Cookies Crumble

as Internet network advertising company DoubleClick Inc. takes the heat from the dark side of the privacy spotlight – it has five state attorneys general and the Federal Trade Commission breathing down its neck – the e-commerce community struggles to determine what privacy means in the age of profiling.

Profiling through the use of cookies is at the center of government probes into DoubleClick. As the first to push the privacy envelope – and get stung for it – the company is in many ways a test case.

Profiling occurs through the use of a cookie – a code that is placed by a network advertiser on a user’s computer hard drive. Many marketers defend the practice.

“Cookie technology is the most important mechanism for measuring the marketer’s return on investment online,” remarks Jay Schwedelson, corporate vice president of Worldata/WebConnect, Boca Raton, FL. “Because it’s personalization without intrusion if used properly.”

Because of cookies, New York-based DoubleClick is able to target a cokibanner advertisements to consumers. It sends banner ads to 11,000 Web sites. A cookie doesn’t identify the consumer by name. Instead, once imbedded into the hard drive of a user’s computer, it tracks the travels of that computer around the Web, collecting non-personally identifiable information such as the server the computer is logged onto, the browser type and whether the consumer has responded to an ad. Known as anonymous profiling, this technology keeps track of how many ads have been shown to a particular computer’s browser, and serves particular ads based on activity.

“A cookie is like a license plate – a string of numbers and letters that will tell that Web site that you’ve been there before,” explains Jonathan Shapiro, senior vice president of the New York-based DoubleClick. “If I serve 25 ads to a browser and I know 24 of 25 ads were served to a sports content site, I have a strong indication that the person using that browser is interested in sports [and I’ll serve subsequent ads aimed at that interest].”

“Ninety-nine percent of DoubleClick’s business is what Engage and 24/7 do,” says Derek Scruggs, permission advocate of MessageMedia, whose Boulder, CO, company is a client of DoubleClick. “There’s no difference between them. They all track what you do across multiple Web sites.”

But when DoubleClick signed its pact to acquire catalog cooperative Abacus Direct Corp. in November, it also acquired the ability to marry the anonymous behavioral data collected by cookies with the name, address, buyer and demographic information in Abacus’ database. This changed the privacy balance of power, setting DoubleClick apart from most – but not all – of its competitors.

In addition to serving ads based on cookie data, one other network advertiser, 24/7 Media, has combined cookies with personally identifiable data through an agreement it has with Naviant, which processes online product registrations for computer companies. 24/7 reportedly placed 15 million cookies on the hard drives of Naviant’s registrants.

DoubleClick and 24/7 are the only two of the 10 advertising networks that have offline data. Engage, an advertising network that is a unit of CMGI, and includes AdSmart and Flycast, has built a database of 52 million profiles “all based on behavioral data online,” according to a spokesman. “We don’t plan on having any personally identifiable information,” he adds.

The way the DoubleClick model was to work is clickstream (anonymous cookie) data was merged with personal data collected on Web sites. After completing the Abacus acquisition, DoubleClick began signing up sites where consumers would provide their name, address and e-mail address on a site’s registration page or an order form.

Since the Abacus co-op contained information on 90% of the households in the nation, it was a safe bet that whomever registered on a Web site could be found in the Abacus database.

Consumers who signed up were given notice when they registered online, through language on the registration screen that their data was going to be used for marketing purposes – and they were given an opportunity to opt out, says Shapiro, who is also general manager of Abacus Online.

Meanwhile, the company began building technology that would enable it to serve ads based on this mingled data targeted toward consumers’ past buying behavior and travels around the Web.

“We never served one single ad that was attached to a user’s name,” Shapiro points out. “We weren’t planning on launching this technology until the fourth quarter of 2000.”

That didn’t matter to the Electronic Privacy Information Center (EPIC), Washington, D.C., which filed a complaint with the FTC in February, charging that DoubleClick did not make clear to consumers how it was planning on using the Abacus data. EPIC knew about 24/7, but “DoubleClick is the Internet’s largest advertiser, that’s why we focused on them,” explains Marc Rotenberg, EPIC director.

The subsequent FTC inquiry and probes by attorneys general (four of which DoubleClick is now negotiating settlements with) created a firestorm of publicity.

Finally, on March 3, DoubleClick’s CEO Kevin O’Connor made his now-famous pledge not to merge anonymous data with consumer names. “I made a mistake by planning to merge names with anonymous user activity across Web sites in the absence of government and industry privacy standards,” he said.

“That’s kind of a `duh’ moment because the real value for them is if they can link the Abacus data with online data,” observes Internet privacy expert Paul Schwartz, a professor at Brooklyn Law School.”

By the time O’Connor made his statement, DoubleClick had married a certain number of its 100,000 files containing clickstream data with a certain number of its 80,000 files containing Abacus Alliance data. How many have been combined “we never release,” says a spokesperson.

Using these records is still very much in DoubleClick’s business plan, after a privacy standard has been hammered out and agreed upon by industry, government and privacy interests. “We are hopeful and confident that we will find a way to do this in the future,” Shapiro says.

(24/7 says it also has not yet served ads on its offline/online combined information. “We don’t have any plans to do so until and unless the government approves self-regulatory principles or gives us other guidance,” says Megan Hurley, vice president and associate general counsel of the New York company.)

None of this is illegal, but many observers feel it would be a privacy violation nonetheless. “On the one hand, I sympathize with DoubleClick,” muses MessageMedia’s Scruggs. “All they are trying to do is make advertising more accessible. “Their fatal error was in trying to take the Abacus database and marry that to online data.”

Another error was not communicating its intention well, others says. Joining Abacus data to online data “was a very spectacular thing and I think it demanded a very spectacular announcement and education to the consumer,” opines Connie LaMotta, president and CEO, LaMotta Strategic Communications Inc., New York. “They did not do this effectively….It’s more like they got found out.”

