Visitor Monitoring Achieving & Maintaining Privacy on Your Website | Keynote
Article

Achieving & Maintaining Privacy on Your Website

An interview with Keynote Director of Privacy Services Ray Everett

Few assets are as valuable to business brands today as their online presence. Fortunes rise and fall with website reputation, and news of even minor missteps can rocket across social networks and dull a brand's luster. And as this year's Google-gate proves out (see accompanying story), running afoul of user privacy is guaranteed to generate bad headlines and user ire. Benchmark recently sat down with Keynote Director of Privacy Services Ray Everett, author and long a leader in online privacy matters, to talk about how website owners can balance the competing priorities of protecting user privacy and maximizing monetization of their sites.

Benchmark: If website owners have privacy policies in place, why do they need to be concerned about tracking?

Ray Everett: The simplest answer is that you have to make sure that once you have a privacy policy in place that you're actually living up to it. And if you have third party advertising networks appearing on your site, you really can't guarantee that they are all going to be adhering to your policy.

A privacy policy is also a fixed point in time, but a website is constantly dynamic, with changing content or changing ad networks that are being cycled in and out by your ad partners. So just having a policy doesn't guarantee that each partner or each partner's partner will be aware of that policy and adhere to it. You can hope for the best, but you need to monitor and verify.

Benchmark: If I’m interested in making money off of my website, and I want to sell as many ads as I can for as much as I can, don’t I just want to leave tracking out of my privacy policy so I don’t have to worry about it?

Ray Everett: Failing to disclose that tracking is going on or failing to give people notice of tracking activities is really a fundamental failure of a privacy policy. The core of a privacy policy is giving users on your site notice regarding any activities that impact their privacy, and giving them the ability to make an informed choice.

So if you don't discuss tracking, then you haven't given folks appropriate notice. And if you have a policy that is 'no holds barred, abandon all hope ye who enter here,' that's not going to be very well received by consumers either.

Having a privacy policy that runs counter to consumers' expectations is as bad as having no privacy policy at all.

Benchmark: So you shouldn’t bury on Page 48 of a privacy policy that users will be tracked.

Ray Everett: Absolutely not. Because the folks who make it their point to care about privacy practices online – and there are many tools and services out there that do this – will dig down in that privacy policy and then rate your site poorly if you have made choices that are not consumer-friendly.

Consumers are increasingly using these tools, whether they are features built into browsers or plug-ins and add-ons that monitor and give consumers a real-time score about the nature and quality of the sites they're visiting. Those are having a real impact on how consumers are becoming aware of privacy practices.

Benchmark: So websites have an interest in protecting privacy. But the flip side of the coin is that advertisers want more specific targeting than just putting an ad on a site because of its content or general user profile. They want behavioral advertising. How are those competing interests reconciled?

Ray Everett: Certainly, website publishers have choices to make about how they monetize their site, and to what lengths they're willing to go to increase that revenue. Having a no-holds-barred approach with regard to tracking and advertising can be more profitable, but it can also leave a bad taste in consumers' mouths.

There's an infamous video online of the CEO of Zynga, Mark Pincus, giving a speech at a conference. And he was basically explaining how, in the early days of Zynga, they drove users to advertisements and forced them into downloads of all sorts of junk – spyware and tracking software, and just shoving all sorts of ads at every opportunity – to the point where he actually had to have them wipe his laptop. He had so many of these things stuck on there that he couldn't use his laptop.

This sort of thing has a real consequence for consumers' experiences. And hopefully the lesson is learned that if you burn consumers, they will burn you, too.

Hopefully companies are making choices that trend towards sustainable relationships with their consumers. And part of that is going to be making choices about how to monetize the site in a way that is consistent with consumers' desires and expectations.

The balance that must be struck is how aggressive you get with your marketing and your revenue choices versus how smooth and unimposing you want your consumer's Web experience to be.

Benchmark: So that elusive middle ground is a worthwhile goal. Is there some way through privacy policy and choice of partners that you can have some middle ground with tracking?

Ray Everett: Sure. The answer is to build strong partner relationships with reliable advertising networks and all parts of the ad ecosystem that you have a connection with. If you reach out and build strong relationships with reputable ad networks, that can be a way to help deliver on the expectations that you set. But you also must understand that the advertising ecosystem is very large and sprawling and chaotic.

And as hard as the ad networks may try to police, there's just so much traffic and so much ad content being drawn from so many sources that the websites themselves will have to monitor the networks for compliance.

