Privacy Policies and Internet Advertising Rules of the Road
Latest posts by Verio, StartupNation's Web hosting service (see all)
- Creating a Customer Database - May 1, 2008
- How to Secure Your Web-Enabled Business - May 1, 2008
- Privacy Policies and Internet Advertising Rules of the Road - May 1, 2008
Provided by StartupNation’s Web Hosting service, Verio.
One reason the Internet is an excellent marketing and advertising tool is that it provides much more information about consumer behavior than is available through traditional print-based media.
By monitoring visitors on your Web site, and collecting reactions to ads placed on other Web sites, you can obtain a host of consumer information, including how many people viewed your ad, what percentage of people clicked on the ad, what percentage of people purchased your product after seeing the ad, which pages on your Web site are visited most often, the names of other Web sites your customers have visited, and customers’ e-mail addresses and other personal information.
This data can help you substantially improve your products and services. Unfortunately, the ease of collecting consumer data has resulted in fraud, violations of consumer privacy, and identity theft. As a result, consumers are increasingly wary of providing personal information, and more laws are being passed to protect their rights.
In this article we examine several Internet advertising and privacy laws, and we discuss how to reassure your customers while legally collecting the information you need to build your business.
The Law of the Land
Long before the Internet, the U.S. government passed laws protecting the privacy of consumers’ personal information and shielding them from misleading, fraudulent, and deceptive advertising practices. These laws also apply to the Internet–you should be especially familiar with Section 5 of the FTC Act. The U.S. Federal Trade Commission (FTC) publishes guidelines to help businesses apply older laws to the Internet. For instance, the three primary legal requirements for truth in advertising are:
- Advertising must be truthful and not misleading.
- Advertisers must have evidence to back up their claims.
- Advertisements cannot be unfair.
To honor these legal requirements when advertising on the Internet, the FTC recommends that businesses:
- Place disclosures on the same Web page as the claim they apply to, and when necessary, provide adequate visual cues to indicate that a consumer must scroll down on the page to view the disclosure.
- When hyperlinking to disclosures, make the link obvious and noticeable, label the link accurately and indicate its importance, place the link near relevant information, ensure that the link takes consumers directly to the disclosure, and monitor link usage to ensure its effectiveness.
- Display disclosures prior to purchase.
- Ensure that an advertisement’s "text, graphics, hyperlinks, or sound do not distract consumers’ attention from the disclosure."
If your Web business sells other companies’ products, be aware that the FTC can also hold you responsible for misleading ads and product descriptions, even when those materials are provided by the manufacturer. The FTC recommends that "to protect themselves, catalog marketers should ask for material to back up claims rather than repeat what the manufacturer says about the product" and that "in writing ad copy, catalogers should stick to claims that can be supported." The FTC pays closest attention to ads that make health or safety claims, or that present data or statistics that consumers would have difficulty verifying.
In addition to pre-existing laws, the U.S. Congress has enacted several new laws that govern Internet advertising and privacy. The most important of these is H.R. 29, more commonly known as the SPY Act (Securely Protect Yourself Against Cyber Trespass Act), which came into effect on March 5, 2005. The Act prohibits specific types of Internet advertisements and methods for manipulating users’ computers, including:
- Advertisements that cannot be closed "without undue effort or knowledge by the user."
- Advertisements that can only be closed by "turning off the computer or closing all sessions of the Internet browser for the computer."
- Modifying a computer user’s browser settings so that a different Web page appears when the browser is launched.
- Changing a computer user’s default ISP or Internet connection method, as well as any settings associated with these connections.
- Altering a "list of bookmarks used by the computer to access Web pages."
- Altering any "security or other settings of the computer that protect information about the owner or authorized user for the purposes of causing damage or harm to the computer or owner or user."
- "Collecting personally identifiable information through the use of a keystroke logging function."
The SPY Act also addresses Internet consumer privacy issues, particularly the use of information collection programs that are installed on a user’s computer to gather information about that user. The Act defines an information collection program as one that collects personally identifiable information and either sends the information to anyone other than the computer user, or uses the information to display advertising on that user’s computer.
