The Privacy Police Strikes

Right now, in the US, two of the most pop­u­lar TV shows are Sur­vivor and Big Brother, Euro­pean imports where peo­ple are will­ingly liv­ing under the watch­ful eyes of TV cam­eras. Think of it as a real-life ver­sion of The Tru­man Show, where TV watch­ers gather to watch some peo­ple like them deal with life. The shows have already swept through Europe, leav­ing out­rage and protest in much of those coun­tries. How­ever, in the US, few groups have protested the shows, most prob­a­bly because the inva­sion of pri­vacy is con­sid­ered less fla­grant in this coun­try than it is in Europe.

At the same time, the World Wide Web Con­sor­tium has intro­duced the P3P, a new stan­dard to facil­i­tate the dis­tri­b­u­tion of a web site’s pri­vacy policy.

Imple­ment­ing P3P, users could choose to visit only Web sites that promise not to track their move­ments or to col­lect per­sonal infor­ma­tion. Or they could decide to go to Web sites that col­lect per­sonal infor­ma­tion, like their name and address, but only if that com­pany promises not to share that infor­ma­tion with any­one else. The browser will take care of noti­fy­ing them of each site’s pol­icy and let them decide whether they want to opt in or out. With Microsoft and Netscape being involved in those efforts, expect the next iter­a­tion of web browsers to be P3P-compliant.

The CDT has endorsed P3P as a step in the right direc­tion. While it stops short of say­ing that it is the be all end all of pri­vacy, the CDT praised P3P as an “impor­tant oppor­tu­nity to make progress in build­ing greater pri­vacy pro­tec­tions in the Web expe­ri­ence of the aver­age user.”

The CDT warns, how­ever, that P3P will not insure that com­pa­nies fol­low pri­vacy pol­icy nor will it ensure data safety in coun­tries where no data pri­vacy law has been enabled. More crit­ics have said that P3P was not the appro­pri­ate answer because it cre­ated a default where com­pa­nies could grab any data and users had to opt out of that gath­er­ing. This, to cer­tain con­sumer pri­vacy advo­cates, is bad because they believe that most peo­ple will not bother with opt­ing out (stud­ies on opt­ing out of any kind of data gath­er­ing have shown few peo­ple polled both­ered to do so, thus giv­ing more con­trol to cor­po­ra­tions). In other words, while con­cerns around the issue are high, most peo­ple don’t want to have to deal with it and calls for increased pro­tec­tion are start­ing to pop up on Main Street as well as in congress.

The Fed­eral Trade Com­mis­sion, which up until recently had a laissez-faire atti­tude towards such data gath­er­ing has now rec­om­mended that Con­gress enact leg­is­la­tion to ensure a min­i­mum level of pri­vacy pro­tec­tion for online con­sumers, estab­lish­ing basic stan­dards of prac­tice for the col­lec­tion of infor­ma­tion online. The rec­om­men­da­tion includes four basic areas of protection:

• Notice: Web sites would be required to post a pri­vacy notice telling con­sumers what data they gather, how they col­lect it, how they plan to use it and who has access to it.
• Choice: users should have the right to decide how their infor­ma­tion would be used beyond a transaction.
• Access: Web sites would be forced to give con­sumer a chance to access the infor­ma­tion that has been gath­ered about them and make mod­i­fi­ca­tions includ­ing dele­tions and corrections.
• Secu­rity: Web sites would be required to take steps to pro­tect the pri­vacy of users in order to ensure that data would not leak out unknow­ingly to other sources.

These sug­ges­tions mir­ror the 1998 Euro­pean Direc­tive on Data Pro­tec­tion, which was enacted to con­trol the use of per­sonal infor­ma­tion gath­ered on Euro­pean cit­i­zens. It has already been put into law by eight of the fif­teen Euro­pean Union coun­tries. Orig­i­nally, the Euro­pean direc­tive does not allow Amer­i­can com­pa­nies to gather any data on Euro­pean con­sumers because there is a lack of pro­tec­tion for per­sonal data in the United States. How­ever, dis­cus­sions between the Euro­pean Union and the US depart­ment of com­merce are cur­rently under way to allow Amer­i­can com­pa­nies some pro­tec­tion. Pas­sage of the FTC rec­om­men­da­tion into law would insure com­pli­ance and align­ment between Euro­pean law and Amer­i­can law, which would facil­i­tate global e-commerce.

How­ever, there are a num­ber of issues to look at. The FTC sug­ges­tions came as the result of a recent study the com­mis­sion did, which showed that only 20% of the sites they sur­veyed did not fail in at least one of those four areas.

