Private Eyes

The government has brought consumer privacy into the spotlight, creating broad implications for relationship marketing both offline and online.

U.S. legislators are considering 50 privacy-related laws, at least 14 of which would have an impact on marketing.

Meanwhile, the Federal Trade Commission has pledged to increase the staff it dedicates to privacy concerns from 38 to 52 full-time equivalents, and will handle more investigations and file more cases under existing laws — especially the Children’s Online Privacy Protection Act (COPPA) and the Telemarketing Sales Act.

The biggest news for marketers is that, for the first time, the FTC will watch for offline infringements as carefully as it has been vetting online activity. That could affect any brand that benefits from collective consumer data, whether it’s gathered via Internet cookies or frequent-shopper cards.

“A lot of [data collection] practices offline were fairly invisible,” says J. Howard Beales, director of the FTC’s Bureau of Consumer Protection. “When the same practices moved online, they became visible … because it’s immediate, and more conspicuous how a marketer is using the information.”

Will that bring closer offline scrutiny? “It’s not clear how that will sort out,” says Beales. “It’s the same information, the same potential consequences. We try to focus on the consequences of using data, rather than how it’s collected.”

“The implications could be enormous,” suggests Robb Lippitt, chief financial officer of ePrizes, Farmington Hills, MI, who spoke on privacy last month at the Promotion Marketing Association’s annual law conference.

While most executives aren’t concerned yet, “marketers who ignore closer scrutiny of offline privacy practices do so at their peril,” says Reed Freeman, an attorney with Collier Shannon Scott, Washington, DC, who presented with Lippitt (see “Law”).

Year of Living Dangerously

The enhanced spotlight on privacy comes as marketers continue to embrace relationship marketing and incorporate online interaction into most promotional activity. That should make 2002 a bellwether year, as marketers grapple to set standard practices for offline marketing and watch what the FTC pursues.

The FTC will take its cue from consumers. The commission is building a computer system to gather and pursue privacy complaints that could be up by April and likely will launch with an awareness campaign, says Beales. The FTC is sifting through its Consumer Sentinel fraud complaint database and asking advocacy groups to help pinpoint other problem areas to develop a list of relevant categories to segment privacy complaints.

“Consumers are more tolerant of [marketers] collecting lots of information if its use is tightly limited,” says Beales, who also heads the FTC’s Privacy Task Force.

Some industry observers say the FTC’s shift away from adding laws is really a step back from aggressive protection, no matter how much more vigilant it becomes. “The Internet’s decline, the Republican administration, and the Sept. 11 attacks have each taken emphasis away from privacy as a concern,” says one marketing executive.

“Since Sept. 11, the nation is more focused on security, and the balance has shifted away from privacy,” adds Patrica Faley, vp-ethics and consumer affairs for the Direct Marketing Association, Washington, DC.

At least one FTC commissioner, Sheila Anthony, also favors more legislation. “Although some companies have made a good-faith effort, the private sector as a whole continues to fail to effectively self-regulate,” she says in a statement. Without federal legislation to set national standards, “it is unlikely that consumers’ privacy can be adequately protected from identity theft, commercial harassment, and hucksterism.”

“While this industry is not facing the imminent threat of regulation today, it’s only going to take one ‘Exxon Valdez’ kind of breach of privacy to trigger government regulation that will place a strangle-hold on the direct and online marketing industry,” DMA ceo Robert Weitzen warned members at an October conference. “Consumers and government watchdogs are … going to be even more watchful in the very near future.”

However, Weitzen added that, “This is not necessarily bad for an industry that needs consumer trust more than ever.”

The collision of regulation and relationship-building raises ethical questions for marketers. How much consumer data is needed to market effectively but not offensively? How should a brand collect it, use it, share it, and tally it among its assets?

“The big question becomes, ‘Is privacy about knowing who I am, or what I am?’” says David Sparkes, executive vp at Robinson & Maites, Chicago, who sees a silver lining amidst tightening restrictions: “It could make it more difficult to establish a relationship — but more valuable when you do.”

“The more consumers feel protected, the more likely they are to use the [targeted] stuff we give them. Our enemy is junk mail,” concurs Catalina Marketing executive vp David Diamond.

The questions are especially murky for offline promotions. Must marketers publish “affirmative disclosures” outlining how they collect and use offline data? Should they tell consumers if they use data in an unexpected way, or risk being charged with “deceptive material omission”? If consumers give permission once — say, when signing up for a frequent-shopper card — can they be tracked indefinitely?

