In March 2000, the Information Technology Association of America, or ITAA (www.itaa.org) sent a letter to William Daley, the US Secretary of Commerce. In it, the business and technology organization essentially advised the Department of Commerce to think twice about adopting new measures that would protect the rights of consumers who shop on the Internet. The letter noted that stricter regulations on Net advertising could force many Web-site operators to offer their services on a subscription-only basis. “Internet participation could become unaffordable to many middle- and low-income Americans,” wrote ITAA president Harris N. Miller.
Apparently, the ITAA felt compelled to write the letter after word got out that officials at the Commerce Department and the Federal Trade Commission were considering placing new restrictions on Internet advertisers. In the letter, the ITAA also told Secretary Daley that the industry’s own regulatory practices, combined with existing laws and technology innovations, such as the Platform for Privacy Preferences, would be sufficient to protect a consumers’ right to privacy.
Of course, any time an industry group says it’s best left regulating itself, red flags go off in Washington, DC. Indeed, despite the ITAA’s pre-emptive strike, it appears that Congress will soon pass some kind of legislation increasing privacy protection for online shoppers. In March 2000, Congress called a meeting with E-commerce industry heads to explore new E-privacy guidelines. Members of the House and Senate have also set up a task force and bipartisan caucus to examine the issue, and both parties have recently introduced a slew of Internet privacy bills. Arguably the most stringent is Sen. Robert Torricelli’s (D-NJ) plan that would make it unlawful for companies to place a user profile text file on a consumer’s hard drive without permission. “The fundamental right to privacy should not be sacrificed to the Information Age,” Torricelli said in a statement.
At the same time, many privacy advocates want to see some kind of federal watchdog agency — the E-commerce equivalent of the Environmental Protection Agency — empowered to bring privacy violators to heel. “We need a resource within the federal government that wouldn’t be subject to the vagaries of the legislative process,” argues Simson Garfinkel, author of Database Nation, a book on privacy in the 21st century.
Ironic as it seems, the recent flap over Internet privacy presents an inviting opportunity for savvy managers at E-commerce operators. The fact is that corporate managers who develop comprehensive E-commerce privacy policies — and make them clear to consumers — have a real chance to win over customers.
Indeed, some surveys indicate that privacy is the number one concern of Internet shoppers. “I predict that consumers will seek out sites where they feel safe,” says Randy Covill, a senior analyst for E-commerce applications and strategy with Boston-based AMR Research. “What we’re looking at with the privacy debate is an opportunity for E-commerce companies to be explicit about their privacy policies, to use them to competitive advantage.” In the end, the company that understands that the customer is not only always right, but always has rights, will win the loyalty of online shoppers.
Tempting
Despite the brouhaha over Internet privacy violations, corporate executives remain intent on getting to know their online customers. Can’t blame them. Consumers will spend anywhere from $20 billion to $40 billion shopping over the Internet in 2000, depending on which survey you look at. Forrester Research, a technology and Internet research firm, predicts that number will top $180 billion by 2004. While that’s still only about 7 percent of the projected total for all retail sales, it’s nevertheless a sizable market.
And seen from the perspective of the great cash register in the sky, consumer profiling is a terrific way to win some of that 7 percent. If CEOs talk about their passion for customers, customer profiling can turn that passion into hard cash. Not surprisingly, customer relationship management (CRM) is about the hottest topic on the conference circuit these days. “Personalization on the Net will continue to grow, because the demand for it is there,” argues Barton Goldenberg, president of the CRM-industry consulting organization ISM.
Essentially, CRM software from heavyweights like Siebel Systems (www.siebel.com), IBM (www.ibm.com), Oracle (www.oracle.com), Baan (www.baan.com), and PeopleSoft (www.peoplesoft.com) enables companies to sift through consumer data, extracting such nuggets as who their online customers are and what they want.