I would rec­om­mend to the read­ers of this newslet­ter that they exam­ine their own inter­nal pol­icy on data gath­er­ing in order to com­ply with such rule. I may not be a rabid con­sumer data pri­vacy advo­cate but I believe that these rules make sense for sev­eral rea­sons. Our busi­ness, as Inter­net builders and man­agers, is to ensure the high­est level of cus­tomer ser­vices on our web site. Data pro­tec­tion is a new area of cus­tomer ser­vice that we need to con­cern our­selves with (the FTC is a polit­i­cal orga­ni­za­tion and I’m sure that they have some inter­nal poll­ster telling them that con­sumers want to see their data pro­tected). Web sites who pio­neer data pro­tec­tion and develop strong rules inter­nally will ben­e­fit greatly as con­sumers will feel more com­fort­able in their deal­ings with them. Beyond that, data pro­tec­tion is one of the fun­da­men­tal pil­lars on which expan­sion into for­eign mar­kets lies. When I was work­ing at Boo.com, one of the things that we worked on dili­gently was com­pli­ance with the many Euro­pean data laws. As a result, we ended up fol­low­ing the Euro­pean Direc­tive on data gath­er­ing rel­a­tively quickly (how­ever, I was sur­prised to see that Boo had allegedly sold its cus­tomers list to Fash­ion­Mall as part of its divesti­ture, leav­ing a huge ques­tion mark on the legal­ity of the matter).

As a quick ref­er­ence point, here are a few ques­tions that web site oper­a­tors should ask themselves:

• Do we have a pri­vacy pol­icy and is it posted?
• Does it pro­vide infor­ma­tion on every piece of data we col­lect? (for exam­ple, a num­ber of pri­vacy poli­cies do not cover use of cook­ies, server logs, or emails send to an address on the site)
• Do we give con­sumers a chance to opt-out of that data gath­er­ing? If not, can we? If so, do we pro­vide the nec­es­sary tools to do so (web-forms or email address)?
• Do we give users a chance to cor­rect per­sonal infor­ma­tion we have gath­ered about them and select whether they want us to use it in the future? Do we cover every sce­nario under which that per­sonal infor­ma­tion will be used?
• Have we audited our site to make sure that the infor­ma­tion is stored securely?

Let me address each of those points in more details.

Pri­vacy policies

: the first thing in draft­ing a pri­vacy pol­icy is to involve the lawyers (I know that may sound stu­pid but I know of a cou­ple of cor­po­rate web sites where that job was left up to the web­mas­ter). While the lawyers are involved, how­ever, a good pri­vacy pol­icy should be easy to under­stand so skip a lot of the legalese and explain your pol­icy in plain Eng­lish (think of it as a mar­ket­ing piece: the mes­sage you are send­ing here is “we under­stand your con­cerns about pri­vacy and here is how we are answer­ing them”).

Opt­ing out or cor­rect­ing data

: Most web sites keep the con­sumer data in a sep­a­rate data­base or set of data­base tables. As part of good neti­zen behav­ior, com­pa­nies should cre­ate a user name and pass­word for every user who decides to give them data. Among some of the tools you would pro­vide to that user are: a form where the data they have sub­mit­ted is listed and where they can make cor­rec­tions. Fur­ther­more, a sec­ond page should be offered to allow users to opt out of dif­fer­ent mar­ket­ing options (for exam­ple, a user could choose to opt into receiv­ing snail mail spe­cial offers but not email ones). How­ever, as part of these opt-out options, you should add some value to your data. If a con­sumer is will­ing to give you their snail mail address for mar­ket­ing pur­pose, you could offer them cer­tain spe­cial dis­counts on prod­ucts. This could include dis­counts within your own store as well as on other web sites (exam­ple: imag­ine your online elec­tron­ics store wants to share data about users who have recently bought a stereo sys­tem with a web site that offers music CDs for sale. As a way to entice cus­tomers to agree to your sell­ing their name to another web site, they could receive a dis­count on CDs on that other web site).

Data audit

: The recent news about hot­mail pass­ing email addresses in the URL field showed that user data can some­times leak out with­out your plan­ning on it. Instead of pass­ing such pre­cise iden­ti­fier, user a cus­tomer ID in the URL field. That ID remains unknown to out­side web sites but allows you to per­son­al­ize the user’s expe­ri­ence. A check of all the per­son­al­iza­tion fea­tures on your site should reveal such prob­lems. Fix them before the news goes out. I had noticed the email address in a URL prob­lem with Hot­mail and sent them an email about three weeks ago but never heard back from them. Last week, I read about it on the front page of Cnet’s News.com. I’m not sure of whether my email went to the wrong per­son at Hot­mail or to a mail­box that did not get read much but my feel­ing about see­ing this pop up on the front page of a lead­ing tech news site made me feel that data han­dling at Hot­mail was sloppy at best.

Either way you han­dle it, the data pri­vacy debate will not stop. You can choose to bury your head in the sand but ulti­mately, it will have to be dealt with. Why not lead the charge and ensure that you are in com­pli­ance before you are forced to do so?