ONLINE PRIVACY AND THE INTERNET MARKETPLACE

Introduction

In recent years two facts have become increasingly clear. One, online transactions are growing rapidly as the Internet becomes the new marketplace for the consumer and two, consumers are becoming wary of participating because of privacy concerns. A number of studies have shown that privacy is one of the top concerns of Internet users. The industry acknowledges that in order to translate "browsing into buying" the privacy issue will need to be addressed in a comprehensive fashion. The government, too, has become fully immersed in this debate. In fact, observers predict that 2001 is likely to see some pending privacy bills being passed into law. The question, of course, is how this issue will be addressed in a credible and comprehensive way without eroding the commercial benefits of the Internet and the privacy rights of consumers. In other words, can the Internet afford to be "democratic" and still rise to its full commercial potential?

This paper discusses some key issues in the "privacy world". What are the concerns of consumers and how are they being met? Can the trend to gather personalized data for targeted marketing accommodate privacy concerns? What are the different positions adopted by the government, industry and independent observers? What is the best way to enforce privacy - self-regulation or legislation? While the paper will attempt to address these questions, it is beyond the scope of this paper to provide specific solutions to the complicated issue of online privacy. The ultimate aim of this paper is to provide an overview of some of the issues mentioned above and to acknowledge that privacy concerns need to be addressed effectively in the near future.

Personalization and Privacy

Inadequate privacy policies and impact on consumer confidence

A number of polls and studies have shown that privacy concerns have become widespread among consumers.
Last year, Forrester Research surveyed 100,000 online consumers and found that 67 percent were "very" or "extremely" concerned about online privacy. More specifically, consumers are concerned about the use of personal information that Web sites collect online. In 1998, the Federal Trade Commission (FTC) articulated four basic principles to guide a Web site's privacy policies:
For example, the annual "Surfer Beware" report from the Electronic Privacy Information Center (EPIC), pointed out that from the 100 sites they surveyed, 18 did not display any type of privacy policy, while 35 had profile-based advertisers such as Doubleclick operating on their sites. The report also pointed out that of 100 sites surveyed by EPIC, 24 had "opt in or opt out" data collection procedures in place, but that information about policies was "deeply buried" within the site or worded in a way that was confusing to the user. Similar research by IDC points out that many Web sites do not inform their customers of the role played by third party ad-serving companies. For instance, companies such as Flycast provide advertisements onto a network of Web sites, automatically downloading cookies on the computers of users of those sites. "Cookies" technology enables Web sites to collect information about online activities and store it for future use. The IDC report also states that in the sample of 56 most heavily trafficked Web sites, 96 percent acknowledged that they used cookies but only 32 percent tell users what cookies do; and 83 percent use third-party ad-serving companies but only 26 percent disclose the use of these companies. These numbers hardly suggest that adequate "notice" is given to the customer. Most firms surveyed did provide "access" to this personal information. However, while collecting more detailed clickstream data and purchase histories, they did give customers the ability to turn off such features at the site level. Privacy-conscious visitors must then either turn off cookies manually on their Web site browser or use anonymous Web-browsing services. It is quite clear what the above research findings indicate. While concern amongst users regarding privacy policies has grown, a large number of Web sites are either not adhering to the four basic guidelines outlined by the FTC, or are providing inconsistent and incomplete privacy policies. 
The next logical question is whether or not these privacy "concerns" actually impact user/consumer behavior and whether this concern translates into less buying online. Here again there is research that indicates that privacy concerns do influence behavior.

A "Business Case" for more effective privacy policies

Prior to the holiday season last year, Forrester Research collaborated with Vividence, a provider of Web-experience evaluations, to conduct a special evaluation sampling 400 buyers from the Vividence Tester Community to evaluate their attitudes towards privacy and assess the privacy policy of various toy sites. The study concluded that 41 per cent of Web buyers in the sample usually read policies of sites that they visit for the first time. The more satisfied they were with the site's policy, the more likely they were to shop at the site. 41 per cent also said "enough is enough" about a site they had a relationship with and contacted the site to be removed from their database, indicating that if dissatisfied they would not return to that site.

Similarly, the IDC survey noted that 44 percent of those who know about services such as TRUSTe and BBB Online spent more than $500 on the Internet during the last six months prior to the survey. Only 33% of those unfamiliar with those organizations had spent as much. Clearly, big online spenders notice and pay attention to the privacy seal. The survey also showed that privacy concerns have been significant enough that two out of three online buyers chose not to make a purchase from an Internet store more than once in the last six months.

