Web Firms Up Ante on Privacy Regulation

While the U.S. Congress debates proposed Internet privacy laws, a tech industry group announced Wednesday that it has issued a set of self-regulatory guidelines in a bid to ward off federal intervention.

Although the Personalization Consortium said the standards provide a set of "best practices" that businesses can follow "to ensure consumer confidence in their privacy policies," privacy advocates and legislators are wary of allowing the industry to regulate itself.

The Wakefield, Massachusetts-based trade group counts among its founding members online advertising giant DoubleClick, ad technology firm 24/7 Media, application and portal developer BroadVision (Nasdaq: BVSN)and American Airlines. The group said it is also developing guidelines for conducting independent privacy audits, which it hopes will become industry-wide protocol.

"Our intent with these principles and the auditing guidelines is twofold: first, to provide an instructional template to help companies devise and communicate their own privacy policies, and second, to enable them to follow a set of verifiable auditing guidelines when commissioning a third-party audit," said consortium co-chair Don Peppers.

Red Flags

Although online businesses have long touted the benefits of personalization, which allows firms to zero in on consumers' interests through everything from targeted advertising to shopping recommendations, privacy advocates have raised red flags about the amount of information that must be gathered from users in order for the technology to be effective.

Privacy advocates also have questioned the use of personal data collected online for other purposes and the potential for the sale of such data without the knowledge or consent of the affected consumers.

The consortium, however, said it believes that its guidelines will allow it to more clearly identify the fine line between privacy invasion and digital customization.

Follow Me

The new standards require participating members to:

• Provide "clear and conspicuous" notice to consumers about their data collection practices, including what individual or household information is retained and the duration of time it is kept, whether consumer information is combined with data from multiple sources, and whether the information will be disclosed to other parties.

• Collect only the amount of individual and household data necessary to perform a specified set of tasks that are consistent with privacy notices.

• Protect consumer information by implementing "appropriate security methods and technologies," as well as by limiting employee and contractor access to personal data.

• Offer consumers the ability to opt out of data collection and sharing practices.

• Obtain "express and informed" consent before sharing certain "sensitive" consumer information.

• Provide users with "reasonable" access to personal data, allow users to correct or delete information and make a good-faith effort to ensure that collected data is accurate.

In addition, the consortium said it will require all of its members to submit to an annual privacy audit in which a third-party reviewer will assess whether companies are complying with the privacy guidelines. The Personalization Consortium plans to announce specific audit guidelines and procedures later this spring.

Multiple Standards

According to Andrew Shen, a policy analyst with the Electronic Privacy Information Center, there are already a number of industry guidelines in place, including an advertising trade group's set of Web privacy guidelines that were approved by the U.S. Federal Trade Commission (FTC).

"What we really need is an environment that allows for a predictable level of protection. It doesn't make sense for a consumer to look at a Web site and not be aware of what privacy guidelines apply, the Web site's or a third-party advertiser's," Shen told the E-Commerce Times.

"Many consumers are not even aware of the collection of private data, which is often invisible to the consumer," Shen said.

Hot Spots

Over the past year, the issue of Internet privacy has ignited a firestorm of controversy, with DoubleClick often bearing the brunt of the criticism.

However, the advertising company was able to put its primary legal problem behind it last week when the FTC closed a year-long probe into DoubleClick's data collection and handling practices. The agency concluded that the firm did not violate its own privacy policy or engage in deceptive trade practices.

The investigation, which initially came to light in February, was triggered when the ad company revealed plans to integrate online tracking data with offline personal information -- such as individual names, addresses and shopping patterns -- taken from the extensive catalogs of Abacus Direct Corp., a direct marketing services company that DoubleClick acquired in 1999. DoubleClick later said it would not integrate the data.

Heading for Showdown

Meanwhile, the newly seated U.S. Congress is gearing up for a showdown over online privacy. A batch of Net privacy bills have been introduced since the beginning of the year, proving that the issue -- which has been a source of controversy within the tech world for months -- is now politically potent as well.

Earlier this week, legislation was re-introduced in the Senate that aims to safeguard online users from "spyware" software that covertly tracks shopping and surfing habits of online consumers. Another measure proposed in the U.S. House of Representatives last week calls for Web sites to notify visitors about how personal data, such as telephone numbers and ZIP codes, is being used. That proposed law would allow visitors to limit such use.