Imagine being required by law to provide your customers with access to all your information about them. Not just the information that they provided to you, like name and e-mail address, but also information that they passively generated as they used your service, like their transaction history and clickstream through your site. And not just the facts, but also any opinions you have formed, including whether they are a good customer and their estimated lifetime value.
Worried yet? No? Then imagine not just one law, but 50 laws — one in each state — each with subtle differences. Add to that existing federal laws that closely regulate information that you collect about children, health and finances. To top it off, add a series of even more restrictive European regulations.
Worried now? Don’t answer yet, because you also get a “private cause of action,” through which your own customers can bring a class-action suit against you for perceived online privacy violations.
This describes what is at stake in the privacy debate raging in Washington and across the country. The outcome is sure to have far-reaching effects on how the Internet is used as a medium to collect and use personal information, and the Internet marketing industry is standing in the middle of this emerging storm.
Many industry watchers believe that the Federal Trade Commission already has the jurisdiction to regulate online privacy under its Section 5 authority to pursue cases against companies employing “unfair or deceptive” trade practices. This is certainly the case if you post a privacy policy but do not live up to it.
Less clear is whether the FTC has the authority to compel Web sites to post a privacy policy. The FTC believes that it needs an overt mandate for such a thing, and it recently requested that Congress pass a law giving it the explicit authority to regulate online privacy. Most people involved in the Washington debate now expect that Congress will pass such a law but are unsure when it will be passed and how comprehensive it will be.
Forward-thinking companies should embrace the concept of a law protecting consumer privacy. Here are three good reasons why:
• The viability of our companies and the Internet as a medium depends entirely on consumer trust. We need to do whatever it takes to make sure that consumers believe in the medium.
• Industry self-regulatory efforts in the form of seal programs have been admirable and effective. The FTC’s last survey of the top 100 Web sites found that 100 percent have posted privacy policies or have joined seal programs. Unfortunately, these measures are not enough. Less than 20 percent of all Web sites in a random sample actually followed all four of the FTC’s fair information practices. The worst offenders refuse to post policies or join programs unless compelled to do so.
• A privacy law is expected, and it makes more sense to start thinking about one that is effective and livable than it does to oppose the idea based on principle.
A law relating to Internet privacy will no doubt be built on the Fair Information Practice Principles. If you do not know what the FIP principles are, you had better find out fast. These four principles are the basis for the FTC’s regulatory approach to online privacy:
• Notice/awareness. Before you begin collecting any information, according to the FIP principles, you first must give your consumers notice. At a minimum, this means telling users what data you are collecting and what you plan to do with it.
• Choice/consent. Giving your consumers a choice basically means giving them the option to opt in to or opt out of any information-gathering functionalities. The opt-in choice is viewed as a more pro-consumer option because it bears less of a burden in the long run on the consumer.
• Access/participation. This is the most controversial provision. Once consumers know what is being collected about them, providing them with access to that information gives them the power to ensure its accuracy. Furthermore, consumers should be given a means by which they can challenge data they believe to be incorrect.
• Integrity/security. In addition to consumers’ ability to confirm data accuracy, those who collect the information should take measures to protect the security of that data, and to prevent unauthorized access or use.
You can read about the FIP principles online at www.ftc.gov/reports/privacy3/fairinfo.htm.
So what’s a good law? This is something each company must decide for itself, depending on its marketing practices. More than 35 bills before Congress address online privacy, and more than 280 bills on the topic are pending before state legislatures. Each bill is different in important respects.
One particularly sticky issue is the legislative language used around the question of choice. The subtleties here would baffle many professional linguists. Some bills use the innocuous term “choice.” This language allows for so-called opt-out policies by which information is collected by default, but consumers are able to tell sites to stop collecting it.
Other bills use the much more limiting term “informed consent,” which is essentially code for opt in. This language requires that consumers be informed about information collection before it begins and that they give explicit permission in advance of its collection.
Some of the more prominent federal bills include a clause that pre-empts any state laws on the issue of online privacy. This gives the industry one clear set of rules. Given the international scope and influence of the Internet, many believe that state law preemption is a vital provision in any federal privacy legislation.
Unfortunately, since privacy is such an emotional issue for many Americans, there is a powerful urge for state legislatures to address the issue quickly. This further raises the stakes for federal lawmakers to quickly find and settle on a standard that is acceptable to both businesses and consumers before the states beat them to the punch.
Broadly, three enforcement mechanisms are considered in today’s legislation: private cause of action, regulatory enforcement and private enforcement. A private cause of action allows the consumers of any Web service to sue that service for perceived privacy violations. A regulatory approach essentially empowers the FTC to bring about cases if it believes that a company is violating the law. Private enforcement schemes tend to deputize seal programs or other industry regulatory bodies to enforce the federal standards by exempting businesses that participate in them from further governmental scrutiny.
The best way to make sure that privacy laws don’t adversely affect your company is to collect your users’ personal information in accordance with FIP Principles. By paying careful attention to these principles, companies have successfully turned concerns about member privacy into a corporate asset. Members are less concerned about their information. The concept of giving consumers what they want should be foremost in the mind of any good marketer. And as American consumers begin to demand their privacy online, the most successful marketers will give it to them.