The evidence cited above makes two things clear. One, consumers care a great deal about their privacy and two, consumers will shop more often if they are assured that their personal information is not misused.
More interestingly, if the Web site is taking extra measures to protect information and conveys that effectively through a concrete privacy policy, consumers are likely to spend more on the site. So, apart from concerns about consumer protection, there is a strong business case for protecting consumer privacy.

Technology is offering new ways to collect and analyze highly personal information for commercial use, but it is also making the issue of privacy more complicated. For instance, click-and-mortar companies are now buying powerful business intelligence software that promises to give them detailed customer profiles analyzed from large personal and transactional databases. Some of this analysis is outsourced to Application Service Providers (ASPs), raising further questions about potential misuse of data from different parties.

IDC estimates that the market for online retailing in the United States this year is approximately $60 billion in 2001. If retailers want to get a share of this market they will have to address the concerns of both veteran as well as new customers because a weak privacy policy may have huge opportunity costs in the competitive world of online retail. In addition, any online business that wants to capture the European markets will have to adhere to more stringent European standards.

Privacy and Personalization - Can the two be reconciled?

The trends mentioned above also raise the following question: Can privacy policies, achieved by self-regulation or legislation, keep up with this technology and, more importantly, who "owns" this "personal" information once it has been divulged by the user "voluntarily"? So far there have been no easy answers because, while the industry views data collected as a part of the public domain, advocates view this data as intellectual property of the users that must be protected.
These divergent views are consequently presented as the "privacy versus personalization" dichotomy when in fact they should be perceived, as IDC analyst Jonathan Gaw puts it, as "flip sides of the same coin." He points out that the appropriate way to view these seemingly contradictory and opposing priorities, of online retailers on the one hand and consumers on the other, is as follows: "Building privacy protection capabilities in advance while the personalization tools are being implemented will give online retailers flexibility in dealing with potential regulations, instead of having to scramble to retrofit their operations. In the era when online retailers struggle for the slightest competitive advantage, a comprehensive suite of privacy protection tools is also a relatively benign and painless way to generate confidence and loyalty."

In other words, companies need to understand that they can market their "privacy sensitivity" to the consumers and improve customer satisfaction, which leads to retention and loyalty in the long run. Mechanisms to protect consumer privacy must be given as much attention as developing technologies that can collect information.

For example, XNS, introduced by OneName Corp, is a technological solution for this problem. XNS is an open source platform that acts as an online e-wallet and business card that dynamically updates information even after it has been passed on by the user. However, the most interesting benefits of XNS are its privacy features. XNS promises consumers a spam-free Internet experience and the ability to dictate the terms under which an online firm may use their information. So when a message from an unknown sender arrives and if the user's email provider uses the XNS system, the filter replies with a privacy contract specified by the recipient. Only if the sender agrees to the contract is the message forwarded to the recipient.
XNS is a technological solution that both offers online firms a way to keep track of their customers' contact information and at the same time puts consumers in control of their information. Such innovative technological solutions are a welcome trend and must be encouraged.

Self-Regulation vs. Legislation - Is there a third way?

The previous section discussed why it is important, even from a business perspective, for the online industry to protect consumer privacy. It is imperative that the goals of personalization and privacy be accommodated by the industry in a balanced and credible way. This is where the questions of efficiency, efficacy and implementation of privacy policies come to the forefront. For the last two to three years, the principles of enforcement and accountability, two critical elements of any successful policy, have been subsumed by yet another dichotomous debate, this time titled "self regulation versus legislation."

Self-regulation - a preferred way to address privacy concerns?

While the FTC has continually argued that self-regulation is the "most efficient and least intrusive" way to solve this issue, privacy advocacy groups and other consumer groups have called for concrete rules and regulations. It is interesting that industry itself has sent conflicting signals. While endorsing self-regulation as the preferred means to address the concerns, they have been wary of overtly opposing federal legislation. Some argue that the reason for this is to avoid several different state laws that might try to regulate them.

This section discusses these different views and argues that, similar to the personalization vs. privacy characterization, this debate is also a false dichotomy. Just as privacy tools do not hinder personalization functions, pragmatic legislation may not necessarily be at odds with self-regulation.

The Federal Trade Commission (FTC) has issued several reports on online privacy.
The reports issued in 1998, 1999 and 2000 have one common theme: the FTC is of the view that self-regulation should be the preferred way to address this issue. However, if one follows the specifics of the reports, it becomes increasingly clear that each year the FTC has added new rules while falling short of comprehensive legislation. The backdrop to these reports has been an increasing amount of media attention given to alleged misuse of personal data in the last three years.

