Subj: Online Privacy: Perspectives of Progressive Policy Institute From: Shane Ham, Policy Analyst, Progressive Policy Institute, 202-608- 1284, sham@dlcppi.org To: Internet Caucus Advisory Committee DOUBLECLICK AND ONLINE PRIVACY THE RISKS OF OVERREACTION, MARCH 2000 by Shane Ham and Robert D. Atkinson Online privacy is making headlines this month, with the revelation that DoubleClick, a leading provider of banner advertising for some of the most popular sites on the World Wide Web, is now capable of linking an individual’s web surfing history to his or her name, mailing address, and shopping habits. The controversy has created some of the strongest calls yet for legislation to protect consumer privacy online. The Progressive Policy Institute (PPI) believes that online profiling of web users is a valid business model, as long as protections are in place to give web users sufficient notice that profiling is taking place and adequate opportunity to choose not to participate. If Congress gives in to this latest wave of privacy hysteria, advertising revenues to Internet business could be significantly diminished and, as a result, the Internet as we know it—an almost limitless collection of freely accessible sites and services—may be crippled as it struggles to realize its full potential. We believe that if the Internet advertising industry adopts a stringent self-regulatory code, it will address consumer privacy concerns and obviate the need for legislation. DOUBLECLICK AND ABACUS DIRECT: THE FACTS DoubleClick operates as an advertising sales representative and placement service, delivering banner ads to more than 15,000 web sites. As with advertisers in more traditional media, a premium is placed on ads that can be delivered to specific audiences; the television commercials shown during ***Monday Night Football*** are much different than the ones shown during ***Oprah. *** DoubleClick engages in similar targeting, using Internet browser “cookies” to track web users as they visit web sites in the DoubleClick network and building a profile of the users’ interests in order to target the ads more effectively. Until recently, DoubleClick kept these profiles completely anonymous, with no personally identifiable information collected or used. That policy changed in November 1999, when DoubleClick acquired Abacus Direct Corporation. Abacus originally was organized as a cooperative between catalog retailers and direct marketers. The Abacus member companies combine the purchasing histories of their customers into one central database, creating detailed customer profiles—complete with names, addresses, and purchases—from which member companies draw in order to better target their marketing efforts. Abacus delivers to its customers a list of individuals who meet certain criteria, but the personal data is held as proprietary and is never shared with other companies. With the acquisition of Abacus, DoubleClick plans to merge the online web surfing profiles with the purchase history profiles for even more accurate targeting. To do so, they will request that the web sites in their Abacus Online alliance forward personally identifiable information that users might enter when filling out surveys, making purchases, or accessing sites that require registration. DoubleClick will also collect personally identifiable information from their proprietary web sites, such as NetDeals.com. This profile data will be given voluntarily by the user (users have the ability to “opt out” of this data collection) and DoubleClick will not sell or transfer the profiles (i.e., John Smith visits skiing web sites and bought a snowboard last year) to any third party. The use of personally identifiable information represents a significant change from their prior privacy policies. THE CASE AGAINST DOUBLECLICK DoubleClick has been the target of several lawsuits and complaints alleging that it engaged in deceptive and possibly illegal trade practices by not requiring their network of web sites to reveal their relationship with DoubleClick. If web users do not have proper notification that DoubleClick has placed a cookie on their browsers and is watching them surf the Internet, critics charge, users can neither give their informed consent to data collection nor opt out of that collection. Moreover, many privacy advocates believe that linking personally identifiable information with an individual’s web surfing habits is a violation of an inherent right to privacy while online. Needless to say, web users are upset and DoubleClick has suffered a hailstorm of negative publicity. Privacy interest groups such as the Electronic Privacy Information Center (EPIC), which filed a complaint against DoubleClick with the Federal Trade Commission, say that DoubleClick’s actions constitute a failure of self-regulation in the privacy arena and call for legislative and regulatory action to clamp down on the collection and use of personal data by Internet web sites and advertisers. But rushing to write laws in the wake of this case would be a mistake. PUTTING THE PROBLEM IN PERSPECTIVE Public concerns about online privacy are driven by several factors: unfamiliarity with Internet technology such as cookies, the rapid commercialization of the World Wide Web, and alarmist rhetoric by privacy advocates. Before making public policy decisions, it is important to consider the privacy issue in context. The practices