All RSS Feeds
OPINIONS
Published: February 27, 2006
Bill May Upend Online Marketing Model
By Alan Chapell
More by this Author
Contact Author
 
PRINT

Chapell & Associates' president looks at new legislation that could limit online data collection and how it could change the internet advertising landscape.

Have you ever had someone tell you that they had some good news and some bad news? I get that a lot-- as I bet do many of you. My eight year old and I have made a game of it actually. But when it's not part of a game, it's not very much fun. Well today, ladies and gentlemen, we in the online business world have a situation of good news / bad news. Why Well, let me start from the beginning.

As most of us know, the whole internet economy is driven by consumer information. So what would happen if companies were legally required to delete the information they collected from and about consumers after a short period of time?

This isn't just speculation, kids. Legislation has just been proposed that attempts to regulate the data retention practices of our industry. In early February, Representative Edward J Markey (D-MA), introduced the "Eliminate Warehousing of Consumer Internet Data Act of 2006" on the House Floor. According to the Congressman, "Personal information about consumers' internet use shouldn't be stored unnecessarily to await data thieves, or fraudsters, or disclosure through judicial fishing expeditions." So in order to avoid these consumer risks, the proposed bill would require online companies to dispose the consumer data they collect.

Daddy, what does legitimate mean?

However, exactly how quickly they must dispose of the data is up for debate. The bill states that information no longer "necessary for the purpose it was collected or any other legitimate business purpose" must be deleted [emphasis mine]. The bill doesn't go on to explain what these purposes might be, but since it references data breaches and judicial fishing expeditions as what it intends to combat, we might be able to predict what purposes would be judged as legitimate. In any event, the trouble with leaving "legitimate business purposes" undefined is that it would make compliance very challenging.

…and scope?

Although the bill references specific types of personally identifiable information (PII) -- name, physical address, date of birth, social security number -- the scope of the bill seems much broader. For example, much of the wording in the bill's preamble suggests the bill focuses on IP addresses, entered search terms, and other types of data that "can be traced back to individual computer users." Could the bill directly impact cookies and web logs? It would seem that the answer is a YES, albeit an enigmatic one.

So if the Markey Bill passes there may be cause to seriously rethink how online businesses interact with consumers. For example, there may be increased pressure for email marketers to delete addresses from consumers who haven't responded to recent messages or opted out of past mailings. And what are the implications for you if you're in the behavioral targeting business? Or Affiliate Marketing? Or Ad serving? Or research? Heck, what if you just run a website?

Costs of compliance

If the bill is passed, many in this space will face a unique set of challenges. To start with, all businesses that collect, store and use consumer information are going to continually need ask themselves the following questions: what information am I collecting? What business purpose does this data serve? And how long do I keep this data? (Just as an aside, I would suggest that we should be asking ourselves these questions anyway-- and often shudder at the infrequency in which such data process evaluations take place in many online businesses.)

If these types of compliance challenges seem painful to you, you're not alone. A colleague of mine, a well respected privacy professional from a large online company believes that Representative Markey's bill would leave many online businesses with little obvious response. "Compliance with this will be unwieldy for so many big players," he said, "Actually, for nearly anyone who has a web presence. It will create immediate cookie lifetime issues, log retention issues, and data integration changes. And that is just to start."

Requiring businesses to keep track of the information they collect -- and delete what is no longer necessary and risky to keep -- is a worthy goal. But as privacy guru Ruth Day puts it, this is the "right problem, but the wrong solution." Notwithstanding that "building consumer trust means purging data" that is unnecessary or sensitive, Day thinks that the proposed legislation goes too far in its regulatory standards. The bill's application, she says, "would be industrial policy at its worst."

I promised you some good news and some bad news-- so here it is. The good news is that from what I hear, this particular piece of legislation does NOT appear to have any legs. The bad news, however, is that this bill could very well be a harbinger for what awaits our industry over the next year. And that would definitely be no fun.

Alan Chapell, CIPP, is president of Chapell & Associates, a consulting firm that helps companies understand privacy and incorporate consumer perception into product development. Chapell has been instrumental in the development of emerging best practice standards for privacy and interactive marketing and can provide a real world evaluation of where your organization's practices fit within that spectrum. He has been in the interactive space for more than seven years with firms such as Jupiter Research, DoubleClick and Yes Mail. Mr. Chapell is the New York chapter co-chair of the International Association of Privacy Professionals and publishes a daily blog on issues of consumer privacy.