|
For DoubleClick Inc. (
DCLK), a
hot Internet advertising company, things have suddenly gotten a little too warm. On Jan. 27, Harriet Judnick, a Marin County (Calif.)
administrative assistant, filed a lawsuit against the company alleging violation of privacy rights and deceptive business practices. It's
a case of the mouse that roared, and it signals how ordinary consumers are getting wise to the intricate workings of online marketers and
the lack of privacy on the Web.
DoubleClick is the top ad-server company on the Web. Its computers insert banner ads and other promotional messages on about 1,500 Web
sites. Those messages can be precisely aimed at the most likely customers, thanks to little text files called cookies, which allow
DoubleClick to track what people are looking at and build detailed profiles of them—about 100 million profiles to date. These profiles
show how Web surfers—who are identified only by their cookies—move around among sites, what books and CDs they buy, what places they
spend the most time in.
What prompted Judnick to call a lawyer was DoubleClick's latest marketing tour de force: It quietly reversed an earlier policy of
providing only anonymous data about Web surfers to marketers and last fall began combining its online profiles with information from
direct mailers and others that help determine the actual identity of the Web surfer. In November, DoubleClick paid $1.7 billion for Abacus
Direct Corp., a data-warehouse company that has records of consumers' catalog purchases, including name and address data. It has also
begun pulling in similar personal data from Web partners. The result: DoubleClick not only knows where you go online and what you do there
but also who you are, where you live, and your phone number. This is nirvana for direct marketers, but it gives Judnick the creeps. She
says she got a stream of unsolicited e-mails from insurers, loan companies, and other firms after she recently looked up
medical-insurance information online.
WHAT POLICY? Privacy advocates say the allegations in the DoubleClick suit are just one sign of how the Internet's data-grabbers
routinely go too far. The advocates concede that consumers willingly give up information about themselves when they register at a site but
they insist that most surfers have not understood how a little bit of data can turn into a big invasion of privacy. Another issue: Even
when sites have strong privacy policies, they are often overlooked. The Health Privacy Project at Georgetown University released a study
on Feb. 1 showing that many online health sites don't follow their own privacy policies—and in some cases share health information about
visitors with their business partners.
Internet companies have every incentive to gather as much customer data as they can—and few reasons to stop. Indeed, integral to the
business plans of many Web companies is the notion that they can reach clearly identified individuals rather than an "audience."
Advertising agencies say they are willing to pay a premium of 10% to 20% for such targeted advertising. "The Internet is the first medium
that offers advertisers the ability to speak to your customers," says Susan Nathan, senior vice-president at ad agency McCann-Erickson
Worldwide Inc., whose clients include Microsoft Corp. and HotJobs.com Ltd. "The more you know, the easier and more fruitful it is to do
that."
A suit filed against Yahoo! Inc. (
YHOO)
gives a peek at how vital private data is to Web businesses. Universal Image Inc., which makes educational videos, sued the portal in
December, seeking damages of up to $4 billion for allegedly not living up to a contract to provide data, including customer e-mail
information, that Yahoo culled from surfers who downloaded video from its Web site. The contract had been signed between Universal Image
Inc. and Broadcast.com Inc. before Broadcast.com was acquired by Yahoo. Yahoo declines comment on the case.
Online marketers say the data-gathering is nonthreatening—that it is merely a way of fine-tuning marketing for the convenience of
consumers as well as marketers. But with cybercitizens up in arms, Capitol Hill is listening to the complaints. Online-privacy legislation
is expected to be a major bipartisan issue in Congress this year, with at least five legislators preparing to introduce bills that require
companies to better inform consumers about their practices, let Web surfers know exactly what they're agreeing to, and provide enforcement
if companies drop the ball. Several states are also taking legislative and enforcement initiatives. "This issue has gone off the Richter
scale in terms of public sensitivity," says Senator Ron Wyden (D-Ore.)
Judnick is representative of the breed of Netizens who just want to be left alone. Her suit contends that DoubleClick, with the new
Abacus data, is using personal information without the knowing consent of Internet users. "I didn't feel like my information should be
sold," Judnick says. DoubleClick says its policy has always been to inform online users and give them the option to opt out. "If we have
personally identifiable information, it must be true that you have been given notice, and you have chosen not to opt out," says Jonathan
Shapiro, DoubleClick's vice-president for business development.
But privacy policies can be deceptive, says privacy advocate Richard M. Smith, who has been documenting online privacy breaches (page
40). He has charged Amazon.com Inc. (
AMZN)
with gathering more personal information about customers than consumers would expect if they read its privacy policy. "The more
experience we all have with the inadequacy of these policies, the more sense there will be to enact some protections," says David Sobel,
general counsel at the Electronic Privacy Information Center in Washington.
LITTLE WARNING. Net companies insist that they are capable of regulating themselves and that it would be self-defeating to abuse
customer privacy: It's in their best interest to keep customers happy and surfing. And so far, regulators have taken a hands-off approach.
While the Federal Trade Commission has watched online privacy closely and issued rules governing the online privacy of children in
October, it has so far declined to establish any rules regarding adults. In November, the FTC concluded a privacy workshop with promises
from the 10 leading ad-services companies to come up with voluntary guidelines. Since then, the companies have not put anything
forward.
Privacy advocates maintain that consumers are not adequately warned about how the information they volunteer, or that they allow a
specific site access to, will be used. In her suit, Judnick is asking the court to force DoubleClick to request permission before it
tracks consumers' online behavior. She is also asking that the company be forced to destroy all data it acquired without users'
consent.
As the privacy issue gets more attention, momentum is building for government action. States including New York and Hawaii have pending
legislation, and California, Maryland, and Virginia are expected to follow. In a case that could be a taste of things to come, the New
York State Attorney General reached settlements with Chase Manhattan Bank (
CMB) and
Sony Music Entertainment Inc.'s (
SNE)
online service InfoBeat to curtail information-sharing practices with outside partners. The office says Chase was violating its own
privacy policy, though the bank contends it didn't.
In this election year, many federal legislators are taking a range of initiatives. Oregon's Wyden and Senator Conrad Burns (R-Mont.)
are co-sponsoring a bill that gives consumers the chance to block the collection of information and the right to access any data that has
been gathered. A bill from Senator Patrick J. Leahy (D-Vt.) bolsters the ability of consumers to opt out and tackles government intrusion
into personal privacy. This year's campaign slogan could be: It's online privacy, stupid.
| 
