Whose responsibility is online privacy?

Kissmetrics and a variety of its clients have been center stage in the news lately for tracking unique visitor behaviour, despite a user clearing their cookies. Shortly after the story broke, a number of high profile clients removed Kissmetrics tracking, arguably “throwing them under the bus” in the process. Now, Kissmetrics and more than twenty of its customers are facing a class action lawsuit, claiming the tracking violates privacy laws. However, there was a similar lawsuit in 2009 over the use of “zombie cookies”, with some of the same businesses named as defendants.

This got me thinking, and into a rather lengthy debate/rant/conversation with fellow industry member Lee Isensee, which helped to shape (and refine somewhat!) a few thoughts around the responsibilities of the organisation tracking vs. the vendor providing tracking capabilities. While I find myself defensive of vendors and organisations that are being respectful of customers privacy, in line with the WAA Code of Ethics, the real question is:

Whose responsibility is it to protect consumer privacy – the business using the tracking, or the vendor providing a solution or product?

I can’t help but think – if you, as a company:

  • Choose a method of tracking that (many argue) violates users’ privacy and wishes
  • Don’t disclose the level of detail being collected, or how it will be used
  • Face legal action as a result of that tracking, and settle by agreeing not to use that technology again
  • Later, face accusations of similar tracking (similarly intentioned, though the mechanics perhaps differ)
  • But sever ties with the vendor, essentially blaming them, while claiming your company takes user privacy seriously

What conclusion is there to draw from that? Does it suggest that you, as a business, want to do that kind of tracking, and seek out vendors who provide those capabilities? (It’s a little hard to argue the “but we didn’t know” defense if you’ve faced legal action for this type of thing before.)

If that’s the case (and I understand this is a little difficult in the current climate), why not stand by this kind of tracking, disclose the approach and method, and explain the consumer benefits of it? Why claim to be privacy conscious and blame the vendor when your company has a major privacy backlash? You’ve previously chosen to engage in this kind of tracking (and faced the repercussions!) before; what leads you to do so again?

So if a business is inclined to this kind of tracking, what is the responsibility of the vendor providing it? Do they own a customer’s implementation (post initial engagement) or chosen use of the data? Do they owe a duty to the customers of their clients? What legal duty do they owe? Do they owe a duty to allow opt-out? Or is that in the hands of the company doing the tracking? What ethical duty do we impose? (And how far does that go? To the vendors that support the vendor? Ah, forget it. I’m hearing an Adam Carolla “slippery slope” rant starting as it is.)

I’d argue there’s one level of responsibility, and it falls squarely to the company itself. A business decides what kind of tracking to do, and which vendors to use. They owe a duty to their customers. If a vendor is found to use “unsavoury” practices, actively recommends those practices in collusion with the business, and disregards industry accepted practices, isn’t it the responsibility of the business to have thoroughly evaluated the vendor?

Something along the lines of: we don’t sue gun companies for homicides. The analytics vendor sells the gun, the implementation is the bullet, the business is the person holding the gun … who ultimately made the choice to shoot the customer?¹

Am I way off base? Where do you think this responsibility lies?


¹ I can’t take the credit for all of this. Thanks Lee for boiling it down to a simple analogy.

6 thoughts on “Whose responsibility is online privacy?”

  1. I believe there are lines of responsibility that need to be drawn in online privacy, just like have been worked out in other areas. I like your gun analogy, and I would add to it that there are laws governing the practices of each group in that community to ensure the safety, and in this case the privacy, of the public. So in other words, I don’t think the question is which party is fully responsible for ensuring public privacy, but all parties play a part that makes sense for what they have control over. For example, vendors should not offer questionable technologies. It seems like the issue as usual with new technologies is that we haven’t yet worked out all the standards. And I understand that so far we are an industry still in between self regulation and being fully government regulated. Like most in our industry, I favor self regulation, but we have to act faster to set standards before the government ends up dictating what happens here, as has already started in Europe. I hope we can get on top of this soon.

  2. I actually think this is “both”…(AND any third parties that are providing selection/implementation/management services). I was a bit disheartened a few weeks ago while in a steamy city for the weekend when I broached this subject with a vendor () whose response was, “Not us! It’s up to the company that implements. They can turn us on or off however and wherever they need to, and it’s up to them to do so!”