CRM software helps brokerage Charles Schwab (www.schwab.com), for example, sort online customers by how much money they have in their accounts or how often they trade. Amazon.com (www.amazon.com) uses CRM applications to figure out which books customers might like. And some clothing retailers can even rely on CRM software to locate customers most likely to buy blue shirts on sale. By forming a collective memory of customer preferences, corporate managers say, they can offer better service.
But the increasing sophistication of CRM technology is also causing real problems. Massive data warehouses crammed with detailed customer information are tempting companies to slice and dice information into ever finer parts, to exploit the information by using it in ways the customer doesn’t know about, or to distribute it to third parties.
Consumers flat out don’t like that. According to Forrester Research, 80 percent of Internet users support a policy that prohibits the sale of data to third parties.
Even managers at some E-commerce companies have misgivings about online customer profiling. “As a marketer, there’s a lot of value in speaking to customers about things they’re interested in, and in using databases to collect that information,” acknowledges Michael Hinshaw, CEO of Verida Internet Corp. (www.verida.com), a business-to-business E-commerce company. “But as a consumer, I worry about someone having too much access to the kind of personal information that’s beneficial to marketers.”
Without careful analysis of the risks of gathering and disseminating customer information, companies could quickly find themselves in hot water — with both regulators and consumers. Observes Beth Givens, project director of the San Diego-based advocacy group Privacy Rights Clearinghouse (www.privacyrights.org), “Consumers don’t like the idea of some unknown entity coming to their computer, placing a cookie there, and possibly sharing information about them with some other unknown entity.”
Not Exactly Girl Scout Cookies
You don’t have to tell that to DoubleClick (www.doubleclick.net). In early 2000, the Silicon Alley-based online marketing company came under virulent attack from consumers and privacy advocates for its practice of placing cookies on surfer’s computers. (A cookie is a text file of user data that helps E-tailers personalize Web pages for specific users, as well as identify an online customer’s shopping habits. A cookie resides in browser memory, but when the browser is closed, the information is written to a file on the user’s hard drive.)
DoubleClick added fuel to the fire by announcing plans to merge with direct-mail-list company Abacus Direct. Reports circulated that DoubleClick intended to match online user profiles with real-life names and addresses culled from direct-mail catalog sales.
When the news leaked out, privacy proponents went ballistic. “DoubleClick betrayed its trust,” insists Garfinkel. “It created a privacy policy saying users would never be identifiable. A company that betrays its own privacy policy poisons the well for everyone.” Under pressure from consumers, advocates, and legislators, DoubleClick CEO Kevin O’Connor backed off on March 2, 2000, admitting he’d miscalculated. “I made a mistake by planning to merge names with anonymous user activity across Web sites in the absence of government and industry privacy standards,” he said in a statement.
But DoubleClick isn’t alone under scrutiny. The Federal Trade Commission is reportedly looking into several ebusinesses, including Amazon’s Alexa Internet division (www.alexa.com), which monitors Net surfers’ visits. (Amazon has also been slapped with lawsuits alleging that Alexa has intercepted personal data and passed it on to Amazon and others.) In November 1999, America Online (www.aol.com) also peeved privacy advocates by requiring users who had already asked to be removed (or opted out) from AOL’s marketing messages to “restate their preferences” — forcing them to opt out again.
Consumer advocates have responded to reports like these with a call for new privacy-protection laws. And the public seems to support such a move. According to a survey conducted by the Graphics, Visualization and Usability Center at the Georgia Institute of Technology (www.cc.gatech.edu/gvu/), 70 percent of respondents agreed that new privacy protection laws should be enacted. “The notion of having your consumer profile tracked is scary,” says Givens. Even DoubleClick’s O’Connor is now calling for “a clear set of guidelines” to protect privacy on the Internet.
As of now, those guidelines don’t exist. The Online Privacy Alliance (www.privacyalliance.org), a coalition of more than 90 global companies and associations, encourages corporations to devise Internet privacy policies. The alliance, which includes AT&T, Microsoft, and Netscape, has established some guidelines to help companies shape their policies. But consumer advocates say the coalition’s recommendations don’t go far enough.
