Web Firms Up Ante on Privacy Regulation

While the U.S. Congress debates proposed Internet privacy laws, a tech industry group announced Wednesday that it hasissued a set of self-regulatory guidelines in a bid to ward offfederal intervention.

Although the PersonalizationConsortium said the standards provide a set of “best practices” that businesses can follow “to ensure consumer confidence in their privacy policies,” privacy advocates and legislators are wary of allowing the industry to regulate itself.

The Wakefield, Massachusetts-based trade group counts among its founding members online advertising giant DoubleClick, ad technology firm 24/7 Media, application and portal developer BroadVisionand American Airlines. The group said it is also developing guidelines for conducting independent privacy audits, which it hopes will become industry-wide protocol.

“Our intent with these principles and the auditing guidelines is twofold:first, to provide an instructional template to help companies devise andcommunicate their own privacy policies, and second, to enable them to followa set of verifiable auditing guidelines when commissioning a third-partyaudit,” said consortium co-chair Don Peppers.

Red Flags

Although online businesses have long touted the benefits of personalization,which allows firms to zero in on consumers’ interests through everythingfrom targeted advertising to shopping recommendations, privacy advocateshave raised red flags about the amount of information that must be gatheredfrom users in order for the technology to be effective.

Privacy advocates also have questioned the use of personal data collected online for other purposes and the potential for the sale of such data without the knowledge or consent of the affected consumers.

The consortium, however, said it believes that its guidelines will allow it to more clearly identify the fine line between privacy invasion and digitalcustomization.

Follow Me

The new standards require participating members to:

• Provide “clear and conspicuous” notice to consumers about their datacollection practices, including what individual or household information isretained and the duration of time it is kept, whether consumer informationis combined with data from multiple sources, and whether the informationwill be disclosed to other parties.
• Collect only the amount of individual and household data necessary toperform a specified set of tasks that are consistent with privacy notices.
• Protect consumer information by implementing “appropriate securitymethods and technologies,” as well as by limiting employee and contractor accessto personal data.
• Offer consumers the ability to opt out of data collection and sharingpractices.
• Obtain “express and informed” consent before sharing certain “sensitive”consumer information.
• Provide users with “reasonable” access to personal data, allow users tocorrect or delete information and make a good-faith effort to ensure thatcollected data is accurate.

In addition, the consortium said it will require all of its members tosubmit to an annual privacy audit in which a third-partyreviewer will assess whether companies are complying with the privacy guidelines. The Personalization Consortium plans to announce specific audit guidelines and procedures later this spring.

Multiple Standards

According to Andrew Shen, a policy analyst with the Electronic Privacy Information Center, there are already a number of industry guidelines in place, including an advertising trade group’s set of Web privacy guidelines that were approved by the U.S. Federal Trade Commission (FTC).

“What we really need is an environment that allows for a predictable level of protection. It doesn’t make sense for a consumer to look at a Web site and not be aware of what privacy guidelines apply, the Web site’s or a third-party advertiser’s,” Shen told the E-Commerce Times.

“Many consumers are not even aware of the collection of private data, which is often invisible to the consumer,” Shen said.

Hot Spots

Over the past year, the issue of Internet privacy has ignited a firestorm ofcontroversy, with DoubleClick often bearing the brunt of the criticism.

However, the advertising company was able to put its primary legal problem behind it last week when the FTC closed a year-long probe into DoubleClick’s data collection and handling practices. The agency concluded that the firm did not violate its own privacy policy or engage indeceptive trade practices.

The investigation, which initially came to light in February, was triggeredwhen the ad company revealed plans to integrate online tracking data withoffline personal information — such as individual names, addresses andshopping patterns — taken from the extensive catalogs of Abacus DirectCorp., a direct marketing services company that DoubleClick acquired in1999. DoubleClick later said it would not integrate the data.

Heading for Showdown

Meanwhile, the newly seated U.S. Congress is gearing up for a showdown over online privacy. A batch of Netprivacy bills have been introduced since the beginning of the year, provingthat the issue — which has been a source of controversy within the techworld for months — is now politically potent as well.

Earlier this week, legislation was re-introduced in the Senate that aims tosafeguard online users from “spyware” software that covertly tracks shopping and surfing habits of online consumers. Anothermeasure proposed in the U.S. House of Representatives last week calls forWeb sites to notify visitors about how personal data, such as telephonenumbers and ZIP codes, is being used. That proposed law would allow visitors to limit such use.