What Your Company Needs to Know About Potential Online Privacy Regulation

[Part 1 originally published in Colorado Biz on 01.18.11.
Blog post updated on 03.06.11 to include Part 2 of the article.]

The internet is a wonderfully measurable place. Businesses are able to use online data to drive strategy and measure return on investment. However, the wealth of data that makes the online world a prime space for analysis is also leading to consumer concerns over privacy. Facebook privacy controls, data capture, ad targeting and mobile applications have all been the subject of privacy discussions in the media.

A recent survey by USA Today and Gallup suggests that only 35% of respondents believe that “the invasion of privacy involved [in behaviorally targeted online ads] is worth it to allow free access to websites”, with younger respondents (40%) being more willing to accept this than older respondents (31%). However, while only 14% would allow all companies to target ads to them, another 47% would be willing to allow the advertisers they choose to target ads.

With so many concerns out there about data capture and privacy, what is a company to do to ensure its behavior and data practices are not called into question – or made front-page news?

What kind of data does your company use?

First, your company needs to differentiate between types of data capture, and understand both what you are leveraging and the current climate around different types of data use.

Understanding the current landscape

Recently, the Federal Trade Commission released their draft report on Consumer Privacy. The FTC’s report distinguished first and third party data capture, with different views as to what consent and regulation should be required for each.

First party data includes web analysis done through tools such as Google Analytics, Webtrends and Adobe Omniture, for the purpose of improving consumers’ online experience and a company’s profitability online. First party data use also includes first-party marketing: a company recommending products or services based on a consumer’s previous purchases. The FTC recommended that this type of data capture not require specific consent, as these are considered commonly accepted business practices.

Third party data capture, however, is considered separately. This includes companies that deal in the buying and selling of information: for example, ad networks that buy and sell data to allow delivery of highly-targeted advertising. The FTC’s main concern regarding third party tracking is not banning the practice, but rather, allowing for informed consumer choice. While the FTC declined to declare opt-in or opt-out as the appropriate method for expressing consumer choice, the FTC did call for a Do Not Track mechanism, enforced through either legislation or industry self-regulation.

Legislative vs. Self-Regulatory approaches

The FTC’s recommendations open the door for potential legislation of online privacy and data capture. However, the Commerce Department has recently recommended self-regulation.

The Commerce Department disfavored prescriptive rules, noting the need for an approach that allows for rapid evolution and innovation, while enhancing trust. The Department called for voluntary but enforceable codes of conduct that promote transparency in data collection and use, and recommended enlisting the “expertise and knowledge of the private sector” in this regard.

The web analytics industry in fact recommended this very thing back in September 2010. A voluntary code of ethics for web analytics practitioners was proposed and drafted by Eric T. Peterson and John Lovett of Web Analytics Demystified, in conjunction with the Web Analytics Association, and a second initiative has begun regarding consumer education.

New medium, same challenges

While online data and privacy may seem new and uncharted territory, this is simply a new medium for similar challenges faced off-line. For example, consumer acceptance of tracking and targeted advertising in exchange for free online content is not too different from accepting grocery store data capture via loyalty cards in exchange for discounts. The difference is that online data capture is newer, without a well-established procedure for privacy safeguards, and with a lack of education about what the benefits or exchanges for tracking may be.

What is required in the industry is two-fold:

  1. Finding the appropriate way (not necessarily legislatively) to establish and regulate those safeguards online; and
  2. Educating consumers about the types of data capture and use, and potential benefits, to allow for informed consent.

How can a company protect itself?

So how can a company protect itself, in light of the current uncertainty around online privacy?

Safeguard consumer privacy as if you are already legislated to. This has two benefits:

  1. If enough companies voluntarily safeguard consumer privacy, legislation may not be needed, leaving flexibility for companies to find the right way to protect privacy within their own business model; and
  2. If legislation does occur in the future, your company should not require major changes to your privacy model to be in line with the requirements.

Follow FTC recommendations and integrate privacy considerations into your company’s daily business practice, by:

  1. Taking reasonable precautions to protect the safety and ensure the accuracy of data;
  2. Only collecting data required for a specific, legitimate business need (rather than capturing data “in case” it can later be monetized); and
  3. Ensuring your data retention periods are reasonable.

For first party data capture and marketing, ensure that you have a plain language, non-legalese privacy policy that allows consumers to understand what data you’re capturing and how you use it, and that you clearly distinguish your first-party data use from third-party data use.

For any third-party data capture, make your practices transparent (this means not burying information behind legal jargon!) and educate your consumers. Advise what data is being captured, the benefits to the consumer, and provide an easy way to opt out. (A hint: if the only benefits are for your company, and not the consumer, you should expect a high opt-out rate.)

Additional considerations

For companies in business overseas, keep in mind that privacy laws may differ between countries. For example, Europe’s privacy laws are already stricter than those of the United States, and will potentially receive further overhaul in 2011 to modernize the 1995 Data Protection Directive.

Prepare for the future

Online privacy is not likely to quiet down in the coming months. However, by being proactive and considering consumer privacy in your daily and long-term business strategy, your company can set itself up on the right side of proposed legislation or self-regulation.
