One reason the Internet is an excellent marketing and advertising tool is that it provides much more information about consumer behavior than is available through traditional print-based media.
By monitoring visitors on your Web site, and collecting reactions to ads placed on other Web sites, you can obtain a host of consumer information, including how many people viewed your ad, what percentage of people clicked on the ad, what percentage of people purchased your product after seeing the ad, which pages on your Web site are visited most often, the names of other Web sites your customers have visited, and customers’ e-mail addresses and other personal information.
This data can help you substantially improve your products and services. Unfortunately, the ease of collecting consumer data has resulted in fraud, violations of consumer privacy, and identity theft. As a result, consumers are increasingly wary of providing personal information, and more laws are being passed to protect their rights.
In this article we examine several Internet advertising and privacy laws, and we discuss how to reassure your customers while legally collecting the information you need to build your business.
The Law of the Land
Long before the Internet, the U.S. government passed laws protecting the privacy of consumers’ personal information and shielding them from misleading, fraudulent, and deceptive advertising practices. These laws also apply to the Internet–you should be especially familiar with Section 5 of the FTC Act. The U.S. Federal Trade Commission (FTC) publishes guidelines to help businesses apply older laws to the Internet. For instance, the three primary legal requirements for truth in advertising are:
Advertising must be truthful and not misleading.
Advertisers must have evidence to back up their claims.
Advertisements cannot be unfair.
To honor these legal requirements when advertising on the Internet, the FTC recommends that businesses:
Place disclosures on the same Web page as the claim they apply to, and when necessary, provide adequate visual cues to indicate that a consumer must scroll down on the page to view the disclosure.
When hyperlinking to disclosures, make the link obvious and noticeable, label the link accurately and indicate its importance, place the link near relevant information, ensure that the link takes consumers directly to the disclosure, and monitor link usage to ensure its effectiveness.
Display disclosures prior to purchase.
Ensure that an advertisement’s “text, graphics, hyperlinks, or sound do not distract consumers’ attention from the disclosure.”
If your Web business sells other companies’ products, be aware that the FTC can also hold you responsible for misleading ads and product descriptions, even when those materials are provided by the manufacturer. The FTC recommends that “to protect themselves, catalog marketers should ask for material to back up claims rather than repeat what the manufacturer says about the product” and that “in writing ad copy, catalogers should stick to claims that can be supported.” The FTC pays closest attention to ads that make health or safety claims, or that present data or statistics that consumers would have difficulty verifying.
In addition to pre-existing laws, the U.S. Congress has enacted several new laws that govern Internet advertising and privacy. The most important of these is H.R. 29, more commonly known as the SPY Act (Securely Protect Yourself Against Cyber Trespass Act), which came into effect on March 5, 2005. The Act prohibits specific types of Internet advertisements and methods for manipulating users’ computers, including:
Advertisements that cannot be closed “without undue effort or knowledge by the user.”
Advertisements that can only be closed by “turning off the computer or closing all sessions of the Internet browser for the computer.”
Modifying a computer user’s browser settings so that a different Web page appears when the browser is launched.
Changing a computer user’s default ISP or Internet connection method, as well as any settings associated with these connections.
Altering a “list of bookmarks used by the computer to access Web pages.”
Altering any “security or other settings of the computer that protect information about the owner or authorized user for the purposes of causing damage or harm to the computer or owner or user.”
“Collecting personally identifiable information through the use of a keystroke logging function.”
The SPY Act also addresses Internet consumer privacy issues, particularly the use of information collection programs that are installed on a user’s computer to gather information about that user. The Act defines an information collection program as one that collects personally identifiable information and either sends the information to anyone other than the computer user, or uses the information to display advertising on that user’s computer.
Before you can install and execute such a program, the user must be given notice of the program’s data collection functions and must consent to the program’s execution. The Act states that notice of the program’s information collection functions must be clear, conspicuous, written in plain language, and clearly distinguished from any surrounding text or information. Further, the program must contain one of the following statements (or something substantially similar) depending on the program’s exact function:
“This program will collect and transmit information about you. Do you accept?”
“This program will collect information about Web pages you access and will use that information to display advertising on your computer. Do you accept?”
“This program will collect and transmit information about you and will collect information about Web pages you access and use that information to display advertising on your computer. Do you accept?”
If your business caters to children, you should be aware of The Children’s Online Privacy Protection Act, which requires that businesses “obtain verifiable parental consent before collecting, using, or disclosing personal information from children, including their names, home addresses, e-mail addresses, or hobbies.” Also investigate state laws.
