Assistant Professor Kim Sheehan

by Kim Sheehan and Timothy Gleason

The Federal Trade Commission (FTC) informed Congress in July 1999 that new Internet privacy laws concerning information collection and usage are not needed at this time and endorsed a regulatory policy of self-regulation. This recommendation was based on the FTC’s opinion that companies with a presence on the World Wide Web are likely to gradually create rules of their own for the handling of information collected at Web sites. While applauding a perceived trend on the most visited Web sites toward better protection of consumer privacy, the Commission cautioned the Internet community that “Congress and the Administration should not foreclose the possibility of legislative and regulatory action” absent “swift and significant additional progress.” Several FTC commissioners as well as privacy advocates disagreed with the FTC decision, citing a lack of comprehensive Web site privacy policies; a lack of full disclosure about the use of information gathered on Web sites; and the lack of opt-out policies on many sites. Additionally, relatively few Web sites disclose information practices that address the FTC’s four fair information practice principles of notice, choice, access and security.

By May 2000, a majority of the commission reversed its position and adopted the critics’ views. Chairman Pitofsky reported to Congress that “industry efforts alone have not been sufficient.” With increased calls for legislative action and evidence that online consumers desire strong privacy protection, it is important to investigate Internet advertising practitioners’ perceptions of consumer attitudes toward information collection and usage practices, and assess practitioners’ responses to consumers’ concerns.

This study first surveyed advertising practitioners in the United States involved in online advertising and marketing for their clients. The survey recipients were provided with a questionnaire that was identical to a previous survey of online users that described fifteen online advertising and marketing practices involving information collection and usage. Practitioners were asked how concerned they thought the average online user would be about each practice. Seven behaviors that can be adopted by consumers to protect their privacy online were also provided in the survey. The survey asked practitioners how frequently the average online user adopted each behavior.

Advertising practitioners recognized that the 15 practices were likely to cause different levels of concern among online consumers, and recognized which practices caused high levels of concern among online users and which did not. For example, online consumers were fairly unconcerned about their privacy when they received e-mail from a company they recently e-mailed and when they had received e-mail from a company they currently did business with. Other practices caused a moderate level of concern. For example, online consumers are moderately concerned when they receive e-mail about a new product from a company they’re familiar with but they do not do business with, or when they are asked to provide their name in order to access a home page. Certain practices caused a high level of concern. Online users are highly concerned when they are asked to provide their social security number to access a home page.

Of the seven behaviors assessed, advertising practitioners accurately recognized the frequency that online users reported that they adopted four of the behaviors. For example, they correctly identified that online users reported that they read unsolicited e-mail and register for Web sites slightly less than half of the time. Advertising practitioners also recognized that online users rarely notified their Internet Service Provider about unsolicited e-mail that they received.

Dean Tim Gleason

The survey was followed by a content analysis of responding practitioners’ advertising agency and client Web sites. Given the evidence that practitioners understood privacy concerns, it was expected that many of the sites for both the agencies and their clients would address such concerns. However, this was not the case for this sample. A very small percentage (5%) of advertising agency Web sites had a posted privacy policy. One fourth of these sites collected personally identifiable information, most often from a Web form. Of these sites, 18% had a posted privacy policy. For the agency clients, the situation somewhat improved. More than one-fourth (28%) of the Web sites had a posted privacy policy, which is higher than the agency percentage. The majority (67%) of the client sites collected personally identifiable information. Of these sites, less than half (42%) had a posted privacy policy.

Of the sites with privacy policies, all addressed the FTC’s core principle of notice; that is, they alerted visitors that information was being collected about them. Beyond that principle, however, only one site addressed consent and none of the sites addressed access or security.

This study’s results indicate that practitioners are aware of consumers’ privacy concerns but fail to take appropriate actions to address them. In a July 2000 critique of the NAI initiative, the Electronic Privacy Information Center argued that “strong laws and effective enforcement” were needed to protect consumer privacy. The conflict between practitioners’ knowledge of consumers’ concerns and the privacy practices on Web sites indicates that the critics may be right.

Given that the current study finds that Internet advertising practitioners seem to have a good understanding of consumer concerns, it seems appropriate that practitioners should be well equipped to craft privacy policies that address such concerns. However, it was apparent that this is not the case in many situations. Advertisers rarely provide privacy policies as part of their online content, either for their own agency Web sites or for their clients’. Therefore, it appears that advertising agencies are not “walking the talk” in terms of online user privacy.

In summary, this study seems to indicate that the FTC is correct in recognizing that American businesses seem to be making an effort to understand the importance of privacy in the online environment. It also confirms the recent pronouncements that self-regulation alone is not sufficient to protect consumer privacy online. Because content developers do not appear to make their knowledge of consumer privacy concerns manifest on their Web sites, additional means may be necessary to ensure that consumer privacy online is not violated.

A longer version of this article is scheduled to appear in the Journal of Current Issues.