Privacy: Outrage On The Web

A lawsuit against DoubleClick may be just the start of a backlash

For DoubleClick Inc., a hot Internet advertising company, things have suddenly gotten a little too warm. On Jan. 27, Harriet Judnick, a Marin County (Calif.) administrative assistant, filed a lawsuit against the company alleging violation of privacy rights and deceptive business practices. It's a case of the mouse that roared, and it signals how ordinary consumers are getting wise to the intricate workings of online marketers and the lack of privacy on the Web.

DoubleClick is the top ad-server company on the Web. Its computers insert banner ads and other promotional messages on about 1,500 Web sites. Those messages can be precisely aimed at the most likely customers, thanks to little text files called cookies, which allow DoubleClick to track what people are looking at and build detailed profiles of them--about 100 million profiles to date. These profiles show how Web surfers--who are identified only by their cookies--move around among sites, what books and CDs they buy, what places they spend the most time in.

What prompted Judnick to call a lawyer was DoubleClick's latest marketing tour de force: It quietly reversed an earlier policy of providing only anonymous data about Web surfers to marketers and last fall began combining its online profiles with information from direct mailers and others that help determine the actual identity of the Web surfer. In November, DoubleClick paid $1.7 billion for Abacus Direct Corp., a data-warehouse company that has records of consumers' catalog purchases, including name and address data. It has also begun pulling in similar personal data from Web partners. The result: DoubleClick not only knows where you go online and what you do there but also who you are, where you live, and your phone number. This is nirvana for direct marketers, but it gives Judnick the creeps. She says she got a stream of unsolicited e-mails from insurers, loan companies, and other firms after she recently looked up medical-insurance information online.

WHAT POLICY? Privacy advocates say the allegations in the DoubleClick suit are just one sign of how the Internet's data-grabbers routinely go too far. The advocates concede that consumers willingly give up information about themselves when they register at a site but they insist that most surfers have not understood how a little bit of data can turn into a big invasion of privacy. Another issue: Even when sites have strong privacy policies, they are often overlooked. The Health Privacy Project at Georgetown University released a study on Feb. 1 showing that many online health sites don't follow their own privacy policies--and in some cases share health information about visitors with their business partners.

Internet companies have every incentive to gather as much customer data as they can--and few reasons to stop. Indeed, integral to the business plans of many Web companies is the notion that they can reach clearly identified individuals rather than an "audience." Advertising agencies say they are willing to pay a premium of 10% to 20% for such targeted advertising. "The Internet is the first medium that offers advertisers the ability to speak to your customers," says Susan Nathan, senior vice-president at ad agency McCann-Erickson Worldwide Inc., whose clients include Microsoft Corp. and Ltd. "The more you know, the easier and more fruitful it is to do that."

A suit filed against Yahoo! Inc. gives a peek at how vital private data is to Web businesses. Universal Image Inc., which makes educational videos, sued the portal in December, seeking damages of up to $4 billion for allegedly not living up to a contract to provide data, including customer e-mail information, that Yahoo culled from surfers who downloaded video from its Web site. The contract had been signed between Universal Image Inc. and Inc. before was acquired by Yahoo. Yahoo declines comment on the case.

Online marketers say the data-gathering is nonthreatening--that it is merely a way of fine-tuning marketing for the convenience of consumers as well as marketers. But with cybercitizens up in arms, Capitol Hill is listening to the complaints. Online-privacy legislation is expected to be a major bipartisan issue in Congress this year, with at least five legislators preparing to introduce bills that require companies to better inform consumers about their practices, let Web surfers know exactly what they're agreeing to, and provide enforcement if companies drop the ball. Several states are also taking legislative and enforcement initiatives. "This issue has gone off the Richter scale in terms of public sensitivity," says Senator Ron Wyden (D-Ore.)

Judnick is representative of the breed of Netizens who just want to be left alone. Her suit contends that DoubleClick, with the new Abacus data, is using personal information without the knowing consent of Internet users. "I didn't feel like my information should be sold," Judnick says. DoubleClick says its policy has always been to inform online users and give them the option to opt out. "If we have personally identifiable information, it must be true that you have been given notice, and you have chosen not to opt out," says Jonathan Shapiro, DoubleClick's vice-president for business development.

But privacy policies can be deceptive, says privacy advocate Richard M. Smith, who has been documenting online privacy breaches. He has charged Inc. with gathering more personal information about customers than consumers would expect if they read its privacy policy. "The more experience we all have with the inadequacy of these policies, the more sense there will be to enact some protections," says David Sobel, general counsel at the Electronic Privacy Information Center in Washington.

LITTLE WARNING. Net companies insist that they are capable of regulating themselves and that it would be self-defeating to abuse customer privacy: It's in their best interest to keep customers happy and surfing. And so far, regulators have taken a hands-off approach. While the Federal Trade Commission has watched online privacy closely and issued rules governing the online privacy of children in October, it has so far declined to establish any rules regarding adults. In November, the FTC concluded a privacy workshop with promises from the 10 leading ad-services companies to come up with voluntary guidelines. Since then, the companies have not put anything forward.

Privacy advocates maintain that consumers are not adequately warned about how the information they volunteer, or that they allow a specific site access to, will be used. In her suit, Judnick is asking the court to force DoubleClick to request permission before it tracks consumers' online behavior. She is also asking that the company be forced to destroy all data it acquired without users' consent.

As the privacy issue gets more attention, momentum is building for government action. States including New York and Hawaii have pending legislation, and California, Maryland, and Virginia are expected to follow. In a case that could be a taste of things to come, the New York State Attorney General reached settlements with Chase Manhattan Bank and Sony Music Entertainment Inc.'s online service InfoBeat to curtail information-sharing practices with outside partners. The office says Chase was violating its own privacy policy, though the bank contends it didn't.

In this election year, many federal legislators are taking a range of initiatives. Oregon's Wyden and Senator Conrad Burns (R-Mont.) are co-sponsoring a bill that gives consumers the chance to block the collection of information and the right to access any data that has been gathered. A bill from Senator Patrick J. Leahy (D-Vt.) bolsters the ability of consumers to opt out and tackles government intrusion into personal privacy. This year's campaign slogan could be: It's online privacy, stupid.