In 1998, the Commission issued Privacy Online: A Report to Congress, an examination of the information practices of commercial sites on the World Wide Web and of industry's efforts to implement self-regulatory programs to protect consumers' online privacy. The report concluded that effective self-regulatory programs had not yet taken hold, but that there were indications that the industry was committed to this agenda. As a result, in July 1998 the Commission "deferred judgment on the need for legislation to protect the online privacy of consumers and instead urged the industry to focus on the development of broad-based and effective self regulatory programs." In the particular area of children's online privacy, however, the FTC recommended that Congress adopt legislation placing parents in control of the online collection and use of personal information. Four months after the 1998 report was issued, Congress enacted the Children's Online Privacy Protection Act of 1998.

In 1999, the FTC issued a new report, Self-Regulation and Online Privacy. The report assessed the progress made since June 1998 in self-regulation to protect online privacy. The results were contradictory in the sense that although businesses were providing significantly more notice of their practices than they were in 1998, widespread adoption amongst the industry was still far from complete. As the FTC chairman stated, "Despite laudable efforts significant challenges remain."
Specifically, the research indicated that although the vast majority of sites in the Georgetown Internet Privacy Policy Survey (GIPPS) and the Online Privacy Alliance Survey (OPA) collected personal information from consumers, only 10% of the sites in GIPPS and 22% in OPA were implementing all four fair information practices of Notice/Awareness, Choice/Consent, Access/Participation and Security/Integrity. Furthermore, while the FTC acknowledged the emergence of the online privacy seal programs such as TRUSTe and BBBOnLine, it pointed out that only a small minority of commercial Web sites had joined these programs. The report also pointed out that although the surveys showed that many online companies now understood the "business case" for protecting consumer privacy, they showed that the implementation of the fair information practices was not widespread among commercial Web sites.

In spite of the above record of self-regulation, the FTC still concluded that legislation to address online privacy was premature. Instead it once again endorsed self-regulation by encouraging the industry to educate its members to adopt these information practices.

Can Legislation fill the gap?

In 2000 there were a number of instances that caused tremendous media fire around the privacy issue. Even President Clinton called for stronger privacy protection for consumers. The biggest event was in January when DoubleClick announced that it was going to merge its online information with the offline information of Abacus, a company it had bought in 1999. The company faced criticism from all privacy advocates and consumer groups and in March pulled back from combining consumer surfing-pattern data with offline purchase data but called for government to clarify online data rules.

In May 2000, after conducting a host of new surveys, the FTC published its third report to Congress: Privacy Online: Fair Information Practices In the Electronic Marketplace.
The Commission's 2000 survey went beyond the mere counting of disclosures. This time they analyzed the nature and substance of these privacy disclosures in light of the fair information practices. Two groups of sites were studied: (a) a random sample of 335 Web sites and (b) 91 of the 100 busiest sites. The survey found that only 20% of the Web sites in the random sample that collect personal identifying information implement, at least in part, all the four principles. The 2000 Survey also examined the extent to which industry's self-regulatory enforcement, in the form of online privacy seal programs, has been adopted. Here, the survey found that less than one-tenth, or 8%, of the sites in the random sample display a privacy seal. Moreover, less than one half, or 45%, of the busiest sites selected displayed a seal.

Based on the above the FTC concluded, for the first time, that self-regulatory programs fell far short of the desired and recommended that Congress enact legislation that would ensure adequate protection of consumer privacy online. Robert Pitofsky, Chairman of the Trade Commission, stated the following before the Senate:

"Because self-regulatory initiatives to date fall short of the broad-based implementation of effective self-regulatory programs, a majority of the Commission has concluded that such efforts alone cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leaders. While there will continue to be a major role for industry self-regulation in the future, a majority of the Commission recommends that Congress enact legislation that, in conjunction with the continuing self-regulatory programs, will ensure adequate protection of consumer privacy online."

It became quite clear after this report that the Internet marketplace would not remain a completely unregulated domain and that legislation would follow in the near future.
In July the Federal Trade Commission voted 4-1 to endorse a self-regulatory plan submitted by the Network Advertising Initiative (NAI), a consortium of major Internet advertising companies. The plan would require advertising companies to notify customers of their Internet profiling activities and give customers a chance to choose whether their profiles could be stored and used by customers.

This move by the FTC got varied reactions from the different constituencies. The industry welcomed this agreement. Several members of Congress applauded the NAI-developed principles. The advocates, however, objected and argued that this agreement failed to adequately address the issue. The following quote by Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), expresses this sentiment clearly: "The FTC agreement seems to say check a box and profile away and leave the industry alone."

