partners are not using the highest standards of consumer protection,” Varney says.
-> Strategy #3. Cookie permission
Privacy experts say, “Be consumer-friendly. Obtain more permission on ALL the data you collect.” Yet, merchants are collecting anonymous cookie data at an increasing rate in five out of seven retail categories this year compared to 2006, according to recent MarketingSherpa data.
This is why marketers need to explain to consumers what they're doing and give them as many choices as reasonably possible.
“If I sign up for an email that’s going to give me the daily weather forecast in my neighborhood, you’d better tell me if you plan on putting a cookie in that email and tracking me around the Internet and delivering me targeted behavioral advertising.” Varney warns.
-> Strategy #4. Give more control to consumers
Over the next six to 18 months, Chapell says, organizations in the behavioral targeting space -- even if all they are doing is collecting information from cookies -- need to implement what he called “layered notice regimes.” These will increasingly provide some level of access so customers will know what information has been collected about them.
The layered notice regimes will be similar to online accounts in which the customer can log in and see what has been collected about them.
-> Strategy #5. Follow-through system
Certified programs and security seals are nice, as are privacy statements. But you need to have a follow-through system in place and constantly evolve the policy. For instance, a Web 2.0 community’s policy from a couple of years ago probably doesn’t deal with widgets. In short, the programs are certifying a shrinking portion of the pie.
-> Strategy #6. Five privacy failures
We understand that some of these failures have been touched on already, but they’re worth repeating:
o Failure to understand how your actions might affect others in the business ecosystem
o Failure to adequately vet and monitor your business partners’ practices
o Failure to offer enough choice in how you interact with your customers and how much information you collect on them
o Failure to integrate privacy across multiple channels. Once again, privacy cannot be silo’d from the rest of your organization
Correction: In the original version of this article, we incorrectly stated that Alan Chapell recommends that online advertisers provide consumers with notice (via a pop-up message) each time they place a cookie on a consumer's computer. Chapell's statement was misinterpreted. We regret any confusion that this may have caused, and the article has been corrected.
Alan Chapell and Christine Varney spoke at the San Francisco ad:tech conference. For more information on upcoming conferences, go to http://www.ad-tech.com.
Useful links related to this article
Direct Marketing Association - ethical practices for marketers and anti-ID-theft guidance:
FTC’s privacy page:
Interactive Advertising Bureau - e-mail marketing and lead generation standards:
International Association of Privacy Professionals:
Network Advertising Initiative:
Chapell & Associates:
Hogan & Hartson: