Can You Keep a Secret?

Show your customers how to develop Internet privacy policies before real problems arise.

On one side are frustrated marketers with a slew of technology for cookie planting, invisible GIFs, and Web log analysis, hoping that the next breakthrough in customer insight will shake revenues out of the doldrums. On the other side is a consumer base growing increasingly edgy about invasions of digital privacy, both perceived and real.

With a hash of government and industry initiatives in this country lining up to complement and contradict each other, and Canada and the European Union already enacting more comprehensive codes of conduct, privacy is no longer simply a matter of posting a cookie-cutter policy. Yet it's still not easy to see exactly what will drive consistent, coordinated standards for consumer privacy.

Demand alone seems unlikely to carry the day. Despite pockets of outcry over low points such as Toysmart.com's aborted sale of its customer database and DoubleClick's perhaps overly ambitious campaign to unify online and offline customer profiles, public pushback has not given rise to an Internet-wide privacy agenda. Part of that is a lack of money talking.

"Consumers havent shown themselves willing to pay for privacy," says Arabella Hallawell, Gartner Group senior analyst, which she says is only compounded by the stigma of serving the market in the first place—early adopters are perceived to have something to hide. "People who want to be anonymous on the Net are often not the most savory people."

Everything To Hide

At best, privacy has been a sideline feature for some of the larger names in personal Internet security, and a value-added proposition for solution providers. Citing low subscription rates, Montreal's ZeroKnowledge recently abandoned its Freedom Network pseudonym browsing system in favor of more conventional desktop privacy and security software. The writing was on the wall for some time. Before the shutdown, Toronto, Canada-based communications integrator Conexys bundled the Freedom pseudonym browsing system from Montreal-based ZeroKnowledge in its portal, but noted that it was far from the key feature that drives customers to sign the dotted line.

"Our client base tends to be highly sophisticated executives and mobile professionals who really value their communication tools," says Joanne Jarrell, the companys marketing director. "I dont see it being a core business for us, but its something that will position us properly for those [privacy-minded] executives."

Whether they are willing to pay to make a difference or not, consumer privacy choices can have a real impact on a corporation's bottom line. Yankee Group VP of Internet media research Kevin Noonan, an advertising industry veteran who defines himself as "a real socialist when it comes to data," charges that some Web site operators make up to half of their revenue on renting customer data and log file analysis, although he declined to name names.

While marketers publicly speak at great lengths about wanting to respect customer privacy above all, there is also a great deal of frustration over newfound resistance to decades-old practices that typically met with little organized resistance in the offline world.

Among some marketing minds, a transaction between customer and producer implies permission for equal and essentially unfettered attempts to learn more about the other side. Contrary to their intention, such attitudes usually only provide more grist for the pro-privacy mill.

Heightened awareness has led to an intricate dance between marketing and online data. Indeed, marketing service bureaus now spin themselves as privacy intermediaries. Optas Inc. of Wakefield, Mass., which specializes in the pharmaceutical industry, describes the new order as "bubble marketing" to reflect the precarious nature of consumer confidence in another's ability to collect and share sensitive information about them.

In keeping with this theory, Optas positions itself not as a cold calculator of propensity-to-buy for the latest drug, but as a secure conduit that allows ostensibly trusted health sites to pass offers to consumers based only on aggregated information.

"The pharmaceutical companies get the zip code and demographics but the Web site has full control over the privacy of the relationship and control what level of detail gets passed back," says Optas marketing VP Paul Buta. "The organization that has the trusted relationship ultimately has to have tools to protect the trusted relationship."

In that, at least, both sides of the issue are in agreement. "If you're going to hold personal information, the burden is on you, not the consumer, to protect that information," says Austin Hill, executive VP of ZeroKnowledge Systems.

Still, key questions remain. How much data needs to be disclosed to provide service? And at what point does data disclosure merely serve to grease the marketing machines?

"Depending on the forum, if somebody is asking for very personal advice, you might be uncomfortable giving out information without knowing who youre talking to," concedes Hill. "However, if youre at a party and having a conversation with someone, do you ask to see their drivers license? People need to have that kind of choice, especially when conversations are being archived."

Even without looking for third-party vendor relationships, larger corporations still typically have an impressive array of data sharing options at their disposal, and such relationships tend to come under less scrutiny even from privacy advocates. "When you give up data, it's implicit that it's shared across the whole company…especially in the customer service department, they have everything on you," says Noonan.

Yet the conglomerates with the largest market research departments often have disparate, non-obvious subsidiaries, and there is virtually no requirement that a company discloses which of its subsidiaries and divisions will have access to consumer data.