“There’s absolutely nothing wrong with my telling you in a privacy statement up front that I’m going to be tracking every move that you make,” remarks Rodney Joffe, founder of customer relationship marketing company Whitehat. “What was wrong is DoubleClick didn’t make it absolutely clear that visitors to their clients’ Web sites that DoubleClick was actually [a third party] involved in the process.”

After O’Connor’s announcement, the company took a number of widely reported steps to show its good intentions toward privacy. One was working with a group it formed last summer, the Network Advertising Initiative, to hammer out privacy guidelines for itself and the 10 other entities that use cookie technology to place ads online. At press time, the nonprofit group was putting the finishing touches on a set of principles on which they would all abide, says a source. The FTC, the Direct Marketing Association and other groups are to have input on the finished guidelines. Generally, the principles will be based on the general standard of fair information practices on the use of personal information, which provide consumers’ notice, choice, security of information and access. Specifically, the ad companies would post privacy statements with a way for the consumer to opt out of personally identifiable or anonymous data from being used by marketers. New clients of the network advertisers would be compelled to post policies that explain and identify the third-party ad companies and present a link to an opt-out site. The group would also work to educate site visitors about profiling and increase consumer confidence.

The DMA’s privacy guidelines are similar, saying sites’ privacy policies should disclose when cookies are used and how they are used, says Pat Faley, DMA vice president of ethics and consumer affairs, Washington, D.C.

Sure, but whose responsibility is it to disclose when and how cookies are used – the site where the consumer sees the ad or the network advertiser that posts the ad on the site? “Both,” Scruggs says. “If you are running a site, you need to talk about what data you’re collecting. If you’re running ads that are collecting data, you really should disclose that to your users.”

Meanwhile, privacy advocates are bruising for more dramatic change. To Andrew Shen, policy analyst at EPIC, the guidelines sound like a start to a process that should end with a law. “There’s a need for a legally enforceable privacy standard with independent enforcement,” says Shen, who also serves on an online privacy panel for the FTC.

DoubleClick’s Shapiro defends self-regulation and says focus groups organized by his company across the country have shown it’s not the profiling in general that people are concerned about. “It’s the potential for someone’s name, once it’s attached to Web usage across sites, to give someone access to sensitive information [such as medical or certain financial data] that is concerning people,” Shapiro says. “At the same time, almost everyone we speak to would rather get ads that are relevant to them.”

Shen retorts: “But to receive targeted ads, you have to be tracked. Do you still want to receive targeted ads? I think most people would say no.”

Since cookie technology is vital to the future of online direct marketing, that alone may motivate compromise. “If you don’t make sure that as an industry, we have best practices that include the use of cookies…it’s going to kill direct marketing,” cautions Reggie Brady, vice president of strategy and partnerships at Greenwhich, CT-based FloNetwork Inc., “it’s going to kill all direct marketing.”

asian Americans are the most wired ethnic group in the United States. A whopping 64% of Asian American households were online in 1998 – and that’s expected to grow to 68% this year, says Cambridge, MA-based Forrester Research Inc. They are an e-commerce purveyor’s dream, making by far more purchases online than any other group.

That’s not news to two of the hottest community sites for Asian Americans. Both AsianAvenue and Aonline appeal to young people whose parents generally came from China, the Philippines, Japan, India, Korea or Vietnam. They typically grew up speaking their parents’ native language, but they are at ease speaking English. They view themselves as Americans who want to hold onto the cultural richness of their Asian heritage.

With their chat rooms, personal Web pages, forums on controversial topics and resources for enhancing one’s social and professional life, both sites meet these goals, but they also serve as a way to find, say, another Indian-American graduate student in the Midwest. “If there’s one place that can link people of disparate needs in one place, it’s the Internet,” says Gilbert Cheah, senior vice president of marketing at A. Media.

AsianAvenue.com, New York, has signed up 640,000 members since 1997. It appeals to 18- to 34-year-olds, with a concentration on college students. Membership is free.

Grassroots enlistment efforts, which tend to work well with older Asian Americans – a segment that’s been neglected by marketers but is reportedly ready to buy – also works for the younger generation.

AsianAvenue’s sign-up rate accelerated to 80,000 members a month after a fall campaign on 30 college campuses where the site gave away about 10,000 grab bags containing CDs of Asian American music groups as well as AsianAvenue-branded mouse pads and telephone calling cards.

The site followed up in April – Asian American Pacific Heritage Month – with a spring tour featuring those artists performing live. The thousands of attendees are all solid prospects. “It’s really our responsibility to go out and show the community…what we’ve contributed,” explains Calvin Wong, executive director of sales and marketing for AsianAvenue’s parent, Community Connect.

Keeping it in the community is an ideal method for e-mail prospecting, too, says Wong, who notes that he can only get lists with a few thousand names in his target demographic. Members who pass along a prospecting e-mail win points they can cash in for branded goods or travel services.

Aonline.com – set for debut this month – is the latest endeavor of A. Media Inc., New York. A. Media publishes the decade-old A. Magazine, whose 180,000 subscribers are from the same group expected to be drawn to the new Web site: 25- to 45-year-old professionals, who tend to be high earners. Executives expect half a million people to pay $16 to join.

Most prospects responded to ads in the magazine that offered a free hard-copy subscription to the first 10,000 members. But many are reached for free through e-mail lists handed over by organizations to which Aonline executives belong, such as the Asian American Journalists Association. “Our contacts are very willing to help us,” says Cheah.

Both sites report enthusiastic advertisers who can access such demographic data as ethnicity, income and age, plus buying information. And, “if you want to do research or market niche products, you can almost do an instant focus group,” remarks A. Media CEO Jeff Yang.