Get a handle
on the privacy wild card
February 28, 2000
BY MICHAEL KRAUSS
and Time Warner merge. One long-term benefit is the power generated
by Web access combined with detailed information about millions
of customers. But there's a wild card risk as well: Fears about
individual privacy might preclude the merged companies from optimizing
those merged assets.
a hot topic, though not, as yet, a major show-stopper today. Going
forward, however, concerns about individual privacy and customer
information misuse could seriously impede interactive marketing's
progress. Marketers need to pay attention and follow the rules,
keep an eye on their customers' sensitivities and use good judgment.
The good news is that, thanks to some ground breaking cases, interactive
marketers appear to be self-regulating effectively and have retained
the confidence of government regulatory and privacy advocate groups.
The bad news
is things could turn around pretty fast, and with some significant-and
first Internet privacy enforcement act the Federal Trade commission
undertook several years ago involving the GeoCities community
site (since mergerged with Yahoo!. It was a learning experience
on all sides.
FTC was investigating a number of different Internet organizations
at the time. They were trying to figure out the Internet,"
recalls Internet legal expert Bart Lazar, partner at Chicago-based
law firm Seyfarth, Shaw, Fairweather & Geraldson, which represented
GeoCities in the matter. GeoCities was one of the first community
sites on the Web, Lazar points out, and one of the online community
sites it fostered was geared toward children.
FTC was concerned that GeoCities might allow children to become
members of GeoCities communities and post personal information
without parental involvement," Lazar say. For its part, GeoCities
also was anxious to find out where the Internet privacy boundaries
The FTC did
take issue with a transfer of some children's personal information
to a direct-marketing company partly owned by GeoCities; the question
was whether it was considered an internal information transfer
or whether GeoCities was sharing children's information with a
third-party marketer-something GeoCities had pledged to parents
it would not do.
As part of
the research for the case, Lazar examined the privacy policies
of several other Web organizations-including government agencies
and associations with children's sections-and determined that
GeoCities policies were not unusual at the time. But rather than
litigate, GeoCities signed a consent order in June 1998, something
the FTC did not make public right away.
agency did announce the consent order that summer-in August, two
day after GeoCities' IPO.
stock dropped approximately a third just after the IPO" because
of the FTC's announcement, Lazar adds.
consequence, indeed. So what may be some of the surprise privacy
issues affecting the AOL-Time Warner deal?
Part of the
Web's power is that it enables us to market to segments of one.
For example, the folks at CDNow can "watch" as I order
CDs by The Police, Rolling Stones and Led Zeppelin and send me
an e-mail or instant message offering a special price on a Pearl
Jam anthology. While some might see this as a thoughtful convenience
and service, others might consider it intrusive.
is the Web's ability to carry a message to a larger target market
than was ever before possible. In the past, marketers segmented
their audiences based on factors such as demographics, psychographics
and needs. With the advent of retail grocery scanner data in the
1980s, we marketers gained our first real access to behavioral
data telling us who was buying our products, using complex statistical
algorithms to identify the profiles of our best targets.
We now can
merge data gleaned from online transactions with information about
personal preferences, combine that with demographic information
and top it off with "clickstream" data (literally what
buyers click on and where when on-line) to gain a powerful individual-buyer
profile. If I have scale-a lot of individual buyers' profiles
across a network-as AOL, Yahoo! and Amazon do, I have a powerful,
enormously valuable asset.
perceived or real faux pas in the use of that data-a decision
that upsets customers, government regulators or privacy watchdog
groups-could transform that asset into a pile of useless computer
records almost overnight.
business argument for having a well-defined and sophisticated
privacy program and a privacy czar or compliance executive.
A strong privacy
effort should include five basic elements:
State privacy practices prominently and clearly on the site
in terms customers can understand. Make sure consumers know
you are collecting and using information before they give it
Make sure customers actively consent to sharing information:
Use "I accept" or "I decline" buttons that
give buyers control. And remember, the FTC says only individuals
over the age of 13 can give their consent; for young children,
you need verifiable parental consent before you collect information.
After collecting data, you should give the customer constant
and complete access to the information you have on them. Keep
your doors open to the consumer, even after the first point
of information collection.
Keep customer information out of unauthorized individuals' hands.
Have passwords and other security systems for collecting and
transmitting information and warehousing data. Make sure only
authorized individuals can access the customer-information database.
The teeth of your privacy system. Have clear policies; state
them as part of your employee handbook; put them online and
take meaningful action if someone violates security practices.
If violations occur, treat them as you would other confidentiality
breaches, which may mean termination or even reporting the violation
to government authorities. (Consult your corporate counsel in
The last is, I think, the most important pillar of a privacy program.
to Robert Allan, the privacy-compliance executive at NetZero (and
previously the privacy-compliance executive at GeoCities), "My
role is to look at all the things that are currently operating
and at any new products that we're developing or new technology
we're considering, and make sure what we're actually doing internally
matches up with what our privacy statement promises."
marketer and company doing business on the Web should have a privacy
compliance executive reporting right to the CEO. It's the best
way to make sure the public is well-served and the company's information
assets are well-protected.
I hope Steve
Case at AOL Time Warner has a good privacy czsar. If not, he better
call Bart Lazar or Robert Allan.
is a partner with Diamond Technology Partners in Chicago.
He can be reached at firstname.lastname@example.org.