With P3P implemented, users could choose to visit only Web sites that promise not to track their movements or to collect personal information. Or they could decide to go to Web sites that collect personal information, like their name and address, but only if that company promises not to share that information with anyone else. The browser will take care of notifying them of each site’s policy and let them decide whether they want to opt in or out. With Microsoft and Netscape being involved in those efforts, expect the next iteration of web browsers to be P3P-compliant.
The CDT has endorsed P3P as a step in the right direction. While it stops short of saying that it is the be-all and end-all of privacy, the CDT praised P3P as an “important opportunity to make progress in building greater privacy protections in the Web experience of the average user.”
The Federal Trade Commission, which up until recently had a laissez-faire attitude towards such data gathering, has now recommended that Congress enact legislation to ensure a minimum level of privacy protection for online consumers, establishing basic standards of practice for the collection of information online. The recommendation includes four basic areas of protection:
- Notice: Web sites would be required to post a privacy notice telling consumers what data they gather, how they collect it, how they plan to use it and who has access to it.
- Choice: users should have the right to decide how their information would be used beyond a transaction.
- Access: Web sites would be forced to give consumers a chance to access the information that has been gathered about them and make modifications including deletions and corrections.
- Security: Web sites would be required to take steps to protect the privacy of users in order to ensure that data would not leak out unknowingly to other sources.
These suggestions mirror the 1998 European Directive on Data Protection, which was enacted to control the use of personal information gathered on European citizens. It has already been put into law by eight of the fifteen European Union countries. As originally written, the European directive does not allow American companies to gather any data on European consumers because there is a lack of protection for personal data in the United States. However, discussions between the European Union and the U.S. Department of Commerce are currently under way to allow American companies some protection. Passage of the FTC recommendation into law would ensure compliance and alignment between European law and American law, which would facilitate global e-commerce.
However, there are a number of issues to look at. The FTC suggestions came as the result of a recent study the commission did, which showed that only 20% of the sites they surveyed did not fail in at least one of those four areas.
I would recommend to the readers of this newsletter that they examine their own internal policy on data gathering in order to comply with such rules. I may not be a rabid consumer data privacy advocate but I believe that these rules make sense for several reasons. Our business, as Internet builders and managers, is to ensure the highest level of customer service on our web site. Data protection is a new area of customer service that we need to concern ourselves with (the FTC is a political organization and I’m sure that they have some internal pollster telling them that consumers want to see their data protected). Web sites that pioneer data protection and develop strong rules internally will benefit greatly as consumers will feel more comfortable in their dealings with them. Beyond that, data protection is one of the fundamental pillars on which expansion into foreign markets lies. When I was working at Boo.com, one of the things that we worked on diligently was compliance with the many European data laws. As a result, we ended up following the European Directive on data gathering relatively quickly (however, I was surprised to see that Boo had allegedly sold its customer list to FashionMall as part of its divestiture, leaving a huge question mark on the legality of the matter).
As a quick reference point, here are a few questions that web site operators should ask themselves:
- Do we give consumers a chance to opt-out of that data gathering? If not, can we? If so, do we provide the necessary tools to do so (web-forms or email address)?
- Do we give users a chance to correct personal information we have gathered about them and select whether they want us to use it in the future? Do we cover every scenario under which that personal information will be used?
- Have we audited our site to make sure that the information is stored securely?
Let me address each of those points in more detail.
Opting out or correcting data
: Most web sites keep the consumer data in a separate database or set of database tables. As part of good netizen behavior, companies should create a user name and password for every user who decides to give them data. Among the tools you would provide to that user is a form where the data they have submitted is listed and where they can make corrections. Furthermore, a second page should be offered to allow users to opt out of different marketing options (for example, a user could choose to opt into receiving snail mail special offers but not email ones). However, as part of these opt-out options, you should add some value to your data. If a consumer is willing to give you their snail mail address for marketing purposes, you could offer them certain special discounts on products. This could include discounts within your own store as well as on other web sites (example: imagine your online electronics store wants to share data about users who have recently bought a stereo system with a web site that offers music CDs for sale. As a way to entice customers to agree to your selling their name to another web site, they could receive a discount on CDs on that other web site).
: The recent news about Hotmail passing email addresses in the URL field showed that user data can sometimes leak out without your planning on it. Instead of passing such a precise identifier, use a customer ID in the URL field. That ID remains unknown to outside web sites but allows you to personalize the user’s experience. A check of all the personalization features on your site should reveal such problems. Fix them before the news goes out. I had noticed the email address in a URL problem with Hotmail and sent them an email about three weeks ago but never heard back from them. Last week, I read about it on the front page of Cnet’s News.com. I’m not sure whether my email went to the wrong person at Hotmail or to a mailbox that did not get read much but my feeling about seeing this pop up on the front page of a leading tech news site made me feel that data handling at Hotmail was sloppy at best.
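One way to run the check described above, as an added example that is not part of the original newsletter: it scans a list of site URLs for email addresses in the path or query string (percent-encoded ones included) and rewrites query parameters to carry a random customer ID instead. The `shop.example` URLs, the `cid` parameter name and the in-memory ID table are assumptions made for illustration.

```python
import re
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, unquote

# Matches an e-mail address once percent-encoding (e.g. %40 for @) is decoded.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def find_email_leaks(url):
    """Return (location, value) pairs where the URL carries an e-mail address."""
    parts = urlsplit(url)
    leaks = []
    for segment in parts.path.split("/"):
        if EMAIL_RE.search(unquote(segment)):
            leaks.append(("path", unquote(segment)))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.search(value):  # parse_qsl has already percent-decoded value
            leaks.append(("query:" + key, value))
    return leaks

class CustomerIds:
    """Hypothetical ID table: maps an e-mail address to a random, stable ID."""
    def __init__(self):
        self._by_email = {}

    def id_for(self, email):
        key = email.lower()
        if key not in self._by_email:
            self._by_email[key] = secrets.token_urlsafe(12)
        return self._by_email[key]

def rewrite_url(url, ids, id_param="cid"):
    """Replace e-mail-bearing query parameters with one opaque customer ID."""
    parts = urlsplit(url)
    kept, cid = [], None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        match = EMAIL_RE.search(value)
        if match:
            cid = ids.id_for(match.group(0))
        else:
            kept.append((key, value))
    if cid is not None:
        kept.append((id_param, cid))
    return urlunsplit(parts._replace(query=urlencode(kept)))

# Constructed sample links, as a crawl of personalized pages might collect them.
SAMPLE_URLS = [
    "https://shop.example/inbox?user=alice%40example.com&folder=new",
    "https://shop.example/offers?cid=Zk3pQ9&page=2",
    "https://shop.example/u/bob@example.org/profile",
]
```

Addresses found in the path are reported but not rewritten, since fixing those means changing the site's URL scheme rather than a single parameter.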
Either way you handle it, the data privacy debate will not stop. You can choose to bury your head in the sand but ultimately, it will have to be dealt with. Why not lead the charge and ensure that you are in compliance before you are forced to do so?