This is the longest blog entry I have done for a while, but I think the subject deserves it. I beg your indulgence, and hope that if you bear with me it will be worth the effort.
The Federal Trade Commission, in response to complaints that "tracking" software can violate the privacy of those using the Web, has recently moved to curtail such monitoring, calling for Websites to implement a "Do Not Track" (DNT) mechanism that would enable consumers to opt out of having their activity monitored on the sites they visit.
Predictably, the proposed "Do Not Track" option has triggered howls of protest from many eMerchants, whose ability to tailor offers to visitors and returning customers relies on these tracking tools. The agency is accepting written comments until Jan. 31, after which the full commission will vote on whether to formally request a congressional mandate requiring ad networks and Websites to honor Do Not Track requests. In response, industry lobbyists are making a vociferous argument for the FTC to stick with the self-regulatory approach that has applied up until now. They also claim that DNT could put an undue burden on Websites to make sure it actually works as it is supposed to.
Notes Byron Acohido and Jon Swartz in USA TODAY, "’Smaller ad networks and tracking services, in particular, would suffer if Do Not Track is implemented broadly,’ says Kevin Lee, CEO of online advertising consultancy Didit. That's because ads aimed at high-end products, which account for a good portion of the smaller ad networks' profits, command higher premiums because they can be targeted at specific groups of Web users who are being tracked anonymously across the Internet. 'Failure to price this advertising inventory based on anonymous tracking information would probably drop its value in half,' Lee says."
Acohido and Swartz go on to suggest that DNT could spur innovation, and that "The more creative companies will find new ways to legally and ethically make profitable use of information that users openly volunteer," particularly if visitors to these Websites are properly incentivized to volunteer profile information.
Amy Africa, Chief Imagination Officer at eCommerce consultancy Eight by Eight Marketing, says in an article in Multichannel Merchant magazine on Internet Explorer’s tracking protection feature, that consumers don’t mind being tracked if they get something appropriate in return. "I think consumers are aware that everything is tracked, but they are willing to trade in a teensy bit of their information for savings or a discount," Amy says. "When you offer the choice to get a discount and be tracked or get nothing and not be tracked, there's no doubt in my mind that the majority of folks are going to take the tracking."
Amy also believes that DNT would have the same issues that cookie management does: good in theory, but mostly ignored in practice. Or like pop-up blocking: "Everyone says they hate them, everyone says they block them, and (pop-ups) are still incredibly successful."
In the same article, Tom Funk, vice president of eCommerce consultancy Timberline Interactive, points out that “a lot of new ad-driven tactics are giving merchants a bad reputation and could spur Congress to legislate an online version of Do Not Call.”
"‘Some sneaky sites are now using “Flash cookies,” which are much harder to delete than traditional cookies,’ notes Funk. ‘Big ad networks are fingerprinting computers and mobile devices based on unique combinations of settings and operating software, so they don’t even need to depend on cookies to know who you are. Stories like that scare and anger the average consumer.’"
Self-Regulation: A Deeper Look
My own take on this is wrapped up in what for me are two critical issues, both of which involve a comparison between today’s multichannel marketing environment and the direct commerce world of what is now “a generation” ago, in the 1975-1995 pre-Web era that qualifies as “the heyday” of direct marketing, when most of the fundamentals of database marketing were invented and brought to maturity.
The first fundamental issue has to do with how the concept of “self-regulation” is supposed to work. In the pioneering days of database marketing, the practicing community was almost literally just that: a community of individuals that was small enough that, if they didn’t all know each other, at least they all spoke the same language, often worked interchangeably for the same companies, and attended one or two trade shows, like the annual forum of the National Center for Database Marketing (now part of the Direct Marketing Association, about which see below), where their methods and issues received a very public airing.
Even more significant was the “larger” context of direct marketing as a profession, driven at its core by the list management and brokering business that dates back to Benjamin Franklin (and before), but became highly organized a hundred years ago, when the Direct Marketing Association was formed to serve as a professional development resource center, a training ground for practitioners, and a lobbying enterprise.
Together, the direct marketing community and the database marketing community flourished in the 1975-95 era, expressed archetypally in the plethora of “niche” catalogs that replaced the “big books” of earlier eras, and could survive only because they were able to use the customer profiling and segmentation techniques that were available to smart marketers to grow their businesses, test and target effective offers, and manage both their customers and their merchandise profitably.
I should also point out that more than a few catalogs managed to just break even on selling their inventory, then made all of their considerable profit from list rentals alone. Even those who made money selling goods were certainly made healthy financially from list rental income.
But let’s not lose sight of the point here: this was in many ways a “club,” with a coherence of purpose and common goals and methodologies that every practitioner was committed to honoring. While lists were “seeded” to catch the odd double-dealer or outright crook who broke the rules (and there were certainly a few famous examples) and tried to make a fast buck, even these unethical characters were only hurting their competitors, not the consumers whose names and addresses were “stolen” for nefarious promotional purposes.
The situation today is completely different. There are many reasons why “the community” is no longer relevant: the number of players in the multi-channel world has grown significantly, many of them are primarily from the eCommerce “never-never land” and came out of a technical environment, or the “wild West” world of entrepreneurial madness that prevailed in the Dot.com boom. Or even from retail, where the lack of knowledge about the customer during the blossoming of retail in the last 20 years meant that the retail community did not grow up with the same values about customer data that direct marketers and database marketers had developed. If your customers are anonymous to begin with, it’s so much easier to play fast and loose with whatever data you gather about them.
Unfortunately, as well, the Direct Marketing Association offers very little in the way of leadership anymore. It lost its way in the late 90s, and today has trouble finding a roadmap, let alone a way forward.
I don’t think I’m being too black-and-white here. I have spent over 25 years working primarily with the direct marketing community, and the last five working with more than a few of the “new age” marketers who don’t have the same background. There is truly a cultural difference that is palpable to me. I’m not slamming contemporary multichannel practitioners – let’s even go so far as to say that the ratio of ethical players to scoundrels in this new age is no different from what it was in the heyday I refer to, or certainly compared to today’s direct marketers. Apples and apples.
So what’s the point? Simply that the scope of the “damage” that the tiny minority of scoundrels can impose is so much greater than what applied in the earlier era. Moreover, the ability to “police” and identify what is being done by whom and to whom is practically non-existent. And most important of all (knowing how the world works…), in the old days the miscreants knew darn well that what they were doing was unethical, if not downright illegal. Today’s troublemakers are often completely unaware that what they are up to violates any ethical or professional standards. There is no community “voice” strong enough, focused enough, and loud enough to convey that message. And as time passes, this devil-take-the-hindmost approach is likely to become the norm.
This is even more likely given what is generally accepted as a shrinking awareness of “privacy” on the part of consumers themselves. I will spare you a major digression on that subject, but it certainly is relevant here (see Privacy Icons for state-of-the-art coverage and thinking on this topic). If consumers themselves are unlikely to object to practices that can be considered, by some, to be dangerous or downright abusive, then without that push back the cancer of database abuse is bound to spread.
Segment Vs. Dossier
Which leads me to the second fundamental issue. Database marketers in the golden age always stressed that what they were doing was not in any way creating “dossiers” about individual customers. “We don’t care about any single customer’s behavior,” they were fond of saying. “We are looking for ‘promotable market segments’ that contain enough people to make it worthwhile targeting.” If one customer was a divorced accountant with two children and an inferred income of $75,000 who liked to buy stylish suede boots and take two-week cruises, it meant nothing unless there were 20,000 others just like her to make a marketable segment.
Yes, when you rented her name along with the other 20,000, the data on the individuals was there for the picking. And there were certainly many reputable marketers who would use it on a one-by-one basis for upselling and cross-selling in a call center environment. But the idea that you would use data about an individual for anything other than your own competitive advantage was against all logic. You protected this data like the family jewels, because it made the difference between profit and loss. The value in the marketplace among practitioners was in the aggregate, not in the particular instance.
In today’s multichannel world, dossier building is much more the point of the entire exercise. You want to gather every possible scrap of information about how individual consumers behave, especially on your Website, but also in the call center and in stores, so that you can devise better and better ways to make the most effective offers to each one of them. And you will also use this data so that offers from affiliates and advertisers can be as profitable as possible, too.
OK. I know that in most cases these “dossiers” are not necessarily identified with the identity of the individual, especially if they don’t place an order. A Website will welcome “Mary Doe” back when in fact it could be her daughter, sister, mother, or someone else sitting at her computer browsing away. But placing an order will be taken as confirmation of who the person is, and if it’s done on Mary’s behalf by someone else, it doesn’t matter. Mary gets the “credit” for the activity, even if it is not in her best interest.
Which takes us back to Tom Funk’s point: “Big ad networks are fingerprinting computers and mobile devices based on unique combinations of settings and operating software, so they don’t even need to depend on cookies to know who you are.”
I suspect that, based on everything I’ve said, Tom’s statement resonates a little differently now, doesn’t it?
Let me add one more dimension. One of the biggest ad server networks at the heart of this issue is Doubleclick, which is now owned by Google. In the 1990s Doubleclick helped itself grow by acquiring Abacus, a company in Denver, Colorado, started by Tony White, who had earlier founded “Lifestyle Selector," later acquired by Equifax. This was the company that received all those “warranty” postcards that were enclosed in appliances, cameras, and similar merchandise (did you ever wonder why they all had a Colorado address?), which requested information about your hobbies, interests, and “lifestyle” (hence the name).
Lifestyle Selector, of course, created massive databases of very marketable segments based on the data that consumers “willingly” volunteered. Now obviously this was not a totally above-board business, since the “warranty” blather was a ruse to get you to submit the card. But give them this: coming from the bygone era, they did not, to the best of my knowledge, abuse their data at the individual level. Though they had the capacity to build “dossiers,” they were in the segmentation business, not the personal profiling business.
[For a related but quite different perspective on the Heyday of Database Marketing, see the thoughtful blog entry by Kevin Hillstrom, From Database Marketing to Web Analytics.]
Drum Roll, Please!
If you’ve come this far, you’re probably thinking that I am in favor of imposing the Do Not Track option, because it will help to bring some kind of order to the impending chaos.
But you would be wrong, for several reasons. One: I agree with Amy and others that consumers not only benefit from, but seek the advantages that tracking provides them when shopping online.
Two: it will be difficult to have a level playing field for Do Not Track. Apart from the obvious advantages that the larger marketers will have in setting this up and maintaining it (i.e., the burden will fall disproportionately on the smaller outfits), there will also be those who find ways to work around it, no matter how the DNT regulations turn out to be written.
Look at two other examples. The payment card industry (PCI) over the last few years has established a set of regulations for Data Security Standards that impose a combination of self-regulation and formal auditing. Without getting sidetracked in that black hole, suffice to say that the enforcement situation is a shambles. It’s working, but not extremely well. And the original intentions of the PCI Standards are failing to be realized with too much attention focused on the letter rather than the spirit of what they require.
The other example is the FTC's "Mail and Telephone Order Merchandise Rule," or so-called “30-day rule,” requiring that customers be notified if merchants cannot send items they have purchased within 30 days (to allow for back order processing). This, too, is a wobbly gray area of misunderstanding, poor execution, and honoring in the breach. Like PCI, there have been financial penalties imposed from time to time, but “shambles” applies equally well to this regulation.
Do we want to turn DNT into a shambles, as well?
Finally, and most important of all, while I think having the FTC impose a DNT mechanism is a mistake, I don’t think that doing nothing is a very good idea, either (and let's face facts -- "self regulation" is the equivalent of doing nothing, for all practical purposes). What I am in favor of instead is having the conscientious multichannel merchants use this issue as a rallying point to start creating a new professional culture that will carry the old torch forward in a new way that is appropriate for the marketing environment of today and for the foreseeable future. In fact, this should help to shape that future so that issues like transparency, manageability (in many dimensions), customer/shopper integrity, and data ownership/use/and abuse can be productively discussed, debated, and respected. After all, we may not all be marketers, but we are all consumers, and these issues affect us in that dimension as much as they do from the point of view of the practitioner.
Of course, the fact that it is truly a Worldwide Web makes this a rather daunting challenge. But that should only serve to fire up those who will lead this movement in such a way that it becomes an even more effective workshop in which the future of this business can be forged. That's what makes this such a "golden opportunity."
Anything less would be the easy way out, and a disservice to the business, its consumers, and to the public at large. Grandiose? Perhaps. But just as “desperate times call for desperate measures,” challenging times demand heroic efforts from those who wish to lead us effectively. And it’s a lack of leadership, I dare say, that has brought us to the current state of affairs.
POSTSCRIPT: December 18, 2010
It occurs to me since I wrote the above that I left one important element out of the equation of the companies in today's multichannel marketplace, having to do with company size.
While there were certainly some rather large direct marketing companies in "the heyday" I refer to (Reader's Digest, Publishers Clearing House, TV Guide, Sears, Lands' End, and LL Bean all come to mind), most of the players had revenues well south of a billion dollars a year, with the exception of some of the banks -- and American Express -- who were actually in the forefront of developing database marketing techniques in the 1970s and 80s, plus Time/Life, whose database marketing pioneer work dates back to the 1960s.
Today, we have quite a few global corporate players in the arena with multi-billion dollar revenue streams and valuations. What makes this worth a P.S. is that in my opinion such companies typically behave in ways that discourage the kind of consensual, collaborative efforts I suggested would help to resolve the privacy issue to everyone's benefit. Even when such corporations pay lip service to something like "corporate social responsibility," it is more often than not a PR effort and a cost center rather than an organic part of the business that actually has a positive impact on the company's behavior in the marketplace. That's just the nature of the beast.
That said, it simply raises the stakes and makes it all the more important that the challenge of addressing the privacy issue effectively be met by all elements in the multichannel marketplace in order to serve the best interests of everyone concerned.
[I am sure that The Web Analytics Association could play an important role in this effort.]
POST POSTSCRIPT: December 21, 2010
One additional consideration. I somewhat cavalierly passed over data security issues above in referring to the PCI Data Security Standards as a "black hole" and a "shambles." Both true statements. But what I should have mentioned in addition is the serious threat posed by potential cyber attacks of all kinds, ranging from those perpetrated by recreational hackers and company insiders, on one end of the spectrum, to criminals, rogue government agencies worldwide, and other nefarious evil doers on the other. This is far from a trifling matter, and is indeed one of the biggest challenges multichannel merchants face by operating on the Web (see 2010 Data Breach Report From Verizon Business, U.S. Secret Service Offers New Cybercrime Insights). It's directly relevant in that customer data of all kinds can be vulnerable in many ways, and the PCI standards address only credit card data. Even in that regard, the Data Security Standards are -- and will most likely remain -- a moving target. Who's addressing the security of customer profile data in any systematic way?
It's tempting to suggest that some group of cyber vigilantes, based on the model of the "Guardian Angels," be established to serve as "the good guys" to fend off "the bad guys." (See "Volunteer Cyber Army Emerges in Estonia" as another possible model, plus this very intriguing suggestion by John Arquilla to "Go on the Cyberoffensive.") There are a lot of reasons why such a concept could never fly, of course, including the risk of having such a group infiltrated by the very bad guys they are trying to fend off. Besides, each eMerchant needs to be responsible for its own data protection and there is a large number of private enterprises with the skills and experience to help those who can't handle this on their own.
But it does even more dramatically underscore the nature of the challenges in the road ahead on the so-called "Privacy" issue.
See Browsers Attempt to Protect Online Privacy
See also the