E-Tailers say 'Trust me'

Well-publicized privacy-related disputes have promoted reactions from both implicated e-tailers and concerned consumers. What are the issues involved here?
Written by Jim O'Brien, Contributor

This holiday season, privacy concerns threaten to put a damper on what little customer loyalty exists on the Net. An alarming 86 percent of consumers are concerned about unknown businesses obtaining their personal information, according to a Pew Internet & American Life Project survey.

In response to pressure from privacy groups and voters, federal and local governments are racing to regulate Internet marketers. Ironically, it's Big Brother protecting us from Big Commerce.

It's easy to see why consumers are concerned, given recent well-publicized privacy-related issues involving major e-tailers. The Federal Trade Commission recently settled with Toysmart after the bankrupt e-tailer agreed to refrain from selling its customer list separately from the rest of its assets. Then Toysrus.com was pressured to dump its e-marketing-analysis firm Coremetrics because privacy groups said Coremetrics' policy didn't reveal it shared user-behavior data with third parties - even though Coremetrics was only providing information back to Toysrus.com.

Perhaps reacting to the Toysmart incident, Amazon.com's legal team revised its privacy policy to add an exception to its guarantee against transferring customer data in the event of an acquisition of some or all of its assets. This set off a minor uproar, with privacy group Electronic Privacy Information Center announcing it would stop distributing its publications through the online bookseller.

Groups such as this judge a privacy policy by its guidelines on disclosure, permission (choice over what happens to your data or what you receive from marketers), security (how safe your data is from hackers), quality (the accuracy of data about you), and consumer control (your ability to view and update that data).

The National Advertising Initiative recommends that marketers not tie tracking and marketing to personally identifiable information such as credit-card numbers, names, and e-mail addresses without explicit permission. In addition, marketers should tell you the scope of the information they collect about you, how it's collected, and whether it's shared with third parties.

Unsolicited e-mail is also facing legislation. This summer, the House passed the Unsolicited Commercial E-mail Act, requiring spammers to at least include working unsubscribe links in their e-mails. A Senate vote is pending. Another bill pending in the House would prohibit sending advertising to any wireless device without an explicit "opt-in" from wireless subscribers. The Wireless Advertising Association considers all wireless "push" advertising without confirmed opt-in to be spam, a more stringent m-commerce guideline than the proposed bill. Until recently, e-mail marketers were at loggerheads with Mail Abuse Prevention System (MAPS) over permission to send advertisements through e-mail. So many ISPs use the group's Realtime Blackhole List (RBL) that perceived spammers on the list can easily lose access to half their customers.

Last summer, opt-in marketing service yesmail.com threatened to sue MAPS after it said it would put yesmail.com on the RBL. MAPS removed yesmail.com from the list after it agreed to adopt "confirmed" or "double" opt-in. This generally involves sending a confirmation message asking new subscribers to verify permission so people can't maliciously or negligently sign up others to receive promotional e-mail.

Rather than continue fighting, e-mail marketers have joined with MAPS and other privacy organizations to form the Email Standards Working Group and come up with a "permission guaranteed" seal for companies that follow certain best practices. Industry trade organization Responsible Electronic Communication Alliance is also expected to come up with guidelines. It remains to be seen if we'll have competing standards for permission from different groups, and whether there will be an enforcement mechanism; TRUSTe has been criticized for issuing thousands of seals and never rescinding any.

Even stickier is the issue of "house files," the e-mail-address databases that e-tailers keep to communicate with customers. For instance, it's unclear whether an e-tailer can send notice of a holiday sale to current customers without opt-in. Or notice of a privacy-policy change, for that matter.

We shouldn't overlook the damage unscrupulous individuals do to companies. Some security products align both consumers' and e-tailers' interests. American Express announced a Private Payments service that generates virtual credit-card numbers that are good only for a limited time (30 to 67 days). The real number is never on file at the e-tailer, reducing the risk of a hacker stealing a working number.

Consumers will have access to an array of such products, but with them will come the responsibility to treat e-tailers fairly as well. (Have you ever used a coupon twice just because you could?) Until all parties recognize their interdependence, the value and convenience that have become hallmarks of online shopping are at risk.

Active links

www.cauce.com Coalition Against Unsolicited Commercial Email

www.freedom.net Software for private surfing

www.privacyalliance.org Online Privacy Alliance

www.privatebuy.com Pay to shop anonymously

Editorial standards