decried by privacy interest groups—delivering personally identifiable data on preferences and habits to marketers, without the knowledge or affirmative consent of the consumer—have been around for a long time. Buy a pair of khakis from a catalog and your mailbox will soon be flooded with competing clothing catalogs. Subscribe to an opinion magazine and you be swamped with solicitations from political action committees. Contribute to an environmental group, and you will be asked for money to save every animal from whales to kittens. This free flow of personal data, even sensitive data such as political preferences and charitable giving, is widely considered to be little more than a nuisance, a junk mail problem rather than a privacy problem because it is understood that the personal data is used only for direct marketing and not more sinister purposes. While the Internet makes the collection and use of that data more efficient; the practice is not more malicious simply because it takes place in cyberspace. If anything, the Internet has made it easier than ever for consumers to opt out of the data collection. As long as the information is used only for marketing, and web users are able to opt out, it is hard to view this activity as a major threat to personal privacy. Moreover, targeted advertising provides clear benefits to the consumer. The Internet is the most powerful consumer tool in history, providing not only vast amounts of information on which products are the best, but also the ability to shop all around the world for the best price without ever leaving home. But web users can only take advantage of that power if they know where to look. Advertising targeted at personal preferences and interests is one way to help consumers find web site needles in the Internet haystack. Most importantly, there are myriad ways for web users to protect their privacy while online. Web browsers allow users to block some or all cookies from being deposited on their hard drives. There are also many programs, available for free on the Internet, that allow users to examine their cookies and delete any that they don’t want. Special connections, or proxies, allow users to connect to the Internet anonymously, and are also free. Individual web users have more than enough tools to protect their own privacy without burdening those who are willing to make the trade-off between privacy and convenience. THE RISKS OF OVERREACTION Of course, concerns about privacy cannot be dismissed, and DoubleClick should be punished if their practices are found to be unfair or deceptive. At the same time, it is important that the federal government not react to the public furor over DoubleClick with unwise or overburdensome laws and regulations. Consumer privacy interests must be balanced against the likely outcome of government action, and any government action must be undertaken with this central fact in mind: targeted advertising is critical to the continued growth of the Internet. Many of the most important and useful sites on the Internet, from newspapers to search engines, rely on advertising to support their online operations. While generalized banner ads provide some revenue, their small click-through rates and the high odds of wasted impressions make them less valuable to advertisers. Targeted ads, on the other hand, are likely to have much higher rates of return, and advertisers will pay considerably more to place them. Maintaining a high-quality web site is neither easy nor inexpensive—witness the large number of Internet sites that operate at losses of millions of dollars per year. As the high-flying technology stocks indicate, investors believe that the Internet will eventually shake out the best business models and become profitable. For the time being, however, the situation is precarious and the market is beginning to lose patience with the mounting losses. Without the revenue that targeted advertising is expected to bring, some of the best sites on the Internet may either start charging for access (an Internet death sentence) or close down altogether. If the former occurs, this will exacerbate risks of a digital divide, as only middle- and upper-income individuals will be able to afford access to many web sites. More importantly, rushing to pass legislation in the wake of a high-profile case like DoubleClick is inherently risky. A highly politicized debate may result in excessively broad restrictions, swatting the privacy fly with a regulatory sledgehammer and crippling the growth of the Internet in the process by reducing the revenues available to Internet publishers. A number of bills have been introduced or are under discussion in Congress that aim to restrict the collection of personal data by marketers, but contain ill-advised provisions that will unduly tamper with the revenue potential of web publishers. The publicity surrounding the DoubleClick case makes the passage of such ill-considered legislation a real possibility. INDUSTRY BEST PRACTICES: GIVE SELF-REGULATION A CHANCE In March 1999, PPI issued a paper on online privacy standards. In that paper, we argued that: “[The federal government] should give the private sector time to build robust self- regulatory programs that give consumers greater control over the uses of their personal information ... If after a significant trial period self-regulation is not adopted by a large share of Web sites engaged in e-commerce, if consumer concerns regarding privacy on the Internet do not diminish, and if a record of significant abuses emerges, Congress should pass legislation empowering the Federal Trace Commission to protect consumer privacy in both online and direct marketing transactions.”