Department of Commerce
Federal Trade Commission

Matt Calkins is CEO of Appian Corporation, a consulting and analyst firm specializing in E-Commerce Personalization and Data Warehousing. Mr. Calkins has managed over 100 web and data warehouse implementations, and has spoken and written extensively on Internet security, privacy, and information issues. Appian Corporation authors the Appian Web Personalization Report (www.appiancorp.com/awpr.com), the most comprehensive source for information on the technology, products and companies in the Personalization Industry.

Consumer concern over the privacy of personal information transfers over the Internet is one of the primary impediments to growth in online users and online transactions. A Business Week study in 1998 found that the #1 reason why consumers who are not on the web stay off the web is concern about the privacy of their personal information. A 1999 report released by AT&T found that 87% of respondents, all of whom were experienced Internet users, were "somewhat or very concerned about threats to their privacy online". Web site operators must realize that consumer concerns are real and must be alleviated through tangible efforts to address and protect privacy.

For the most part, consumers are most worried about the transfer of intimate personal information such as social security numbers, phone numbers, and credit card numbers. Nonetheless, the companies that use online profiling techniques are uniquely at risk to a consumer backlash because of the many indirect methods used to gathering personal information. When a consumer buys something on-line he or she has made the choice to send credit card information, but is often unaware that he or she will be remembered as a buyer of the product in question. The indirect gathering of information allows web sites to "personalize" content for each user through the application of pre-established rules or collaborative filtering algorithms.

Web site software vendors and their clients must take an activist approach towards educating and soothing the privacy fears of the everyday customers on the net for two reasons. First, the continued upward trend in on-line retail transactions will depend upon "normalizing" the idea of buying on-line. Today, many of those who do purchase goods via the Internet still perceive it as a novel experience. The next step the industry must take is to convince those people and the millions who have yet to make any purchases that buying on-line is easy, safe, and reliable.

The second reason for an activist approach to privacy issues is the risk of excessive and constrictive government regulations on the gathering and use of information on the Internet. Thus far the Clinton Administration, Federal Trade Commission (FTC), and, for the most part, Congress, have all endorsed a position of industry self-regulation. This position, however, is predicated on visible and concrete efforts to protect the privacy rights of consumers. If on-line companies and their product vendors do not continue to take tangible steps to organize base-line standards for privacy, there is a real risk that the government might step in with regulations. Already the U.S. government is being pressured by the European Union, domestic privacy interest groups, and other organizations to establish base-line privacy regulations.

Since the inception of the Internet, concerns about privacy have been prevalent. Numerous studies have attempted to distinguish the real concerns and test the comfort level of the typical on-line user. For the most part, however, the two key privacy concerns of individuals are (1) the unauthorized transfer of information to third parties (people do not want their names, credit histories, social security numbers, etc. circulating around the Internet) and (2) the abusive use of personal information in mass marketing campaigns.

Recent studies have shown that privacy fears may have a substantial impact of the overall level of business on the Internet. For example, Jupiter Communication released a report earlier this year stating that 64% of Web users don't trust the sites they visit, even those with privacy policies. Furthermore, the study predicted that up to $18 billion of the $40 billion in projected e-commerce sales in 2002 could be lost to privacy concerns by consumers.

Nonetheless, it is important to note that studies have shown consumers are willing to provide information about their preferences provided they are confident about how that data will be used and protected. For example, a recent study by the AT&T Labs entitled Beyond Concern: Understanding Net Users' Attitudes About Online Privacy came to several notable conclusions that directly relate to Web Personalization:

• 78% of respondents said they would accept identifiers (e.g., cookies) in order to facilitate customized service
• 60% of respondents said they would accept identifiers to facilitate customized advertising
• 44% would accept identifiers to facilitate customized advertising across multiple web sites

While these statistics show that consumers are willing to accept the idea of personalized sites, there are still lingering concerns about the use of identifiers. For example, the study found that 52% of respondents were "concerned" about cookies and that 56% of those who understood cookies (78% of the total) had changed their cookie setting to something other than "Accept All". In the majority of cases, people were more willing to enter personal information such as income or zip codes provided that they did not have to give their name or other individual identification.

In sum, these statistics show a preference for personalized sites, but companies must be able to overcome the lingering privacy fears of their patrons. These fears have to do with information sharing, information use, the given purpose for information collection, and the kind of information collection. For example, 96% of the AT&T study respondents stated that a site's sharing policy with third parties was very or somewhat important to their willingness to provide information (the highest rated factor in the study).

The AT&T study and many others have all come to the basic conclusion that users want a clear understanding of how web sites are using the information individuals provide. Not surprisingly, many government agencies and industry watchdog groups have called for consistent standards on notification and user interaction.

Privacy issues are becoming more and more important to overall online corporate strategy. For example, over the last several months companies such as Disney, Microsoft, and Intel have all announced that they will not advertise on sites that do not have a comprehensive privacy policy. The Global Business Dialog on Electronic Commerce (GBDe), a group organized by companies such as AOL, Time Warner, IBM, and Dell, has recently included privacy as one of the issues on which it hopes to soon establish global guidelines. These high profile actions by major Internet players must continue.

Already there are voices within Congress calling for legislation on the privacy issue. Representative Ed Markey has announced a bill that mirrors in many respects the EU law. He stated that the U.S. should "not wait for a privacy meltdown of Chernobyl-like proportions." Furthermore, the terminology being used by journalists to describe some the personalization industry's practices has begun to carry negative connotations. For example, a recent article stated "Web sites have used a variety of overt and covert means to collect personal information from visitors, ranging from questionnaires and registration forms, to surreptitious tracking of visitors' movements." To counter this trend, the industry and its clients should be more aggressive in codifying their own privacy policies and educating consumers.

Without a doubt, the best policy is one of industry self-regulation, given rapidly changing technology and information-gathering techniques. But the industry must ensure that self-regulation is enforceable. International organizations such as the GBDe or third-party verification groups like BBBOnline and Truste, offer the best vehicles with which to implement privacy policies. As the result of numerous studies show, privacy is a key concern of consumers, and, as their level of comfort increases, their willingness to transact over the Internet will grow.

What do I recommend to a company devising a privacy policy? The easiest and most appealing method is to contact a third-party verification group. By adhering to a set of standards policed by an outside group, you can not only demonstrate progress to government agencies and interest groups, but such a tactic can also increase consumer confidence. The level of privacy protection a company offers could be a competitive advantage.

The personal data that consumers provide is the lifeblood of the blossoming Web Personalization industry. It is absolutely essential that this information be protected and used in a responsible manner. Companies should not only conform to industry-created regulations, but should be proactive in educating their potential customers about their information privacy policies. The goal of the industry should be to achieve a state of "normalization" in the online shopping experience. Alleviating privacy concerns is not an added task, it is a core requirement to successfully attaining this goal.