“If you’re asking for permission, just be clear about what you’re asking permission for,” advises Beales. “If you want to track a consumer indefinitely, say so.”

This year, some enforcers may voice more concern over “involuntary” data (behavior tracked without consumers’ direct knowledge) than “voluntary” data (information obtained directly from consumers). The FTC could press marketers to disclose how they track and use involuntary data because such profiling “is unexpected by the average consumer,” says Freeman.

“We worry more about what information is collected and how it’s used,” counters Beales. “Is it personally identifiable? If not, consumers are less concerned about that.”

“Consumers are more concerned that someone is watching what they’re doing than about what they themselves tell marketers,” says DMA’s Faley. “They feel they have no control over their information. Reputable businesses want to give them control, because that helps build trust.”

Man Behind the Curtain

Consumers first started looking over their shoulders when Internet marketers loudly promised personalized pitches. Freeman calls it the “Wizard of Oz Syndrome. Online technology was scary because it was hard to understand,” he says. “But [similar] practices have been around a long time.”

When it dawned on consumers that marketers track their habits offline too, that raised alarms about catalogs, shopper cards, warranty programs, and other mainstay data-collection devices.

What are consumers so worried about? According to FTC chairman Timothy Muris, it boils down to three things: risks to physical security, especially when it comes to kids; economic injury, especially from identity theft; and unwanted intrusions in their daily lives.

That last one centers on marketing. “Unwanted phone calls disrupt our dinner, and our computers are littered with spam. Individually, the injury is relatively small. But in the aggregate, the harm can be great,” Muris said when announcing the FTC’s agenda in October.

The chairman has a three-part plan: enforce existing laws, improve the commission’s handling of consumer complaints, and step up education for both consumers and businesses.

Four FTC initiatives aren’t about marketing specifically, but seek to: curb identity theft and pre-texting (collecting financial data by impersonating the consumer); clean up credit reporting; and clarify the Gramm-Leach-Bliley Act, which requires financial services to disclose how personal information is used.

But five goals Muris outlined in October are about marketing. They are:

• Limit telemarketing via the Telemarketing Sales Rule and a new national do-not-call list.
• Curb deceptive spam.
• Enforce compliance with COPPA and other privacy policies.
• Extend the Platform for Privacy Preferences system (which lets consumers screen out sites) via Microsoft XP and other software.
• Track consumer complaints.

Past complaints might give marketers an early indication of what the FTC could end up pursuing. Consumer Sentinel (which is operated in collaboration with such consumer protection groups as the Better Business Bureau and the National Association of Attorneys General) fielded 100,000 fraud complaints last year. Of those, 11 percent were about sweepstakes, prizes, and lotteries — the second-highest after identity theft (which accounted for 23% of complaints). Other hot topics included Internet services (10%), online auctions (9%), and credit protection/advance-fee loans (8%).

The 1999 Gramm-Leach-Bliley Act hit financial services last year, requiring banks to disclose privacy policies and let consumers decide about information sharing. Children’s data, healthcare, and personal ID such as Social Security numbers could be the next areas targeted.

The DMA tags health, financial, and children’s data as the only areas sensitive enough to warrant consumer consent (rather than a simple opt-out option) before using, says Faley, whose own alarm bells went off when an American Red Cross postcard asked her to donate blood because stores of her blood-type were low.

“I don’t like that someone has me categorized by that kind of health information,” she explains. “If my antenna went up for that, imagine getting a pitch that says, ‘Since you take Prozac, you might be interested in this product.’”

Most personalized pitches don’t drill down as far as consumers might think, says Sparkes. “We want to make things look as personal as possible but, because of the lack of data or money, they’re not as personalized as people think they are. We use modeling techniques, so it’s mass customization.”

Besides, consumers like the benefits of targeted offers. A late-1990s survey by St. Petersburg, FL-based Catalina found that 93 percent of consumers are concerned about privacy, “but 85 percent of them think it would be great if we could find out what coupons they want and just send those,” says Diamond. “If you don’t surprise people or lie to them, they’re generally fine with you using their data.”

Catalina lets consumers opt in to all programs other than its flagship Checkout Coupon, which triggers offers from purchase data rather than personal identifiers.