    On the one hand, it’s easy to say, “Look, company, if you’re rolling this out on your site, you damn well better understand all of the ins and outs of what it’s doing and make sure it’s all kosher.” How many companies do you work with where the decision makers actually even understand the difference between 1st party and 3rd party cookies (much less Flash cookies)? The decision makers — the people who need to know where/when to pull in the Legal department, often — don’t have the bandwidth/skills/interest to go deep into what’s going on under the hood. So, they’ve got to place their trust somewhere, and “trusting the vendor (who has hundreds of clients who have to grapple with the same issues)” is a reasonable tactic. It’s not risk-free — the company is still going to be on the hook — but it’s a reasonable risk. IF you have faith in the vendor.

    Equate it to SOX compliance — it’s not like CEOs are actually doing the financial accounting work, but they’re on the hook for the accuracy of the quarterly statements.

    Agencies like yours and mine can also claim, “Not our problem,” but we sit somewhere in between — more exposure to the situation, more understanding of the underlying technology. So, some responsibility to educate and advise, IMHO.

  3. Hi Michele,

    Nice post (and v. timely as well). I have been following the KissMetrics issue closely, as I am both a fan of the work that Hiten and his team are doing, and curious about how the metrics community will respond.

    I think in a perfect world, the business should be accountable for the technology they choose to acquire. Unfortunately, it’s not possible because of the rapid evolution of the digital technology space.

    In your gun metaphor, the shooter should be the one at fault; everyone knows how a gun works and what it does, and the gun hasn’t evolved significantly in 100 years.

    Literally every month in digital measurement there are not just new tools, but whole new categories of tools designed around measuring and optimizing the business. An executive is very likely unable to keep up with trends in both technology and privacy.

    I am a huge fan of the WAA practitioner code of ethics, and I signed on early. Perhaps the WAA should look at a Vendor edition of the code, whereby certain kinds of tech. need to be opted in, or specifically outlined in the privacy policy.

    Lastly, whenever I think about privacy debates in WA, I click on an Analytics Forum post from Jim Sterne from waaaay back in 2008. I still think his approach to cookies (especially the new school zombie cookie) is spot on:

  4. Pingback: Stop looking for the scapegoat | OMLee, marketing madness

  5. Hi Michele,

    Thought provoking post and I like your gun analogy. I would argue slightly differently though.

    I think in the main Kissmetrics are at fault because it is ultimately their decision to take the control away from the user (note that’s not the customer but the customer’s visitors). I am not saying they deserve the negative press or the lawsuit – they don’t, because they haven’t done anything wrong really; as you say, they just designed the “gun”. But on the other hand, as gun designers they should’ve known better than to potentially arm people with automatic weapons.

    As far as the KISS customer is concerned, firing the gun is being able to draw insights from their data as fast as possible to earn them as much ROI as possible. I am 100% sure that KISSmetrics sales teams would have said that privacy of the user is guaranteed. And they would not be lying, as anonymous tracking is the way KISS works.

    However, KISS have hamstrung the user by removing their control – at least this is what I understand from the ETag technology they had deployed.

    It basically took away the ability of the user to say “No, I don’t want to be aimed at even if it is only a blank target you’re aiming towards, I don’t even want to be in the shooting range.”

    That’s the first issue, and I would lay that blame at Kissmetrics’ door.

    Now to the second.

    As you already know, I find the whole argument a big farce anyway. ETags are still relatively harmless when compared to, for instance, credit card information companies hold on you, or CCTV tracking in every major city, but as the Wired researcher pointed out there is the “possibility” that the technology could’ve been misused. However unlikely, it was possible that KISSmetrics customers could have got together and compared notes about individuals and identified them.

    Now could I blame KISS for that? Not really; I feel it was a design flaw or oversight rather than anything they intended to do. It’s like designing an automatic gun that only fires a single shot by design. It can be modified by someone who knows how to disable the safeguards that stop weapons firing on automatic.

    I would then put the blame here with the customer as you suggest because they would then be aiming the gun at real people rather than blank targets.

    As I’ve discussed elsewhere, the issue here is PII, and I’ve now seen 3 vendors that have, possibly unknowingly, compromised the safeguards they think are in place due to the way their technology works.

    The issue is a legal one. I agree with the code of ethics and support it, but as I’ve argued before, I believe we need to make that a legal approach, not simply something vendors and businesses can ignore (KISSmetrics, interestingly, haven’t signed the code of ethics).

    Until we get unambiguous legal protection of PII we will always run into this problem. The problem is that the guys writing the laws are not experts in the field and will likely put blanket bans on things like cookies, which is why we have to get involved. I think that the WAA should be the folks that do it and should invest some of our membership money on helping the various bodies draft laws that make sense.
