Sometimes the Tail Has to Wag the Dog
Vendors that provide Internet technology products or services sometimes find themselves in the strange position of suggesting that changes be made in their clients' Web site privacy policies. As Privacy Compliance Officer for a company that has, over the years, offered ad-serving, volume email delivery, Web site analytics and search technologies, among other services, I have had to explain to our clients why our contracts require them to disclose in their privacy policies their use of our technologies. Once they understand the implications of the use of online technologies, however, they recognize that they need to view the data collected from their online technology vendors in the same way that they examine their offline vendors' information collection practices: They need to understand what kinds of information are collected and processed on their behalf, and how that information "gets" to the vendor.
While clients may recognize the general best practices of giving their online visitors meaningful notice and choice about the kinds of information that are collected about them when they visit their Web sites, how such data are collected and what is done with that information, clients may not be aware that there are laws and formalized industry guidelines that cover the disclosure of the use of certain Internet technologies. In addition, recent decisions, consent decrees and settlements indicate that regulators may hold vendors responsible for clients' use of their products/technology (and vice versa).
Laws and Industry Guidelines
The EU Telecommunications Directive (2002/58/EC) requires Web site operators to disclose their use of "non-obvious technologies" to gather information from visitors, and provide visitors with a means of exercising choice with regard to such data collection. These technologies include cookies and Web beacons (a/k/a "pixel tags"). In addition, industry best practices in the U.S. (i.e., the Web Beacon Guidelines and the Direct Marketing Association's Online Marketing Guidelines), and some self-regulatory schemes - such as the Network Advertising Initiative's (NAI) Self-Regulatory Principles - similarly support a Web site's disclosure of the use of Internet technologies such as cookies and Web beacons. Most ad-serving, email delivery, search, and Web site analytics solutions - and just about every technology that enables personalization - utilize cookies and/or web beacons or similar "non-obvious technologies."
Within the past year, the Federal Trade Commission and the New York state Attorney General have obtained settlements or consent decrees that hold businesses responsible for the information collection practices of their "partners" (read: customers and vendors) and "affiliates." These "you are your brother's keeper" cases arguably impose reciprocal obligations on both Internet technology vendors and their clients.
When clients were made aware of the laws, industry practices and regulatory developments, they invariably understood the need to ensure that their privacy policies adequately disclosed their use of our technology at their Web sites. They also recognized that technology vendors are in the best position to understand their own technology and the implications of its use. Most technology vendors, through industry groups or directly, are in the trenches legislatively and with regulators and are more familiar with the necessity of adequate disclosures. Poorly worded state anti-spyware legislation, for example, could negatively affect technology vendors' products or their clients' use of them.
Suggestions for the Application Service Provider Technology Vendor
- Walk them through how your technology works and its privacy implications.
Suggestions for the Vendee
- Ask the vendor if it is a member of an industry group that has "best practices" guidelines or other self-regulation.
- Have the vendor walk you through exactly how the product would work on your site, including what information about your visitors would be implicated.
- Find out if the technology needs to use personally identifiable information for it to work the way your company wants. Most Web site analytics, email delivery, and many search products need to use some sort of personally identifiable information for them to work satisfactorily - but may be able to be adjusted to give you more comfort with the process.
- If the vendor's product does use a cookie, find out from which domain the cookie is set. If the domain will be established just for you, then it is less likely that information collected from your site would be available to the vendor's other clients than if the domain is used by multiple clients.
Ensuring that the use of Internet technologies is disclosed adequately to visitors is a Win-Win-Win situation: consumers are appropriately informed and feel more comfortable about visiting a Web site, and both the Web site and the technology vendor are recognized as responsible cyber-citizens and can also benefit from the consumers' greater comfort.
Elise Berkower, an attorney and CIPP, served as DoubleClick's Senior Privacy Compliance Officer for six years, helping DoubleClick's ad serving, search, Web site analytics, email and direct marketing clients address privacy issues. She recently joined Chapell & Associates, the leading strategic consulting firm focusing on privacy, marketing and public policy, as its Executive Vice President of Privacy Strategy. She participates in many privacy and technology industry groups, and is a member of the Advisory Board of The Privacy Advisor. She can be reached by email at firstname.lastname@example.org.