The DMA, whose do-not-mail and do-not-call lists each have four million names (a newer e-mail opt-out has about 100,000), finds consumers often take their names off the list after a year or so when they realize they miss getting offers, says Faley. “Sometimes consumers overstate their concern about getting too much mail,” she adds.

Web Entanglements

Online customer acquisition averages $120 per person — twice its cost through direct mail. Still, Web surfing hit an all-time high in October with 115 million users, up 15 percent from one year ago, according to Nielsen/Net Ratings, New York City. Many new users are lower-income households, making Internet use more ubiquitous. Couple that with the fact that the Internet’s growth first prompted privacy concerns, and it’s clear that sites are vulnerable to scrutiny.

The FTC’s online standard is clear: Any Web site with a privacy policy must abide by it, and all sites must comply with COPPA (including the rule that kids under 13 must not be asked for more information than is necessary for them to participate in a particular activity).

The FTC settled with at least four sites for COPPA violations last year. Its highest-profile suit for infringement of a site’s own policy was brought against Toysmart.com, whose bankruptcy proceedings included an effort to sell its customer database after promising customers it wouldn’t share info. It ended with a July agreement that the database would sell only as part of total company assets — and then only to a related marketer that “expressly agrees to be Toysmart’s successor-in-interest as to the customer information,” per the FTC. (Commissioner Anthony disagreed with the settlement, saying consumers should be given the choice to have their info included in the sale or not.)

Separately, the FTC may extend its sliding scale of how sites obtain parental consent (which ranges from e-mail notification to written permission) until 2004, rather than April 2002.

America Online, Dulles, VA, in August changed its privacy policy to give details on how it tracks ad viewing via cookies. Aggregate and anonymous data measures ad effectiveness, but can’t be used to build profiles of individual members. The change initially raised the hackles of some privacy advocates, but there was “not really much” member reaction, says Doug Miller, AOL executive director of integrity assurance.

A Good Offense

So, how can marketers avoid further regulation — or future lawsuits? First, don’t collect more data than can be used. “Many marketers’ goals are bigger than what they can accomplish,” says Lippitt. “Besides, data has a very short shelf life.”

Second, clearly tell consumers how their information will be used, and stick to it. “Marketers who are upfront about privacy and how they market to consumers have an advantage,” says Robinson & Maites president Alan Maites. “The key is for consumers to know what they’re giving permission to. That’s where many marketers fall down.”

Third, make sure the data is secure. “Make sure your data isn’t used in ways inconsistent with what consumers thought the deal would be,” advises Beales, who calls security “fundamental to privacy.”

Consumers have control, too, contends Maites. “It’s not all the marketer’s responsibility. Consumers can opt out. It depends on how much they care about the issue, and how closely they pay attention.”

The government is paying attention. Are you?

Now in play

A scorecard of proposed laws that could affect marketing.

Internet/Interactive

• Online Privacy Protection Act of 2001 (H.R.89.IH): requires the Federal Trade Commission to prescribe regulations to protect the online privacy of individuals not covered by COPPA; to provide greater individual control over the collection and use of information.
• Consumer Online Privacy and Disclosure Act (H.R.347.IH): requires the FTC to prescribe regulations to protect the privacy of personal information collected from and about Internet users and to provide greater individual control.
• Consumer Internet Privacy Enhancement Act (H.R.237.IH): to protect the privacy of consumers using the Internet.
• Electronic Privacy Protection Act (H.R.112.IH): To prohibit the making, importation, exportation, distribution, sale, offer for sale, installation, or use of an information-collection device without proper labeling or notice and consent.
• Location Privacy Protection Act of 2001 (S.1164.IS): To provide for enhanced protection of the privacy of location information for users of location-based services and applications.
• Wireless Telephone Spam Protection Act (H.R.113.IH)
• Cyber Security Information Act (H.R.2435.IH)

Offline

• Personal Information Privacy Act of 2001 (H.R.1478.IH): to protect the privacy of the individual with respect to Social Security numbers and other personal information.
• Privacy Commission Act (H.R.583.IH): to establish the Commission for the Comprehensive Study of Privacy Protection.
• Privacy Act of 2001 (S.1055.IS): to limit the use of personally identifiable information for marketing and prohibit the sale or display of Social Security numbers, health or financial information.
• Citizens’ Privacy Commission Act of 2001 (S.851.IS): to establish a commission to conduct a study of government privacy practices.
• Consumer Privacy Protection Act (H.R.2135.IH): to assure that personal information is properly protected and used only with prior consent.