Privacy advocates have been critical of the FTC all along. According to them, the FTC's approach to this issue has been reactive rather than proactive. They argue that every time there is a well-publicized privacy debacle, such as when Toysmart.com announced its intention to sell the personal information in its database, the FTC steps in.

The industry's record has not been clear-cut. Although industry leaders have developed self-regulatory programs like TRUSTe and BBBOnline, there has not been widespread adoption of these seals. This is where the question of enforcement and redress comes into the picture. Neither the FTC nor the industry has been able to design an effective mechanism for redress if businesses fail to comply with either the four FTC principles or the self-regulatory plans. Limited enforcement by industry-backed seal programs has not been able to gain credibility since they have never taken significant action against their members.
Finally, privacy advocates have suggested several creative means to address this issue and also endorsed some privacy protection technology; however, they acknowledge that without a receptive industry environment voluntary adoption of their agenda is unlikely.

So where do we go from here? First, it is important for all constituencies - industry, government and advocates - to acknowledge that the self-regulation versus legislation dichotomy no longer defines the privacy issue and that the real point of contention is enforcement. Second, it must be acknowledged that although the aim should be to adopt enforceable standards, self-regulatory and/or legislative, the "open" nature of the Internet marketplace limits the effectiveness of such standards. Third, the fundamental nature of the Internet forces different parties with different motives to acknowledge that only a combination of innovative self-regulatory programs, regulations and technology itself will be able to address this issue speedily and effectively. Once the above factors are taken as given, the debate on this issue may move to a level where the focus is on developing and enforcing effective standards and not defining the issues in a way that suits a particular group's agenda.

Conclusion

At the outset, this paper raised the following questions: What are the concerns of consumers and how are they being met? Can the trend to gather personalized data for targeted marketing accommodate privacy concerns? What are the different positions adopted by the government, industry and independent observers? What is the best way to enforce privacy - self-regulation or legislation? The first two sections of the paper have attempted to address these, and the following conclusions can be drawn from the analysis. The concerns of consumers are growing rapidly. There is an expectation of fairness and control over personal information.
The trend to gather personalized data is also growing because there is high value for marketers to have detailed customer profiles. There is both a business and a social case to reconcile these trends and an effective privacy policy is the prerequisite if this challenge is to be met. Finally, although the privacy issue is fragile and various interest groups are all pushing towards adoption of technologies and standards, in the long run, solutions that take into account the fast-changing, technology-driven, horizontal, and open nature of this new marketplace will be most effective.

An Elytics White Paper

Sources

Federal Trade Commission. Privacy Online: A Report to Congress, June 1998.

Federal Trade Commission. Privacy Self-Regulation and Online Privacy: A Report to Congress, July 1999.

Federal Trade Commission. Privacy Online: Fair Information Practices In the Electronic Marketplace, May 2000.

Electronic Privacy Information Center. Surfer Beware: Personal Privacy and the Internet, June 1997.

Dempsey, James, "Communications Privacy in the Digital Age: Revitalizing the Federal Wiretap Laws to Enhance Privacy." Albany Journal of Science & Technology, Volume 8, Number 1, 1997.

O'Neil, Michael, and Dempsey, James, "Critical Infrastructure Protection: Threats to Privacy and other Civil Liberties and Concerns with Government Mandates on Industry." Depaul Business Law Journal, Volume 12, p. 97 (1999/2000).

Georgetown Internet Privacy Policy Survey.

Forrester Brief: Web Buyers Speak Out About Privacy Policies, September 13, 2000.

Forrester Brief: Enonymous Takes on Consumer Privacy, October 5, 1999.

Forrester Brief: Self-regulation Goes "Poof", March 16, 2000.

Gaw, Jonathan, "Online Personalization in an Era of Privacy Enforcement." IDC Bulletin, Document #23249, October 2000.

Gaw, Jonathan, "Insider: With the Benefits of Personalization Come the Burdens of Privacy Protection." IDC Flash, Document #23434, May 2000.

Gaw, Jonathan, "Insider: Consumer Privacy Tools are Growing Up." IDC Flash, Document #23172, September 2000.

Greenberg, Paul, "FTC Intensifies Online Privacy Scrutiny." E-Commerce Times, March 6, 2000.

"Regulators endorse self-regulation in online privacy." CNN.com.technology. URL: cnn.com/2000/TECH/computing/07/27/internet.privacy.ap

Contact Elytics Inc, www.elytics.com, 120 Beacon Street, Somerville, MA 02143, 617-492-7760, fax: 617-492-6220, info@elytics.com.