Many industries have special laws governing information privacy; these laws also apply to doing business on the Internet. For instance, if your business offers loans, financial or investment advice, insurance, or any type of financial product or service, make sure you adhere to the Gramm-Leach-Bliley Financial Modernization Act of 1999.
Developing Your Privacy Policy
Now that you are aware of the laws governing Internet privacy, it is time to develop a privacy policy for your business. A privacy policy is a legal document that:
Explains to consumers how your business will collect, use, and keep secure any information you obtain about them.
Demonstrates a level of responsibility to your customers, forming a bond of trust that will increase their confidence in you and willingness to do business with you.
Helps your business meet legal requirements.
Functions as a guideline for making business decisions.
Following is a summary of the FTC’s recommendations for a privacy policy:
Notify consumers about your Web site’s information collection policies.
Allow consumers to choose how your business uses any information you collect which personally identifies them.
Give consumers a mechanism for reviewing the information you collect about them.
Ensure the security of all consumer information that your business collects.
Two excellent examples of a privacy policy can be found at www.ftc.gov/ftc/privacy.htm and www.amazon.com. The remainder of this article discusses the elements of a complete privacy policy.
What Information Is Collected and How
Your privacy policy should clearly state what consumer information you collect from anyone who visits your Web site (or communicates with your business in any other manner). There are two broad types of consumer information:
Personally identifiable information (PII) is the most sensitive because it can be used to identify an individual. PII includes a person’s legal name, e-mail address, physical mailing address, social security number, phone number, medical records, and bank account numbers or other financial data. Consumers feel most secure when the only PII you collect is information they provide to you directly, such as by filling out a form on your Web site.
Non-PII is anonymous information that cannot be used to identify an individual. Non-PII is often used to track how visitors navigate your Web site, which pages were viewed most often, what other Web sites they have visited, and similar data.
You should also identify the technologies and methods your business uses to collect consumer information. Disclosing your methods accomplishes two things: increases customers’ trust and confidence in your business, and helps technically-savvy customers opt-out of data collection. For non-technical customers, however, you should explain how they can opt-out of providing both PII and non-PII.
How Collected Information Is Used
In this section you tell consumers exactly how you will and will not use the information you collect. Use this as an opportunity to sell them on your Web site’s features and services. For instance, maybe you use cookies to track what articles they read so that you can suggest related articles.
Because e-mail spam is such a problem, the first question consumers usually have for a business is, “Will you give my e-mail address to anyone else?” Customers are usually most comfortable when their e-mail addresses are only used by the business they directly give them to. However, there are many situations where businesses can benefit from sharing their customers’ e-mail addresses. Whether you plan to share customers’ information or not, it is vital that your privacy policy accurately describes your business practices and, in the process, reassures customers so they will continue to provide the information you need to successfully run your business.
How Consumers Can Opt-Out
Generally speaking, PII should only be collected with the consumer’s consent. Non-PII can be collected without the consumer’s consent, but your privacy policy should clearly explain how the consumer can opt-out of your data collection process. The actual steps for opting-out depend on the type of information you collect and the technologies you use to do it.
If you allow third-party advertising companies, such as 24/7 Real Media or DoubleClick, to run advertisements on your site, you should tell consumers how to opt-out of these companies’ information collection process as well. However, you do not have to provide the exact instructions; simply point customers to the appropriate page on the third-party’s Web site. Alternatively, if the third-party advertiser is a member of the Network Advertising Initiative (NAI), point your customer to the NAI opt-out page at www.networkadvertising.org/optout_nonppii.asp.
For more information about third-party advertisers and the NAI, please see our article “Introduction to Internet Advertising.”
How Collected Information Is Kept Secure
Privacy and security are two separate issues. The security section of your privacy policy should describe how you ensure that all consumer information is protected from theft. If you share consumer information with business partners, what steps do you take to ensure they keep the information secure?
With Whom You Share Collected Information
It is not necessary that you list every single company, business partner, or entity that you might share collected information with. You should, however, mention types of entities you will share information with; for instance: business partners, credit card companies, and government agencies. For each type of entity, list the type of collected information you would share and under what circumstances.
Getting More Information
There are several organizations that can assist your business by recommending privacy policies and security technologies, reviewing your privacy practices, and providing endorsements. One of the most respected is TRUSTe (www.truste.org), an independent, non-profit organization established to safeguard Internet privacy and security.
Look at your competitors’ privacy policies and consider them from a customer’s perspective. Make sure that your policy does a better job of informing and reassuring potential customers.
If you have questions about advertising and privacy laws, or how they are interpreted and applied to business, we recommend that you consult a lawyer. For information about running an Internet advertising campaign, see our article “Introduction to Advertising.”