We Don't Need 'Do Not Track'

To protect consumers' privacy in the digital age, we need better adherence to existing guidelines—not a whole new set of regulations

by Christopher Wolf

You're walking down the street and receive a mobile-phone text message that offers a digital coupon for a frappuccino at the Starbucks (SBUX) you're approaching. This brand of communication is known as "one-to-one marketing" or "behavioral advertising," and it's likely on its way to a wireless handset near you.

Pharmacies and grocery stores have long targeted offers, but there are many new ways marketers can use personal information to tailor advertising messages. They're able to gather information about personal interests by tracking Internet use and digital media viewing habits, among other things, and then tailor messages accordingly. Consumers benefit from the customization as they receive ads relevant to them instead of those intended for mass consumption that may have no utility for them at all.

The marketing landscape is being transformed through the availability of new technologies. Social networks Facebook and News Corp.'s (NWS) MySpace recently joined the ranks of behavioral marketers (BusinessWeek.com, 11/7/07). Telecommunications giant Verizon Communications (VZ) has unveiled a plan to mine data from its wireless and wire-line customers. And data powerhouse Acxiom (ACXM) recently announced a new service geared toward personalized marketing.

How personal data will be used to tailor communications with consumers in the future is not exactly known, as new technologies rapidly emerge. For marketers and their targets, though, the marketing world will change. Discussions about how to best protect privacy amid this transformation are well under way, with some calling for an overhaul in regulation. But what's really needed is the better application of existing guidelines, rather than the creation of a new set of rules.

Too Much Protection?

The theme at the recently concluded meeting of the International Data Protection & Privacy Commissioners in Montreal was "Terra Incognita," a reference to the unknown future ways that technology will collect and use personal data. While much of the attention was on the new ways that governments can collect and use data, some concluded that privacy laws on the collection and use of personal information are outdated and increasingly irrelevant, with greater restrictions needed.

In that vein, a coalition of U.S. privacy organizations recently demanded that the Federal Trade Commission (FTC) set up a "do not track" list (BusinessWeek.com, 11/5/07) that would let consumers surf the Web not just anonymously but also shielded from targeted marketing that uses anonymous data to tailor online advertising.

This would take privacy law to a new level, where protection is given not only to private data (names, addresses, account numbers, etc.) but also to anonymous data (e.g., data collected through cookie technology), which would be legally regulated. The complexity and enforcement problems with a "do not track" law are enormous. Advocates liken it to the "do not call" rules that pertain to telemarketers, but only the names are similar. Compiling and applying a list of those who do not want tailored advertising will be a technological nightmare. Compliance, to the extent it can occur at all, will be costly. Ultimately, consumers will suffer through increased costs passed on to them, and opportunities for more useful consumer information will be diminished.

Fair Information Practices

Proponents of such a new Web of regulations are overlooking the existing privacy toolbox, principally the practices that have developed under the umbrella of Fair Information Practices. Informed consumers can, using the tools available right now on their computers and choices companies provide them, control the extent to which they are subject to behavioral marketing.

The FTC explains how Fair Information Practices underlie current privacy laws this way:

"Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information—their "information practices"—and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely accepted principles concerning fair information practices."