OTHER OPTIONS
A Do Not Track list isn't inevitable. With the right security technology and a forthright approach to customers, the hue and cry might just die down. Businesses must demonstrate to customers that they aren't out to do evil--to manipulate or surreptitiously grab data that customers don't want them to have.

One approach is to give customers control over the data being collected. Ask is doing that, as is Microsoft, which is letting customers opt out of behavioral ad targeting conducted by Microsoft's network advertising partners.

"You can't group customers all together. There are varying perspectives," says Brendon Lynch, senior privacy strategist in Microsoft's Trustworthy Computing Group. "Some people are willing to give up all sorts of details for a personalized service, and other people are very wary. So being able to give control to them ... is key."

Another approach is for companies to engage customers in a discussion of their privacy policies. But too often, that discussion revolves around privacy statements and is along the lines of what Verizon did last month when it informed customers that they would have to opt out if they wanted to keep the company from sharing data--other than names, addresses, and telephone numbers--about their network usage (call duration, destination, etc.).

Essentials

How to make behavioral targeting work

Security's Key
Secure data that's potentially traceable to individuals as if it were sensitive personal data. Let customers know how you do this.

Be Straight
If you want access to customer data, ask for it, say why you want it, and tell what customers get in exchange.

Opt-Out Options
Have them, and be clear about how they work--and options available don't have to be all or nothing.

Interact
Put privacy policies up front. Try something new, like video.

Partner Wisely
Work with companies you trust to handle your customers' data with care.

Weigh The Risk
Make sure the reward for keeping data outweighs the risk.

Sharing that information, Verizon says, will let it "better offer and provide" a full range of communications-related products and services. But it's widely believed the company made this change to facilitate plans to deliver ads to mobile phones. A more respectful approach would have been to let customers opt in.

Privacy policies aren't the only way to talk to customers about the security of their personal data. Microsoft also builds privacy choices into the software user interfaces, Lynch says. Windows Media Player, for instance, has what the company calls "just-in-time notice and consent." The first time users run it, they get information on the various privacy controls. "It achieves a customer education goal, but it does so in a more prominent way," he says.

Google, too, is experimenting with alternatives to privacy statements, using video to explain privacy choices to users, Fleischer says.

Beyond providing more active privacy discussions with customers, companies would do well to be more forthright about what data they collect and whether they're aggregating it in ways that could be traced back to individuals. Any aggregated data that potentially still could be traced back to an individual should be subjected to data security policies and practices as if it were personal data. That could go a long way toward reassuring consumers that their personal information is safe.

When it comes to personally identifiable data, the use of thin-client technologies, where the information is stored on the back end, protected by IT professionals, is effective, Sun's Dennedy says. Sensitive information like credit card data shouldn't be stored on retailers' servers, but rather on MasterCard's servers, she says.

Even more effective when it comes to the type of data collected for behavioral targeting is data segmentation, which lets companies manage risk as well as make consumers more comfortable, Dennedy says. Information about consumers can be parceled out on a need-to-know basis using federated identity technology, which dynamically assembles a customer identity from multiple IT systems, and role-based access, which limits the data provided based on the role of the querying entity. A hotel, for example, doesn't need to know a traveler's airline seat preferences and an airline doesn't need to know where a traveler will be spending the night, though the traveler himself can and should see that information in one place.

That's how Microsoft is offering personalization and privacy at the same time, Lynch says. "When we personalize our online services--search and advertising in particular--we segregate personal information from any data that we use to target advertising," he says. Microsoft uses cryptographic techniques to separate that data so that it can't be connected to the specific customer, he adds.

Another company that manages data-driven marketing without privacy complaints is NebuAd. It started a year ago in an environment where all of AOL's search terms had become public and the government was subpoenaing clickstream data from Verizon and AT&T. "We resolved to come up with an architecture where we wouldn't have any risk of any of those unfortunate things happening to us," says CEO Bob Dykes.

NebuAd uses data segmentation to provide behavioral ad targeting without maintaining data about Internet users. It provides proprietary hardware to ISPs as part of an arrangement for ad-revenue sharing and monitors users' interests and provides relevant ads without tracking them in a way that's personally identifiable. Instead, it generates a code called a one-time hash with which to associate user interests. "We can see that same user coming back onto the Internet later, but we have no idea who it is," explains Dykes. "There's really no benefit to us to have more detailed information about the user."

That has real appeal to Tom Soevyn, CEO of direct response agency Focalex, which is running ad campaigns through NebuAd. "Frankly, I don't want my company's name, or any of the companies I work with, getting tied up in someone saying 'Big Brother' or 'Someone's tracking my behavior,'" he says. "They're just looking at data streams. They don't know who that consumer is or anything about that consumer, so that gives me a sort of comfort level."

It's that comfort level that every company engaged in behavioral targeting needs to shoot for. Engaging in ongoing dialogues with customers about the data being collected and how it's used, letting customers control the data that's being collected and the level of privacy they want it subjected to, and showing them that it's securely locked down will go a long way toward avoiding movements that lead to a blanket Do Not Track list.

Illustration by Richard Downs

Continue to the sidebar:
Social Networks Find Ways To Monetize User Data