THE PRIVACY ISSUE CATCHES UP WITH DIRECT MARKETERS OH, NO: WAIT UNTIL the privacy lobby hears about this.
Internet Information Services of Billings, MT is offering a product called Cyber Investigator’s Assistant (CIA). An unsolicited e-mail declares that CIA can help you locate Social Security and license plate numbers, unlisted phone numbers and other information – on anyone. “Find that girl you met in traffic,” it says. “Discover dirty secrets about your in-laws.”
What does one get for $19.95? A piece of software that the DIRECT team was unable to open. Internet Information Services is not listed in directory assistance, and Billings police said that the return address is a mail drop. But if the ad copy can be taken at face value, the CIA product violates all existing privacy guidelines, and could draw unwanted attention to an already beleaguered industry.
“When people see ads like that it truly communicates to them that every piece of information about them is available and is not protected even though you have laws like the Driver’s Privacy Protection Act and the Fair Credit Reporting Act,” says Marty Abrams, vice president of information policy and privacy for Experian, Orange, CA.
But the outcry will be even worse if privacy advocates pick up on this line that says, “Send anonymous e-mail completely untraceable.” For privacy problems are always compounded when e-mail and the Internet are involved.
While there have been some widely-publicized debacles in the offline direct marketing world, they do not receive a fraction of the attention paid to those that occur in the online world. The slightest price adjustment or deviation from a stated privacy policy attracts national headlines drawing ever more scrutiny from concerned consumers, politicians and privacy advocates.
“It’s a little bit like going hunting with nuclear weapons,” says Jason Catlett, president of Junkbusters Corp., a privacy advocacy firm, of the Internet’s power. “You can do a lot more damage now than before.”
And this means that executives are often caught off guard by the hostile public reaction they get. Seemingly innocent actions like the sale of a mailing list in a bankruptcy auction (a relatively routine occurrence in the old-time direct marketing business) becomes a major scandal when online firms are involved.
For example, little attention was paid when the old Behaviorbank database was sold during bankruptcy proceedings several years ago (despite the fact that it contained survey data on millions who suffered from maladies like baldness, incontinence, Alzheimer’s disease and Parkinson’s). But when Toysmart.com failed last summer and tried to sell its database in direct conflict with its privacy statement, the Federal Trade Commission sued the online toy retailer to prevent the sale. An action followed by a similar request coordinated by thirty-nine states.
Similarly, Abacus received little attention from privacy advocates as a stand-alone database company. Then it merged with DoubleClick, and the latter announced plans to marry anonymous online data with detailed offline purchase behavior supplied by Abacus.
The DoubleClick finally backed off.
“We were surprised,” says Josh Isay a spokesman for DoubleClick. “What we were planning to do was done all the time in the offline world. But we recognized that this is a new medium and we need to move with the industry as a whole. We’ve learned from the experience.”
Sharing of data, even for analysis, also appears to be a no-no.
After two class action lawsuits and a media blitz, online toy retailer Toysrus.com terminated its relationship with data-analysis firm Coremetrics. Court documents stated that Coremetrics was allegedly tracking and compiling customer information and site browsing activity at Toyrus.com and giving that information to third parties in violation of the Toysrus.com privacy policy.
Many executives fear that this intense scrutiny will eventually hurt traditional direct marketing.
Congressman Joe Barton (R-TX), sees the two mediums as distinctly different. “We don’t hear too many concerns about direct mail,” he says.
As for the Internet, he is one of a growing number of politicians that has indicated plans to make it tougher for direct marketers to do business.
Barton, along with Congressman Edward Markey (D-MA), plans to introduce a comprehensive model privacy bill in the spring that would include an opt-in model for online data collection, notice about the use of cookies and the right to opt-out.
“If we’re lucky we’ll get it passed next fall,” Barton says. “Most marketers are responsibly working with trade groups to come up with guidelines. But the problem is there’s always some entrepreneur that doesn’t want to play by the rules so we need federal statutes.”
Barton equates online data collection to a friendly form of trespassing. “It’s like putting an ad in the newspaper that says, `I’m going to leave my house unlocked and you can come in and check out what’s in my closets and refrigerator to see what I’m going to be eating for dinner,” he says.
In frequent focus group meetings he conducts for women, age 35 to 55, Internet privacy is of significant concern. “Women are petrified about Internet privacy,” Barton says. “They’re afraid of being stalked, tracked and spied on.”
Barton’s personal experiences have also fueled his efforts to push through legislation. In one instance, he began receiving e-mail promotions from casinos worldwide after he played a few hands of poker in a free America Online poker room.