Before you can install and execute such a program, the user must be given notice of the program’s data collection functions and must consent to the program’s execution. The Act states that notice of the program’s information collection functions must be clear, conspicuous, written in plain language, and clearly distinguished from any surrounding text or information. Further, the program must contain one of the following statements (or something substantially similar) depending on the program’s exact function:
- "This program will collect and transmit information about you. Do you accept?"
- "This program will collect information about Web pages you access and will use that information to display advertising on your computer. Do you accept?"
- "This program will collect and transmit information about you and will collect information about Web pages you access and use that information to display advertising on your computer. Do you accept?"
If your business caters to children, you should be aware of The Children’s Online Privacy Protection Act, which requires that businesses "obtain verifiable parental consent before collecting, using, or disclosing personal information from children, including their names, home addresses, e-mail addresses, or hobbies." Also investigate state laws.
Many industries have special laws governing information privacy; these laws also apply to doing business on the Internet. For instance, if your business offers loans, financial or investment advice, insurance, or any type of financial product or service, make sure you adhere to the Gramm-Leach-Bliley Financial Modernization Act of 1999.
- Explains to consumers how your business will collect, use, and keep secure any information you obtain about them.
- Demonstrates a level of responsibility to your customers, forming a bond of trust that will increase their confidence in you and willingness to do business with you.
- Helps your business meet legal requirements.
- Functions as a guideline for making business decisions.
- Notify consumers about your Web site’s information collection policies.
- Allow consumers to choose how your business uses any information you collect which personally identifies them.
- Give consumers a mechanism for reviewing the information you collect about them.
- Ensure the security of all consumer information that your business collects.
What Information Is Collected and How
- Personally identifiable information (PII) is the most sensitive because it can be used to identify an individual. PII includes a person’s legal name, e-mail address, physical mailing address, social security number, phone number, medical records, and bank account numbers or other financial data. Consumers feel most secure when the only PII you collect is information they provide to you directly, such as by filling out a form on your Web site.
- Non-PII is anonymous information that cannot be used to identify an individual. Non-PII is often used to track how visitors navigate your Web site, which pages were viewed most often, what other Web sites they have visited, and similar data.
You should also identify the technologies and methods your business uses to collect consumer information. Disclosing your methods accomplishes two things: increases customers’ trust and confidence in your business, and helps technically-savvy customers opt-out of data collection. For non-technical customers, however, you should explain how they can opt-out of providing both PII and non-PII.
How Collected Information Is Used
How Consumers Can Opt-Out
If you allow third-party advertising companies, such as 24/7 Real Media or DoubleClick, to run advertisements on your site, you should tell consumers how to opt-out of these companies’ information collection process as well. However, you do not have to provide the exact instructions; simply point customers to the appropriate page on the third-party’s Web site. Alternatively, if the third-party advertiser is a member of the Network Advertising Initiative (NAI), point your customer to the NAI opt-out page at http://www.networkadvertising.org/optout_nonppii.asp.
For more information about third-party advertisers and the NAI, please see our article "Introduction to Internet Advertising."
How Collected Information Is Kept Secure
With Whom You Share Collected Information
It is not necessary that you list every single company, business partner, or entity that you might share collected information with. You should, however, mention types of entities you will share information with; for instance: business partners, credit card companies, and government agencies. For each type of entity, list the type of collected information you would share and under what circumstances.
Getting More Information
There are several organizations that can assist your business by recommending privacy policies and security technologies, reviewing your privacy practices, and providing endorsements. One of the most respected is TRUSTe (www.truste.org), an independent, non-profit organization established to safeguard Internet privacy and security.
Look at your competitors’ privacy policies and consider them from a customer’s perspective. Make sure that your policy does a better job of informing and reassuring potential customers.
If you have questions about advertising and privacy laws, or how they are interpreted and applied to business, we recommend that you consult a lawyer. For information about running an Internet advertising campaign, see our article "Introduction to Advertising."