300. "Firms Must Freely Resist Sniffing Net's Data Trail," USA TODAY, (June 22, 1998), p. 17A.
Barbara Fusco, a George Washington University researcher, ordered a book from Amazon, an internet bookseller. The next time she visited the Amazon website, it greeted her with "Hi Barbara. Here are your recommendations." Amazon had taken note of her tastes, suggesting scholarly books, no joy of cooking or gardening. She then received a slew of Amazon commercials, tailored to her preferences.
What Ms. Fusco encountered is a "cookie," a new device that allows advertisers to target individual customers rather then bombard millions of people with the same message, greatly enhancing the ads' effectiveness. But these cookies infuriate privacy advocates, such as the Electronic Privacy Information Center (EPIC) and the ACLU, who argue that cookies are the last nail in privacy's coffin. Information people inadvertently share with one party at one point in time, finds its way to as many as 400 different places. For a few bucks one can find out what another person bought at Victoria's Secret, with whom he traveled and to where, and which prescriptions he had filled (e.g. Viagra?). Privacy advocates show that such data are used by bankers to call in loans, employers to fire workers, and tabloids to spice up personal exposes.
Both marketeers and privacy advocates are gearing up to work out a policy both can live with during a Department of Commerce meeting, to be held on June 23-24.
The private sector, it is important to note, grants the need for better privacy protection, but opposes new government interventions and instead favors self-regulation. This can be accomplished by corporations posting privacy policies they promise to follow on their websites, as Disney already does. Consumers could then patronize corporations according to the strictness of their standards. (You may be willing to buy flowers--for your spouse--and not care who finds out about it.) The Direct Marketing Association (DMA) even offers ready-made policies that marketers are free to adopt.
In informal discussions before the June meeting, privacy advocates maintained that consumers cannot determine the extent to which corporations adhere to posted policies. Various remedies have been suggested. Cyberspace guru Esther Dyson favors affixing seals of good conduct to websites, to be awarded by independent trustees and backed up by independent audits. The FTC views self-regulation as woefully insufficient, seeks to require corporations that violate their posted privacy policies to compensate consumers for harm inflicted on them. And, such companies might be charged with engaging in fraudulent practices, bringing the government to bear through this back door.
Privacy advocates, such as Marc Rotenberg and Jerry Berman, favor tough new federal legislation to curb violations of privacy in cyberspace. They point to data that show that out of 1,400 websites studied, 92 percent collect information about customers but only 14 percent disclosed the ways in which this information will be employed. And many websites have no privacy policies at all.
As I see it, given that numerous corporations as well as the sizable DMA agree that self-regulation is called for, it should be given much more of chance. Developments in this area are so rapid that it is too early to maintain that self-regulation cannot do much of what must be done. The DMA has shown that given a bit more time, many more marketers may fall in line. Indeed, the number of child-oriented websites that introduced the privacy safeguards favored by the FTC has more than doubled since the beginning of 1998, now including the overwhelming majority of the sites studied.
Moreover, the merits of regulation are vastly exaggerated. Privacy advocates tend to ignore that the mere issuance of new regulations, does not mean that they will be closely heeded. Most consumers seem to have more important things on their minds than cyberspace cookies, and many businesses will be tempted to circumvent such regulations. Unless a whole army of cyber-cops are recruited, armed with the right to chase violators across state and international lines, regulation may falsely assuage whatever public concerns exist without significantly slowing down the violations of privacy. Instead, working with the involved industries to affect self-regulation may provide at least a good start.
Especially pesky is the protection of children. Corporations such as cereal producers and toy makers maintain various websites in which children can join clubhouses, play games, and download entertaining material. Some of these corporations then use information garnered from the children, sometimes in response to direct questions about their parents affluence, to aim specific marketing salvos at them. The FTC just recommended that corporations should be expected, if not required, to obtain parental consent before collecting information about children age 12 and younger. More than enticing children to buy Beanie Babies is at issue: the ability of parents to screen and control messages that reach their children is at stake. Parental duties can hardly be discharged without such oversight. Self-regulation is likely to be tested in this area; if it fails here, new government regulations are likely to follow before you can say, "Thanks, but no cookies."
Amitai Etzioni teaches at George Washington University and authored The New Golden Rule, Perseus BasicBooks paperback 1998.