Legislation There are thousands of bills pending at the state level that address various forms of privacy. Two of significance were introduced during this session at the federal level. One, the Unsolicited Electronic Mail Act, is designed to protect consumers and Internet service providers from unsolicited commercial e-mail. It was passed by the house by a vote of 427-1, and has moved to the Senate. And, Senator John McCain’s (R-AZ) Consumer Internet Privacy Enhancement Act, would protect consumer privacy on the Internet.
While neither of those bills contains an opt-in measure, some observers that Internet marketers will jump on the legislative band wagon to push through an opt-in policy, workable for them, but damaging to their offline counterparts.
“The new kids on the block are discovering that they’re in hot water and they will sell their ancestors down the river because it doesn’t affect them,” says Tim Litle, chairman of Order Trust Inc. and a member of the DMA’s board and privacy task force. “Acceptable regulation to the Internet guys will contain aspects that really make it difficult or impossible for traditional direct marketers to operate as they have in the past and in a way that people generally accept. If the Internet guys agree to opt-in then the likelihood that traditional direct marketers will be under pressure to have opt in programs will be quite great.”
Evan Hendricks, the editor and publisher of Privacy Times, agrees that a consensus is forming in favor of opt in for online marketing. He adds that a testament to the growing concern that marketers should get consumer’s permission before using their information is the increase in the number of Internet marketers developing and adopting a variety of opt-in models.
“These companies are setting a standard and its shows where we’re going,” Hendricks says. “A lot of traditional direct marketers have simply been able to buy people’s information without having to worry about getting consent and that’s a big change.”
Hendricks also that believes any opt-in legislation would ultimately be applied offline.
(Not all Internet marketers push for opt in. For example,
America Online Inc., Dulles, VA, supported an opt-out model last month in testimony before a Senate panel chaired by Senator McCain during discussion on privacy bills.
Worse yet, many wonder what would happen if online standards of judgment were applied to some slippery practices displayed by offline DMers and their data suppliers, some of which have entered the realm of legend. Take the somewhat moldy case of the Behaviorbank file during the 1990s. Housewives who had shared intimate details about their household product purchases and health could not have foreseen that the owner of the list, Computerized Marketing Technologies, would end up in bankruptcy, that a copy of the file would be handed off to the printer Webcraft as collateral, and that the master list would end up for grabs as an asset during a bankruptcy auction.
But those were hardly the abnormalities involved with the sale. In the end, the file was sold to Metromail Corp. for $6.2 million, but not before the sale was challenged before a judge by Donnelley Marketing, a competitor of Metromail’s.
And why? Because, as alleged in court, names from Donnelley’s own Shareforce survey program had ended up in the Behaviorbank database. Donnelley tightened up its data-sharing arrangements following this episode.
Worse yet, the buyer of the file, Metromail, soon had major privacy problems of its own. In 1994, it was pilloried in the Wall Street Journal and other media for using voter-registration data from restricted states to enhance its consumer database, and for misleading consumers when it called them to verify their ages by telling them the purpose was to survey them about ice cream. Later, the firm was trashed by privacy advocates for the fact that a sub-contractor used prison inmates to keyboard data, and for renting out children’s names, no questions asked, to a reporter using the name of Robert Allen (convicted murderer of 14 year-old Polly Klaas). The furor finally died down when Metromail was acquired by Experian, which observes strict privacy policies.
Imagine, too, if the long history of the DAK industries, Inc. mailing list was exposed to the same level of scrutiny as DoubleClick’s actions or non actions. DAK went bankrupt in 1994, and the file was sold in an auction. DAK founder Drew Kaplan still has a copy of the list, as does current owner David Brill, an employee of Venture Direct. Last summer, Brill backed off a plan to append e-mail addresses to the file on a test basis. A version of the list is also being marketed by List Authority.
One also to question the sanity of a DM executive who would assign direct marketing work to prison inmates. Earlier this year, a Utah inmate, making telemarketing calls for small video marketer SandStar Family Entertainment, solicited the home address of an unsuspecting young Texas girl. He then wrote her a letter asking if she’d like a boyfriend. The ensuring fire storm prompted the state to drop the state-run program involving five call centers and 130 inmates.
Self-Regulation All of which leads to the question: Is industry self regulation working?
Privacy advocate Evan Hendricks says that self regulation could never be wide spread enough to be effective and that privacy policies will never fully comply with the Federal Trade Commissions’ required elements of privacy protection in its Fair Information Practice Principles: access, notice, choice and security.
