Privacy Advisor

Sometimes the Tail Has to Wag the Dog

September 1, 2006

Elise Berkower

Vendors that provide Internet technology products or services sometimes find themselves in the strange position of suggesting that changes be made in their clients' Web site privacy policies. As Privacy Compliance Officer for a company that has, over the years, offered ad-serving, volume email delivery, Web site analytics and search technologies, among other services, I have had to explain to our clients why our contracts require them to disclose in their privacy policies their use of our technologies. Once they understand the implications of the use of online technologies, however, they recognize that they need to view the data collected from their online technology vendors in the same way that they examine their offline vendors' information collection practices: They need to understand what kinds of information are collected and processed on their behalf, and how that information "gets" to the vendor.

While clients may recognize the general best practices of giving their online visitors meaningful notice and choice about the kinds of information that are collected about them when they visit their Web sites, how such data are collected and what is done with that information, clients may not be aware that there are laws and formalized industry guidelines that cover the disclosure of the use of certain Internet technologies. In addition, recent decisions, consent decrees and settlements indicate that regulators may hold vendors responsible for clients' use of their products/technology (and vice versa).

Laws and Industry Guidelines

The EU Telecommunications Directive (2002/58/EC) requires Web site operators to disclose their use of "non-obvious technologies" to gather information from visitors, and provide visitors with a means of exercising choice with regard to such data collection. These technologies include cookies and Web beacons (a/k/a "pixel tags"). In addition, industry best practices in the U.S. (i.e., the Web Beacon Guidelines and the Direct Marketing Association's Online Marketing Guidelines), and some self-regulatory schemes - such as the Network Advertising Initiative's (NAI) Self-Regulatory Principles - similarly support a Web site's disclosure of the use of Internet technologies such as cookies and Web beacons. Most ad-serving, email delivery, search, and Web site analytics solutions - and just about every technology that enables personalization - utilize cookies and/or web beacons or similar "non-obvious technologies."

Regulatory Activities

Within the past year, the Federal Trade Commission and the New York state Attorney General have obtained settlements or consent decrees that hold businesses responsible for the information collection practices of their "partners" (read: customers and vendors) and "affiliates." These "you are your brother's keeper" cases arguably impose reciprocal obligations on both Internet technology vendors and their clients.

When clients were made aware of the laws, industry practices and regulatory developments, they invariably understood the need to ensure that their privacy policies adequately disclosed their use of our technology at their Web sites. They also recognized that technology vendors are in the best position to understand their own technology and the implications of its use. Most technology vendors, through industry groups or directly, are in the trenches legislatively and with regulators and are more familiar with the necessity of adequate disclosures. Poorly worded state anti-spyware legislation, for example, could negatively affect technology vendors' products or their clients' use of them.

Depending upon the product or service, we have offered clients either suggested disclosure language or the elements that should be included in such a disclosure. Once the client has understood why a change was needed, the modifications to its privacy policy were usually a collaborative effort. Because nuances of some technologies can be difficult to grasp, it sometimes took two or three drafts to satisfy both sides.

Suggestions for the Application Service Provider Technology Vendor

  • For your own protection, include a provision in your contracts that requires your clients to accurately disclose in their Web site privacy policy the use of your product or service.
  • If you are encountering reluctance from your client about changing its privacy policy, try to escalate the discussion to your client's privacy specialists, if any, or legal department.
  • Walk them through how your technology works and its privacy implications.
  • Emphasize that any material changes in the kinds of user data collected or ways they are used cannot be retroactive - data collected under a different privacy policy should not be loaded into your system if they will be used in a different way than was promised when they were acquired.
  • Maintain a compliance program that prevents a client from "going live" until its privacy policy adequately discloses the use of your technology.

Suggestions for the Vendee

  • Ask the vendor if it is a member of an industry group that has "best practices" guidelines or other self-regulation.
  • Ask the vendor what types of technology its product uses (e.g., cookies, Web beacons, JavaScript) and whether personally identifiable or non-personally identifiable information is collected during the process.
  • Have the vendor walk you through exactly how the product would work on your site, including what information about your visitors would be implicated.
  • Find out if the technology needs to use personally identifiable information for it to work the way your company wants. Most Web site analytics, email delivery, and many search products need to use some sort of personally identifiable information for them to work satisfactorily - but it may be possible to adjust them to give you more comfort with the process.
  • If the vendor's product does use a cookie, find out from which domain the cookie is set. If the domain will be established just for you, then it is less likely that information collected from your site would be available to the vendor's other clients than if the domain is used by multiple clients.
  • If the product uses cookies, ask the vendor to see the P3P policy (or policies) for the cookies. (The P3P policy will identify the owner of the data linked to the cookie, the categories of data and whether there is an opt-in or an opt-out related to that cookie.)
  • Ask if the vendor can review your existing privacy policy to see if what its technology will do is already covered by the way other vendors' services are described. If it isn't, ask for help in conveying how the technology will work. Some technology vendors provide suggested disclosure language (e.g., the NAI suggested disclosure for Online Preference Marketing).

Ensuring that the use of Internet technologies is disclosed adequately to visitors is a Win-Win-Win situation: consumers are appropriately informed and feel more comfortable about visiting a Web site, and both the Web site and the technology vendor are recognized as responsible cyber-citizens and can also benefit from the consumers' greater comfort.

Elise Berkower, an attorney and CIPP, served as DoubleClick's Senior Privacy Compliance Officer for six years, helping DoubleClick's ad serving, search, Web site analytics, email and direct marketing clients address privacy issues. She recently joined Chapell & Associates, the leading strategic consulting firm focusing on privacy, marketing and public policy, as its Executive Vice President of Privacy Strategy. She participates in many privacy and technology industry groups, and is a member of the Advisory Board of The Privacy Advisor. She can be reached by email at elise@chapellassociates.com.