Without mandated standards, many corporate managers are left with some thorny ethical dilemmas. “Our customers struggle with these issues,” concedes Gayle Crowell, president of E.piphany.net (www.epiphany.com), a maker of market-analysis and personalization software, in San Mateo, California. “On one hand, they want to be perceived as the Nordstrom’s of online service, which requires gathering online information about customers. On the other, they’re dealing with an unfamiliar medium, which moves information around fast.”
That inexperience — coupled with a desire to learn more about customers — can lead some companies to step over the line. Even responsible E-tailers are worried that the recent spate of lawsuits, investigations, and all-around bad privacy publicity could cost them business. The truth is, if consumers believe that shopping over the Internet isn’t private, they will go back to the mall. Analysts at one research firm say that only a small percentage of Web users with serious concerns about privacy shop online, while consumers with moderate worries spend 21 percent less than customers who feel at ease shopping online. “There’s growing concern in the E-commerce world,” acknowledges AMR’s Covill. “If consumers fear that when they’re online their privacy will be violated, they will refuse to shop.”
Privacy 101
You don’t have to be a rocket surgeon to know that losing a customer’s confidence means losing the customer’s business. Conversely, companies that quickly adopt strict online privacy rules — and let people know about it — should snare their fair share of customers. “We’ll succeed only if we protect the privacy of our customers,” says Terry Strom, CEO of Cameraworld.com (www.cameraworld.com), a Portland, Oregon-based seller of camera equipment over the Web. “As an industry specialist, we have to be scrupulous about preserving their trust.”
The first step in preserving trust is to develop a strict and inviolable corporate privacy policy. Some believe the policy should be based on the Code of Fair Information Practices (www.epic.org/privacy/consumer/code_fair_info.html), a 30-year old law written by the Health, Education, and Welfare Advisory Committee on Automated Data Systems. According to Garfinkel, “The code does an excellent job distilling what the public sense of fair play is.”
CRM-specialist Goldenberg, on the other hand, says his interpretation of fair play is that consumers must consent to the use of private information. “If information is gathered with prior consent, it’s not wrong,” he says. “But if you violate your privacy policy, you deserve to be hit.”
Many CRM vendors — aware that it’s in their best interest to help customers guard their privacy — are training customers in privacy protection. E.piphany.net’s Crowell, for example, says her company goes out of its way to show its customers how to apply the company’s technology in such a way that they don’t receive unwanted marketing messages.
Meanwhile, some corporate managers at E-commerce companies are still hoping business will pull together to form privacy protection guidelines so that the government won’t have to intervene. “I hope the industry can do its own policing,” says David Fowler, vice president of marketing for Silknet (acquired by Kana, www.kana.com), a Manchester, New Hampshire-based CRM vendor. But ISM president Goldenberg isn’t optimistic. “The sad part is that the private sector doesn’t agree on what constitutes reasonable use of customer information,” he says. “We’re not seeing companies set the standards.”
For their part, privacy advocates say private industry has had time to come up with workable guidelines — and has blown it. They point to the DoubleClick fiasco as proof that it’s time for the government to step in. “DoubleClick’s breaking its own policy illustrates why voluntary privacy policies can’t work,” says Garfinkel.
DoubleClick has tried to make amends. In a statement released in February, company officials announced “the most aggressive Internet privacy policy ever.” That policy included hiring a chief privacy officer to oversee the company’s actions.
Consumer-protection organizations remain skeptical about the company’s efforts to police itself. Says Jason Catlett, head of the privacy-advocacy group Junkbusters (www.junkbusters.com): “DoubleClick’s hiring a chief privacy officer is like Philip Morris saying they have a chief health officer, so smokers shouldn’t worry about cancer.”
Bronwyn Fryer is a freelance writer in Santa Cruz, California.