“Self regulation as a national policy for protecting privacy never has worked and never will,” Hendricks says. “Those companies that are self regulating seriously are doing themselves a favor so they can handle information in a way that respects consumer’s privacy, but as a national policy for protecting privacy it won’t work.
He adds that most companies would not be willing to provide an enforcement policy as a remedy to consumers. “No company is going to offer enforcement through a voluntary policy,” Hendricks says.
Tim Litle of Order Trust tends to agree. “The privacy issue has probably passed the ability to control itself with complete self regulation and that’s said by somebody that is really very anxious not to see legislation.”
Litle believes self regulation is working in the traditional direct marketing world but that the online world has been defined by newcomers that unwilling to play by the rules.
He says that many dot-com entrepreneurs disregarded traditional direct marketing standards, casting the industry off as stodgy, slow and irrelevant. Most thought it was unnecessary to post privacy policies, he says.
“They would tend to look down their nose at the traditional direct marketing standards and say `that’s the old way of doing things, they don’t count anymore, our way is right,” Litle says. “Well last March a lot of them learned that wasn’t exactly right.”
Rodney Joffe, founder and chairman of Arizona-based Whitehat.com agrees.
“The traditional direct marketing industry knows right from wrong, adheres to the law and despite some lapses also respects the etiquette of the Internet. At the same time, the world is rife with the marketers who are out to do whatever they can to skirt, bend and break the law. And, unfortunately, while self regulation may work with the first group, the second respects nothing.”
Wireless What’s next? Several observers predict that the spotlight will soon be on the wireless industry.
“If you can track people on some kind of model technology, you’re coming really close to complete surveillance,” says Mary Culnan, professor of management and information technology at Bentley College, Waltham, MA.
Hendricks concurs. “As the industry salivates over the prospect of trying to market to people over their cellular phones, users will not accept spam or unsolicited ads,” he says.
An estimated $4.9 billion is projected as the overall market for providing location data and services by 2004, according to Strategis Group, a Washington research firm.
Trying to stay one step ahead of major problems, the Wireless Advertising Association (WAA), an independent unit of the Internet Advertising Bureau, recently released the first installment in a comprehensive suite of privacy guidelines for WAA members.
The guidelines include prohibiting push advertising and/or content to a subscriber’s wireless mobile device without opt-in permission verified through confirmed opt-in. In addition, subscriber permission can not be transferable to third parties without explicit permission from the subscriber and clear opt-out instructions must be available.
And with all the concern over opt-in versus opt-out and self regulation, experts say the real debate is clear: What do marketers owe their customers?
Experts say such standards as stating a privacy policy and adhering to it, and acting as though the customer is a partner and owner of the data.
U.S. Bankcorp founded out the hard way that privacy policies must be clearly represented – and adhered to. Last year, it settled a lawsuit with 38 states and the District of Columbia, agreeing not to share a customer’s personal financial information with bank affiliates or other businesses without the customer’s consent. In the original suit, Minnesota alleged that the bank violated the Fair Credit Reporting Act and had misrepresented its privacy policy to consumers.
“We’ve seen many cases where brands have been damaged by data information practices that are regarded as unacceptable by consumers,” Catlett says. “But there’s a tragedy there that the industry as a whole is blamed for the worst actors, the only defense against that is to have real standards.”
The Customer Rules The groundswell of newly hired privacy officers is an effort to address such issues.
Front runners like Procter & Gamble are choosing not to differentiate between their online and offline customers when it comes to privacy. The company’s official policy is that the data it has on each consumer is the consumer’s, not P&G’s. (see “Privacy Gamble,” page 127).
Meanwhile, the Direct Marketing Association is formulating plans to launch a multi-million dollar, multi-channel consumer education program, says CEO H. Robert Wientzen.
The campaign will play out over three years with a goal of enhancing consumer awareness about what marketers do. “There is as much misinformation as information,” Wientzen says. “And legislators react to an uninformed public.”
The project is in cooperation with the Privacy Leadership Initiative, a consortium of companies and associations formed last summer. The group includes Procter & Gamble, to IBM, Ford Motor Co, Travelocity.com, E superscript *Trade and AT&T.
Peter Reid, vice president, privacy center of expertise, for NCR Corp., believes that honesty is the best policy.
“We need to be up front about the data we’re collecting and how we’re using it,” he says “If we don’t we’re going to destroy trust, destroy the relationship and be out of business. It’s that simple.”
