Posts Tagged ‘PII’
Privacy policies are long, onerous and boring. Most consumers never read them, even though they constitute a binding contract. Here is a handy checklist of some quick things to skim for.
- The type of information gathered by the website, including information which is voluntarily provided (e.g., name, date of birth) and electronic information (e.g., tracking cookies).
- What information is optional (i.e., requested but not required for website use) versus what information you must provide if you want to use the website.
- With whom your information is shared, and if it is shared with affiliates, you should learn the identity of the affiliates. The more information you provide, the more concerned you should be about this answer.
- How your information is used (e.g., for targeted advertising, for general marketing, for selling data to third parties). As above, the more information you provide, the more concerned you should be about this answer.
- How long the website retains your information, and similarly, what rights you have to have all of your information deleted by the website (including information the website has already shared with third parties).
To understand the genesis of “Do Not Track” it is important to understand what online tracking is and how it works. If you visit any website supported by advertising (as well as many that are not), a number of tracking objects may be placed on your device. These online tracking technologies take many forms, including HTTP cookies, web beacons (clear GIFs), local shared objects or Flash cookies, HTML5 cookies, browser history sniffers and browser fingerprinting. What they all have in common is that they observe web users’ interests, including content consumed, ads clicked, and other search keywords and conversions, to track online movements and build online behavior profiles that are used to determine which ads are selected when a particular webpage is accessed. Collectively, these are known as behavioral targeting or advertising. Tracking technologies are also used for other purposes in addition to behavioral targeting, including site analytics, advertising metrics and reporting, and capping the frequency with which individual ads are displayed to users.
The focus on behavioral advertising by advertisers and ecommerce merchants stems from its effectiveness. Studies have found that behavioral advertising increases the click-through rate by as much as 670% when compared with non-targeted advertising. Accordingly, behavioral advertising can bring in an average of 2.68 times more revenue than non-targeted advertising.
If behavioral advertising provides benefits such as increased relevance and usefulness to both advertisers and consumers, how has it become so controversial? Traditionally, advertisers have avoided collecting personally identifiable information (PII), preferring anonymous tracking data. However, new analytic tools and algorithms make it possible to combine “anonymous” information to create detailed profiles that can be associated with a particular computer or person. Formerly anonymous information can be re-identified, and companies are taking advantage in order to deliver increasingly targeted ads. Some of those practices have led to renewed privacy concerns. For example, recently Target was able to identify that a teenager was pregnant – before her father had any idea. It seems that Target has identified certain patterns in expecting mothers, and assigns shoppers a “pregnancy prediction score.” Apparently, the father was livid when his high-school age daughter was repeatedly targeted with various maternity items, only to later find out that, well, Target knew more about his daughter than he did (at least in that regard). Needless to say, some PII is more sensitive than others, but it is almost always alarming when you don’t know what others know about you.
Ultimately, most users find it a little creepy when they find out that Facebook tracks their web browsing activity through its “Like” button, or that detailed profiles of their browsing history exist that could be associated with them. According to a recent Gallup poll, 61% of individuals polled felt the privacy intrusion presented by tracking was not worth the free access to content. 67% said that advertisers should not be able to match ads to specific interests based upon websites visited.
The wild west of internet tracking may soon be coming to a close. The FTC has issued its recommendations for Do Not Track, which it recommends be instituted as a browser-based mechanism through which consumers could make persistent choices to signal whether or not they want to be tracked or receive targeted advertising. However, you shouldn’t wait for an FTC compliance notice to start rethinking your privacy practices.
It goes without saying that companies are required to follow the existing privacy laws. However, it is important not only to speak with a privacy lawyer to ensure compliance with existing privacy laws and regulations (the FTC compliance division also monitors whether companies comply with posted privacy policies and terms of service) but also to ensure that your tracking and analytics are done in a non-creepy, non-intrusive manner that is clearly communicated to your customers, enables them to opt in, and gives them an opportunity to opt out at their discretion. Your respect for your consumers’ privacy concerns will reap long-term benefits beyond anything that surreptitious tracking could ever accomplish.
A February 2011 ruling against Williams-Sonoma by the California Supreme Court held that a consumer’s ZIP code was “personal identification information” that merchants are not permitted to demand from customers under a California consumer privacy law. The result was a rash of lawsuits against businesses such as Wal-Mart Stores Inc., Bed Bath & Beyond Inc., Crate & Barrel and Victoria’s Secret. Though some stores claim to use the ZIP code information to protect against credit card fraud (i.e., if the card was stolen, the user is less likely to know the ZIP code of the true owner), most businesses use the information for marketing purposes. Ultimately, the California Supreme Court held that merchants can still collect customers’ ZIP codes under limited circumstances such as gas station pumps where the information is requested for security reasons, and in transactions involving shipping. Retailers may also ask customers to produce a valid driver’s license for security reasons, but may not record the personal information contained on the license.
The California Supreme Court’s decision was premised upon California’s strict consumer privacy laws. However, the theory of ZIP codes representing personal or protected information has now spread to New Jersey. Superior Court Judge Stephan Hansbury refused to dismiss a lawsuit against Harmon Stores, Inc. for collecting ZIP code information from its credit card customers. The Court held that New Jersey’s Truth in Consumer Contract, Warranty and Notice Act allowed the plaintiffs to assert a claim for violation of N.J.S.A. 56:11-17, which provides:
No person which accepts a credit card for a consumer transaction shall require the credit card holder, as a condition of using a credit card in completing the consumer transaction, to provide for recordation on the credit card transaction form or any other form, any personal identification information that is not required by the issuer to complete the credit card transaction, including, but not limited to, the credit card holder’s address or telephone number, or both; provided, however, that the credit card holder’s telephone number may be required on a credit card transaction form if the credit card transaction is one for which the credit card issuer does not require authorization. (emphasis added)
It appears that the New Jersey Superior Court, like the California Supreme Court, considers ZIP code information to represent protected “personal identification information.” As a general matter, the ZIP code information is not required by the credit card company. As the New Jersey case is in its infancy, we do not yet know the results or full repercussions.
While it is likely that the Harmon Stores case will be appealed at some point (if it does not settle), its very existence creates new uncertainty amongst New Jersey consumers and merchants alike. For consumers, Judge Hansbury’s opinion suggests that the consumer can refuse to provide his or her ZIP code information when engaging in a live transaction (as opposed to online transactions or, like in California, when using an automated machine to charge a transaction). Of course, it is also possible that refusing to provide ZIP code information could simply result in the merchant demanding that you produce a driver’s license.
Merchants, on the other hand, should be sure to have a valid justification for seeking a customer’s ZIP code information in connection with any credit card transaction. Merely seeking it for marketing purposes will not suffice. Alternatively, merchants can be clear in seeking the ZIP code information that providing the information is completely voluntary. However, engaging in such a practice presents its own pitfalls and could create new confusion or a public relations nightmare.
As privacy-related litigation and consumers’ concerns about their privacy rights increase, one thing is becoming abundantly clear: now is the time for businesses to proactively use consumer privacy protection as a marketing tool to distinguish the business from its competitors.