Get a handle on the privacy wild card

February 28, 2000


AOL and Time Warner merge. One long-term benefit is the power generated by Web access combined with detailed information about millions of customers. But there's a wild card risk as well: Fears about individual privacy might preclude the merged companies from optimizing those merged assets.

Privacy is a hot topic, though not, as yet, a major show-stopper today. Going forward, however, concerns about individual privacy and customer information misuse could seriously impede interactive marketing's progress. Marketers need to pay attention and follow the rules, keep an eye on their customers' sensitivities and use good judgment. The good news is that, thanks to some ground breaking cases, interactive marketers appear to be self-regulating effectively and have retained the confidence of government regulatory and privacy advocate groups.

The bad news is things could turn around pretty fast, and with some significant-and sometimes unforeseeable-consequences.

Consider the first Internet privacy enforcement act the Federal Trade commission undertook several years ago involving the GeoCities community site (since mergerged with Yahoo!. It was a learning experience on all sides.

"The FTC was investigating a number of different Internet organizations at the time. They were trying to figure out the Internet," recalls Internet legal expert Bart Lazar, partner at Chicago-based law firm Seyfarth, Shaw, Fairweather & Geraldson, which represented GeoCities in the matter. GeoCities was one of the first community sites on the Web, Lazar points out, and one of the online community sites it fostered was geared toward children.

"The FTC was concerned that GeoCities might allow children to become members of GeoCities communities and post personal information without parental involvement," Lazar say. For its part, GeoCities also was anxious to find out where the Internet privacy boundaries were.

The FTC did take issue with a transfer of some children's personal information to a direct-marketing company partly owned by GeoCities; the question was whether it was considered an internal information transfer or whether GeoCities was sharing children's information with a third-party marketer-something GeoCities had pledged to parents it would not do.

As part of the research for the case, Lazar examined the privacy policies of several other Web organizations-including government agencies and associations with children's sections-and determined that GeoCities policies were not unusual at the time. But rather than litigate, GeoCities signed a consent order in June 1998, something the FTC did not make public right away.

The federal agency did announce the consent order that summer-in August, two day after GeoCities' IPO.

"GeoCities stock dropped approximately a third just after the IPO" because of the FTC's announcement, Lazar adds.

An unintended consequence, indeed. So what may be some of the surprise privacy issues affecting the AOL-Time Warner deal?

Part of the Web's power is that it enables us to market to segments of one. For example, the folks at CDNow can "watch" as I order CDs by The Police, Rolling Stones and Led Zeppelin and send me an e-mail or instant message offering a special price on a Pearl Jam anthology. While some might see this as a thoughtful convenience and service, others might consider it intrusive.

And there is the Web's ability to carry a message to a larger target market than was ever before possible. In the past, marketers segmented their audiences based on factors such as demographics, psychographics and needs. With the advent of retail grocery scanner data in the 1980s, we marketers gained our first real access to behavioral data telling us who was buying our products, using complex statistical algorithms to identify the profiles of our best targets.

We now can merge data gleaned from online transactions with information about personal preferences, combine that with demographic information and top it off with "clickstream" data (literally what buyers click on and where when on-line) to gain a powerful individual-buyer profile. If I have scale-a lot of individual buyers' profiles across a network-as AOL, Yahoo! and Amazon do, I have a powerful, enormously valuable asset.

However, a perceived or real faux pas in the use of that data-a decision that upsets customers, government regulators or privacy watchdog groups-could transform that asset into a pile of useless computer records almost overnight.

That's the business argument for having a well-defined and sophisticated privacy program and a privacy czar or compliance executive.

A strong privacy effort should include five basic elements:

  • Notice: State privacy practices prominently and clearly on the site in terms customers can understand. Make sure consumers know you are collecting and using information before they give it to you.
  • Consent: Make sure customers actively consent to sharing information: Use "I accept" or "I decline" buttons that give buyers control. And remember, the FTC says only individuals over the age of 13 can give their consent; for young children, you need verifiable parental consent before you collect information.
  • Access: After collecting data, you should give the customer constant and complete access to the information you have on them. Keep your doors open to the consumer, even after the first point of information collection.
  • Security: Keep customer information out of unauthorized individuals' hands. Have passwords and other security systems for collecting and transmitting information and warehousing data. Make sure only authorized individuals can access the customer-information database.
  • Enforcement: The teeth of your privacy system. Have clear policies; state them as part of your employee handbook; put them online and take meaningful action if someone violates security practices. If violations occur, treat them as you would other confidentiality breaches, which may mean termination or even reporting the violation to government authorities. (Consult your corporate counsel in these matters.)

The last is, I think, the most important pillar of a privacy program.

According to Robert Allan, the privacy-compliance executive at NetZero (and previously the privacy-compliance executive at GeoCities), "My role is to look at all the things that are currently operating and at any new products that we're developing or new technology we're considering, and make sure what we're actually doing internally matches up with what our privacy statement promises."

Every Web marketer and company doing business on the Web should have a privacy compliance executive reporting right to the CEO. It's the best way to make sure the public is well-served and the company's information assets are well-protected.

I hope Steve Case at AOL Time Warner has a good privacy czsar. If not, he better call Bart Lazar or Robert Allan.

Michael Krauss is a partner with Diamond Technology Partners in Chicago.
He can be reached at








 ©2004 Marion Consulting Partners