Kissmetrics and a variety of its clients have been center stage in the news lately for tracking unique visitor behaviour, despite a user clearing their cookies. Shortly after the story broke, a number of high profile clients removed Kissmetrics tracking, arguably “throwing them under the bus” in the process. Now, Kissmetrics and more than twenty of its customers are facing a class action lawsuit, claiming the tracking violates privacy laws. However, there was a similar lawsuit in 2009 over the use of “zombie cookies”, with some of the same businesses named as defendants.
This got me thinking, and into a rather lengthy debate/rant/conversation with fellow industry member Lee Isensee, which helped to shape (and refine somewhat!) a few thoughts around the responsibilities of the organisation tracking vs. the vendor providing tracking capabilities. While I find myself defensive of vendors and organisations that are being respectful of customers’ privacy, in line with the WAA Code of Ethics, the real question is:
Whose responsibility is it to protect consumer privacy – the business using the tracking, or the vendor providing a solution or product?
I can’t help but think – if you, as a company:
- Choose a method of tracking that (many argue) violates users’ privacy and wishes
- Don’t disclose the level of detail being collected, or how it will be used
- Face legal action as a result of that tracking, and settle by agreeing not to use that technology again
- Later, face accusations of similar tracking (similarly intentioned, though the mechanics perhaps differ)
- But sever ties with the vendor, essentially blaming them, while claiming your company takes user privacy seriously
What conclusion is there to draw from that? Does it suggest that you, as a business, want to do that kind of tracking, and seek out vendors who provide those capabilities? (It’s a little hard to argue the “but we didn’t know” defense if you’ve faced legal action for this type of thing before.)
If that’s the case (and I understand this is a little difficult in the current climate), why not stand by this kind of tracking, disclose the approach and method, and explain the consumer benefits of it? Why claim to be privacy conscious and blame the vendor when your company has a major privacy backlash? You’ve chosen to engage in this kind of tracking (and faced the repercussions!) before. What leads you to do so again?
So if a business is inclined to this kind of tracking, what is the responsibility of the vendor providing it? Do they own a customer’s implementation (post initial engagement) or chosen use of the data? Do they owe a duty to the customers of their clients? What legal duty do they owe? Do they owe a duty to allow opt-out? Or is that in the hands of the company doing the tracking? What ethical duty do we impose? (And how far does that go? To the vendors that support the vendor? Ah, forget it. I’m hearing an Adam Carolla “slippery slope” rant starting as it is.)
I’d argue there’s one level of responsibility, that falls squarely to the company itself. A business decides what kind of tracking to do, and which vendors to use. They owe a duty to their customers. If a vendor is found to use “unsavoury” practices, actively recommends those practices in collusion with the business and disregards industry-accepted practices, isn’t it the responsibility of the business to have thoroughly evaluated the vendor?
Something along the lines of: we don’t sue gun companies for homicides. The analytics vendor sells the gun, the implementation is the bullet, the business is the person holding the gun … who ultimately made the choice to shoot the customer?¹
Am I way off base? Where do you think this responsibility lies?
¹ I can’t take the credit for all of this. Thanks Lee for boiling it down to a simple analogy.