[1] A year has passed, and while the rise of online profiling raises potentially troubling new issues, we do not believe that it is time to throw in the towel on self-regulation. On the other hand, the organic development of a set of industry best practices is proceeding too slowly. The slow pace is shaking consumer confidence in electronic commerce and turning up the heat on lawmakers to take action. If Internet businesses want to avoid legislation, now is the time to develop an industry-wide privacy code for online profiling. At this early stage in the development of the Internet, the small number of online advertisers makes it possible to develop a self-regulatory code for online profiling that reaches 100 percent of the affected companies. DoubleClick and its competitors have formed the Network Advertising Initiative (NAI) to develop such a code, but we believe the guidelines under discussion appear to be inadequate to address legitimate privacy concerns. Any online profiling privacy code should include, at a minimum, the following provisions: ***_ Clear notice on every web site telling users what personal information may be collected by whom and how it will be used. *** If a web site partners with marketing companies, such as DoubleClick, the name and URL (Internet address) of those companies should be clearly displayed, not merely referred to as “third parties.” ***_ Prohibitions on selling or sharing personally identifiable profiles with other companies or third parties. *** Advertisers should not under any circumstances share personally identifiable profiles with other companies, even with their business partners. ***_ Clear and simple procedures to opt out of data collection. *** Though some privacy advocates prefer that users “opt in” by giving affirmative consent for data collection, such a burden could mean the death of the targeted advertising business model. Many consumers do not mind if their personal information is collected and used, but would not go out of their way to give their permission to do so. If the opt out procedures are easy to find and execute, the protection should be sufficient for most consumers. Those who want more protection can set their browsers to refuse cookies or use any of the other freely available tools to make their web surfing completely anonymous. ***_ Stringent guidelines on the collection of sensitive personal data. *** Some personal data—such as credit card numbers, financial history, and medical information—are too sensitive to be used for marketing purposes. Such data, if collected by a web site, should be held to a higher standard of privacy and should not be used to develop profiles without explicit consent (opt in) from the consumer. Moreover, web sites should never collect data from children without express consent from a parent or guardian. ***_ Notification on updates to privacy policies. *** Frequent changes in privacy policies, especially changes that allow for more permissive use of personal data, tend to undermine consumer confidence in electronic commerce. When a web site changes its privacy policies, clear notification should be given to consumers to allow them to reevaluate their decision to permit data collection or to opt out. ***_ Prohibitions on the use of data collected under more stringent privacy policies. *** It would be inappropriate for a company to collect data from a web user under one policy and then use the data under a different policy. If a company engaged in online profiling decides to become more permissive in the use of the data collected from web users, that company should “reset the clock” and use only data that is collected going forward. Web users who no longer want their data to be used by a company because of changes to the privacy policy should be allowed to opt out retroactively, preventing the use of previously collected data even if that data is to be used strictly in accordance with the privacy policy under which it was collected. CONCLUSION Every day thousands of people log on to the Internet for the first time. The technology is so powerful and so complicated that concern about online privacy is natural and healthy. But it is also easy to panic unnecessarily, especially when cases like DoubleClick raise important issues about data collection and anonymity. It is important for the future of a free and freely available Internet that we resist the urge to panic and demand government intervention. If, however, the industry is unable or unwilling to implement a sufficient self-regulatory regime, congressional action and federal regulation may be the only answers. But if such action is needed, it should be limited, specifically targeted at online profiling, and follow the guidelines above. Shane Ham is technology policy analyst at the Progressive Policy Institute, and Robert D. Atkinson is director of PPI’s Technology & New Economy Project. -------------------------------- FOOTNOTES: [1] Randolph Court and Robert D. Atkinson, On-Line Privacy Standards: The Case for a Limited Federal Role In a Self-Regulatory Regime (Washington, DC: Progressive Policy Institute, March 1999).