Hypothetically speaking, it may seem obvious to an AOL Time Warner director that information provided to TIME magazine should also be visible to sister business units such as AOL's online service and New Line Cinema, but a consumer will not necessarily draw the same conclusion. Although some analysts have posited that the technology involved in making consumer data that transparent across an enormous enterprise would be an equally enormous headache, "that could be a passing problem," says Noonan, which means it could become a sore point before long.

Opening the Data Vaults

Much has been said about how United States privacy standards differ significantly from the rest of the world. One of the major differences is the principle of one's right to access and correct the data stored about him or her. Even among firms that cheerfully refrain from data sharing, even going so far as to offer opt-in instead of opt-out, such in-depth access is a rare find. Aside from an obvious desire not to let individuals delete the most juicy and valuable items from their databases, information collectors face a serious challenge—positively identifying someone who, by definition, wishes to remain rather private and anonymous with enough authority to let them make a sensitive change.

Richard Smith, CTO of The Privacy Foundation, a non-profit research organization, ran into this problem the hard way. He discovered that his record with ChoicePoint, a database agency that provides detailed information to government bodies including the FBI, reported that he had died in 1976, might be in jail under a nickname, and had a phantom ex-wife and stepson. His attempts to remove himself from the database were rebuffed.

Rationally, there's no reason to expect information collectors and aggregators to open up their files to individuals for review and correction online, despite—or because of—the fact it would be an extremely convenient way for consumers to review the extent of their data profiles.

Consider the Direct Marketing Association's response to the efficiency of the Internet. Its Mail and Telephone Preference Service opt-out lists traditionally allowed consumers to send a letter of request to have their name placed on a master do-not-contact list provided to DMA member companies. The DMA now offers a Web form as well, which is faster and more convenient for all involved—and comes with a $5 fee. Allegedly, this charge is justified by faster service (although the database is still only updated quarterly, regardless of how the request is submitted), but could also be considered a thinly veiled disincentive to use the one-click convenience of a Web page opt-out.

Coming Up Short

The current market proposals to clean and clear up the privacy question are not living up to expectations. Despite the ubiquitous logos proudly stating compliance on a vast number of popular web destinations, privacy seal programs, which purport to certify and validate the privacy practices of member companies, do less than many realize. Typically, U.S.-based privacy seal organizations hold their recipients to only the barest minimum standard of conduct—by and large, the seals only establish that a company has written a privacy policy using complete sentences.

Organizations such as TRUSTe and BBBOnLine dictate very little about what the privacy policy should say. Instead, they serve primarily to provide some assurance that the text of the privacy policy (whether it provides ironclad privacy, or rampant resale and integration of personal data with myriad outside vendors and data customers) matches a firm's actual business practices. Because of the notable lack of substance behind these reassurances, their value as a marketing tool may be short-lived.

"Not only is enforcement questionable, but a company that buries information about third-party data in a slew of legalese is placed on the same level as one that clearly states up-front that it has no intention of transmitting data," writes Zona Research in a June 2001 report, "Internet Privacy: How Businesses are Bridging Troubled Waters."

"In general, those policies dont amount to much more than a 10-page legal document, [which states that] theyre going to take your information and sell it when its in their best interest," says Andy Davis, communications director for Senate Commerce Committee chairman Fritz Hollings (D-SC).

Although some speak with hope in their hearts about the prospects for P3P (Platform for Privacy Preferences Project), which enables a P3P-aware browser to read a supporting Web site's privacy practices and match them against a user's stated privacy preferences, there is considerable suspicion that its impact will be minimal. "It doesn't really do too much, it just allows consumers to put in preferences and doesn't really require anything" as far as corporate compliance is concerned, says Hallawell.

Many worry that P3P will prove as impotent as end-user cookie management. "Cookie blockers haven't worked because some sites say if you're not going to play with us, we're not going to play with you," she says, effectively denying service in part or in whole if a myriad of cookies are not accepted and retained on a user's computer.

Even The Privacy Foundation's Smith concedes that cookies are far too convenient and prevalent in Web design to eliminate entirely, which—not coincidentally—is why privacy advocates typically scoff at suggestions to exercise their right to shut off the feature.

Legislative Action, Present and Future

To gauge the true extent of public interest and concern over privacy, everyone with a stake in the matter is watching the impact of the Gramm-Leach-Bliley Act, which governs new professional and data practices in the financial services industry. Among other things, the law requires a more concise and consistently presented outline of a firm's data practices, including a clearly labeled opt-out procedure.

No one knows yet whether the flurry of privacy policy alerts financial institutions were required to send out by July 1 has soothed or stoked broader consumer concern. If there is any backlash brewing, however, it's slow in coming, and Hallawell comments that early reports put opt-out rates stemming from the mandatory announcements below 1 percent.

