Every time you browse the Internet in search of a new house, text a $10 donation to a charity, respond to an offer to receive more information about the iPad or check the balance of your 401(k) from your smartphone, you demonstrate trust that the information you choose to share will be protected. But you also know these activities can be tracked and used by marketers to target you based on those behaviors. As the focus of this book is how to use online behavior to build richer engagement experiences, it is important that we address the front-burner issue of privacy.
The online advertising, marketing and publishing industries are engaged in an ever-progressing and broadening debate about the proper handling of Personally Identifiable Information (PII) and the proper use of behaviorally targeted advertising. Here are four key considerations we think all marketers should ponder:
1. STANDARDS AND LAWS ARE CHANGING ALL THE TIME.
Consumer privacy and preferences concerning marketing are a key concern for companies. There is legislation, such as The Health Insurance Portability and Accountability Act (HIPAA), which attempts to limit the display, purchase, or sale of PII without the individual’s consent. In addition to federal guidelines, such as the U.S. Department of Commerce’s Safe Harbor Privacy Principles, individual states are also weighing in with privacy protection acts and rulings.
The biggest recent news in government attempts to regulate privacy is the Federal Trade Commission’s proposal late in 2010 to develop a “Do Not Track” program, patterned after the “Do Not Call” registry started several years ago to rein in telemarketers. It would allow consumers to completely opt out of being tracked. While a proposal is not a mandate, FTC chairman Jon Leibowitz said the “Do Not Track” proposal is offering best practices to companies. The proposal also demonstrated that Leibowitz was serious when he said, at a July hearing, that the government can “use the bully pulpit” to convince the private sector to self-regulate.
At this writing, the federal government is also considering a bill that was proposed by Representatives Bobby Rush (D-Ill.) and Rick Boucher (D-Va.) in the House. However, since Boucher was defeated in the mid-terms, the fate of the bill is unclear. Senator John Kerry (D-Mass.) is also pursuing online privacy legislation to complement those efforts. It should be noted, however, that Democrats are not the only ones to take up the privacy cause. Just one day after the election, Rep. Joe L. Barton (R-Tex.) said that Internet privacy legislation may be a legislative priority in the next Congress.7
Razorfish is watching two areas in the proposed legislation closely:
- A provision that puts an 18-month “expiration date” on customer data, which could have a chilling effect on loyalty and relationship marketing programs.
- The fact that the Boucher bill does not differentiate between PII and anonymous identifiers, like IP addresses or cookies, that do not require the release of PII. The Interactive Advertising Bureau (IAB), a key industry group, shares this concern.
The industry has been taking note—and taking steps to self-regulate—for some time now. Galvanized by the focus the FTC and Congress have been putting on the use of tracking cookies to aid behavioral targeting, the U.S. advertising industry formed the Network Advertising Initiative (NAI) in 1999, a coalition of 35 leading online marketing companies committed to reinforcing responsible business and data management practices and standards. The NAI has made consumer education a top priority. Its latest initiative, the Advertising Option Icon, is a link for consumers to a disclosure statement on any site that engages in behavioral targeting. The program, launched in October, has support from all of the major advertising trade groups, from the 4As to the Association of National Advertisers.
Today’s social networks provide new sources of rich consumer data, and marketers are constantly looking for social graph overlays to other behavioral data. Despite legitimate concerns over the collection and use of online data, we want to stress that the data collected by Rapleaf for use in the Razorfish Links process is publicly available, including things like Twitter and Facebook profiles. Anyone who wanted to could find this data online.
2. TRANSPARENCY AND DISCLOSURE ARE CRITICAL — GIVING CONSUMERS NOTICE AND THE ABILITY TO OPT OUT ARE
Despite the public angst over privacy, many consumers do not read privacy policies thoroughly before agreeing to them. Gamestation demonstrated this in an April Fool’s Day prank, adding this clause to its terms of service: “By placing an order via this website on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant Us a non-transferable option to claim, for now and forever more, your immortal soul.” Even though Gamestation provided an opt-out link—and gave anyone who opted out an $8 voucher—only 12 percent of users opted out, while 7,500 users agreed to sell their soul!
3. CAREFUL HANDLING OF PRIVACY DATA IS CHALLENGING—AND CAN BE EXPENSIVE—BUT IT MUST BE DONE.
Where PII should physically reside within a company is a very important question. If a company chooses to store information in-house, it will often face the need to meet standards and the associated cost to achieve compliance. This can have a huge financial impact, which makes storing this information in a certified cloud storage facility a much more viable option.
Consider for a moment government agencies that find themselves in a particularly challenging position—mandated simultaneously to widely disseminate and strongly protect the information they collect. They are an excellent source for best practices, even for private industry. Here are some interesting examples of best practices from each agency’s handling of PII. In general, the regulations, mandates and related guidance boil down to:
- Know what PII you collect and all the places it is stored and used.
- Reduce the collection and storage of PII wherever you can.
- Control access to PII no matter where or how it is accessed.
- Encrypt all PII both when it is “at rest” (in storage) and “in motion” (being transmitted).
- Consistently monitor PII for privacy breaches and notify affected groups as soon as possible.
All five are sound practices that companies will either be forced to adopt by regulation or will adopt through industry self-regulation.
4. PERMISSION OR CONSENSUAL MARKETING REALLY
From Facebook to Gmail to Amazon, consumers’ willingness to trade their data and online behavior for a more personalized experience is all over the place, depending on what is at stake: I don’t understand it. I hate it. I get it. I love it.
Consumers seem to be thinking, “I love it when Amazon.com recommends a new book based on my interests—but I still hate it when Facebook tells the world about my recent break-up.”
While companies have privacy policies, consumers do not. Consumers are often not aware of—or frankly, that interested in—what privacy policies contain, as Gamestation proved. The consumer approach is much more pragmatic:
- They need to see what they get from allowing companies to track and store their information.
- They need to trust the company with their information, so companies must be transparent about their practices and respect the data.
- They need to feel somewhat in control of their information.
Make no mistake—customers are in charge these days. They can filter you out, search anonymously, blog about their recent experiences with you and broadcast to their professional network online that you and your services should be avoided.
In short, ultimately the consumer decides when it is time to engage. It’s what your mother always told you—listening is more important than talking. So next time, ask them for permission before you speak.
PRIVACY: A MOVING TARGET MARKETERS HAVE TO HIT
As the above illustrates, the issues concerning online privacy are not static. Potential legislation, consumer attitudes, and in-house policies about use of data are under constant scrutiny and changing all the time. Thus, what we present here is merely a look at where things stand now. A year from now, legislation may have been enacted, industry leaders may have taken new self-regulatory actions, or maybe—but doubtfully—nothing much will have changed. We recommend the following sources to keep track of privacy issues:
- DMA Privacy Center
- Interactive Advertising Bureau
- Laboratory for International Data Privacy at Carnegie Mellon University
- The Office of Information Policy, US Department of Justice
- HIPAA—United States Department of Health and Human Services, Office for Civil Rights, Web page on medical privacy
- California privacy laws—California Office of Privacy Protection
- Privacy in the Information Age, by Fred H. Cate. (Brookings Institution Press, 1997)
- Information Ethics: Privacy and Intellectual Property, by Lee A. Freeman and A. Graham Peace. (Information Science Publishing, 2004)