But consumer privacy guerrillas are already earning their stripes on the margins. Noonan admits to keeping a stripped-down laptop on hand exclusively for e-commerce purchases, so that his transactions and interests can't (easily) be connected to any of his other Internet activity or installed software.

Even outside the domain of consumer advocates, suspicion is starting to build that optional industry regulation may fail to materialize.

Noting that roughly half of those organizations it surveyed had no plans for the future to sign on for a privacy seal or privacy consortium membership, Zona reasons that "it is highly unlikely that organizations will actually implement transparent policies and practices on any significant scale." If spending on privacy protection indeed means the higher costs and lower profits marketers bemoan, voluntary participation could be foolish indeed.

Some feel that good privacy can be good business, not just profit-harming lip service. "There are two questions: there's the risk of an enforcement action or a PR nightmare, and there's also long-term sustainability," says Jason Catlett, president of privacy consultancy Junkbusters Corp. of Green Brook, N.J., who suggests a pragmatic look at public sentiment. "If your business model is predicated on practices that are deplored by the public, it's not likely to survive."

A full legislative answer is not likely to arrive soon. FTC chairman Timothy Muris recently dismissed calls for new consumer privacy laws, and the commission's formal privacy agenda now calls for tighter enforcement of existing law, such as Gramm-Leach-Bliley. The FTC also intends to use its powers to ensure actual privacy practice matches stated policy under both normal operating conditions and liquidation or merger transactions.

Research firms including Forrester and Gartner now peg the likely introduction of any significant, new privacy legislation in the 2004-2005 timeframe.

Choose Up Sides

That being said, there are indeed companies making a serious investment in boosting the precision, accuracy, and potentially the respectful relevance with which they collect, track, and share customer data. According to Zona Research, it is not uncommon to find companies with billion-dollar revenues slating $25 million per year for their privacy infrastructure in the immediate future.

"The money is in companies that review web site policies on privacy and set up a [privacy] policy for them," says Yankees Noonan. With Gramm-Leach-Bliley in full swing and HIPAA coming into effect before the end of next year, expect those opportunities to grow.

Without additional legislative imperatives, however, building a more efficient marketing database is still likely to draw a bigger crowd than a remarkable privacy solution. Catlett compares the privacy protection niche to the environmental protection business.

"Certainly, there are companies that provide products and services to protect the environment, but theres much more money to make damaging the environment, and companies, if allowed to, will make the decision to do so," he muses.

Despite the resistance from companies worried that an entire way of doing business could be coming to an end, pundits still hope that the taste of the medicine will be the only sting.

"In my mind, one of the most ironic implications of privacy legislation could be forcing companies to really put some money and resources into thinking about what their marketing really is," says John McCarthy, group director of research for Forrester Research.

If most forms of data collection and ensuing contact must be explicitly approved by a customer, "you've got to have a good value proposition if you expect customers to opt-in that could bring a level of discipline that would help organizations around the world," McCarthy says. He advises companies to audit their privacy procedures now, rather than face a court order or major crisis.

Carelessness and red tape may be the biggest threat. "With all the mergers and acquisitions, the real issue is that there is somebody who doesn't know [about a data-sharing arrangement,]" he says. "The deal was done years ago, two acquisitions ago, and there is some auto-renewal clause of third-party sharing that nobody knows about."

Smith is surprised firms are waiting for legislation to tell them to put their data practices in order. "If you look online, [advertising networks] collectively have lost half a billion dollars, so at least in the online world, the more we collect on people the more we can sell is proving wrong," he says.

In data sharing relationships, watch for the other shoe to drop. So far most of the attention has been focused on preventing companies from selling or sharing information collected. Cutting off demand, by creating situations where a consumer can force a company to stop soliciting information about them from other sources, could be the next target. If the hue and cry so far has been deafening, wait until that question is raised. "You'd put direct marketing out of business" if such a rule came to pass, says Noonan—not that he finds that a likely outcome, as he pegs the industry's political clout a notch below the Teamsters.

If, by chance, consumers win most of their victories, the next battleground will be over how consumers' rights change during working hours. The Privacy Foundation estimates that 14 million souls are under some surveillance on the job. Tracking an employee's online behavior costs under $10 per year, so as a pragmatic investment against internal espionage or otherwise illicit communication, it seems a small price to pay as a hedge against wrongdoing, but the ensuing databases and profiles will inevitably come under fire as highly sensitive information.

With no end to the debate in sight, be prepared to integrate privacy challenges into business as usual, rather than taking a reactive stance to the legislative proposal of the week. "Those focused on compliance are missing the financial benefits" of finding ways to make privacy part of a customer value proposition, says Eddie Schwartz, senior VP of operations for Waltham, MA-based security consultancy Guardent. "There's no competition in complying better than someone else."