It falls to you as a website publisher to keep an eye on your site and understand what's going on. Just as you might, on the operations side, have service level agreements with your website hosting company or bandwidth provider or content distribution network. You have to be able to actually monitor their performance so that you are assured that you're getting what you've paid for.

The same holds true with advertising networks and making sure that they are delivering the content as promised.

Benchmark: So what’s a poor consumer to do at this point, other than try to cobble together some sort of protection for themselves until there is some more universal protection in place. I can download a scoring tool and look at the scores. I can use one of the software tools that flat-out blocks tracking. But certainly a consumer’s not going to go and read the privacy policy of every site they visit. You visit dozens of sites in an hour – it’s not practical. So is the consumer just at the mercy at the industry right now?

Ray Everett: The short answer is yes. A consumer really only has the tools they have. The newest versions of the browsers have more privacy controls, more capability to block or delete cookies as they come in. There's the capability of using private browsing sessions or anonymous browsing sessions that essentially dissociates your browsing during that session from your normal day-to-day browsing.

So if you are going to visit a site that you're not sure of or have some reason to distrust, you can switch on these settings in your browser that will give you a heightened level of anonymity.

But all the websites out there don't always respect those technological measures. There are sites that use, for example, the Flash player to circumvent in-browser cookie blocking. There's a bit of a continuous arms race here with new aggressive advertising techniques and then tools developed to help consumers regain some level of control.

Unfortunately, that arms race continues and at the end of the day, consumers have to take responsibility for their own online experience and do the best they can.

Certainly the industry is working to help make it easier and more reliable for consumers who are going to popular sites from trustworthy sources. But the trustworthy guys tend to be trustworthy, or at least make an attempt at it. The bad guys aren't going to be premier members of industry self-regulatory organizations. They're going to be off in their own little world doing their own thing and try and take advantage of as many people as they can.

Benchmark: How does a website owner know they’re dealing with the good guys?

Ray Everett: The advertising networks have been affiliating themselves for a number of years with various industry organizations such as IAB, the Interactive Advertising Bureau, and industry initiatives such as the Network Advertising Initiative or the Digital Advertising Alliance.

Those organizations have tried to create more opportunities for good guys to demonstrate just how good they are – to develop policies and practices that are geared towards making their activities more transparent to consumers, to make privacy policies more easily understood, to take advantage of the new technologies, and to encourage coding websites so that they respect the signals that those browsers give off when people are trying to block cookies.

Those organizations that are trying to be responsible tend to self-identify by organizing themselves into these industry trade groups. That's a very good place to start.

The reality, though, is that you look at these organizations and they have dozens, or in some cases, 100 members or more. But we've identified over 600 individual advertising networks. A lot of them are not affiliated with any of these organizations. They do not have very transparent policies. They are sometimes very difficult to track down and figure out who exactly the organization is.

There are simply too many ad networks appearing with too much frequency to track and monitor without a tool such as our Web Privacy Tracking tool. Web Privacy Tracking gives you the capability to monitor and report on any violations of your privacy policy that appear on your site, and gives you the actionable intelligence to address those issues as they arrive. That can be extremely valuable in identifying an unknown risk, an unknown threat.

Benchmark: But if a site has vetted its ad partners and believes they’re going to honor their privacy policy, how is it that violations end up happening? How does your site gets contaminated, if you will?

Ray Everett: This happens because the ad ecosystem is so huge and the demand for advertising space, for high quality ad placement, is high. As a result, the number of ad networks competing to get their content slotted into your site is also very high.

There's a reason why there are 600-plus ad networks out there. It's because there's demand and money to be made in serving up those ads. So while you may have partnered with some good advertising networks, they are part of an ecosystem that is still a bit of the Wild West. At the end of the day, these ad networks are driven by the need to put an ad into a slot on a website. So they will search out new content providers that can fill that need.

New ad networks are coming up constantly. And ad networks are changing.

One day they may be great, but the next day they may have a new ad in circulation that violates your policies – that places tracking cookies in violation of your policy, for example. So your ad partners themselves, as hard as they may try, cannot guarantee that things will always be sweetness and light.

You as a good manager of your site have to continually go through that due diligence process to not just investigate and partner with good companies, but to continually ensure that those companies are delivering on their promise.

Benchmark: So we see a lot of the downside to taking privacy lightly. But what’s the upside? What’s the opportunity that is presented by good privacy practices?

Ray Everett: Good privacy practices are a definite brand builder. There is an aspect of privacy that is hard to quantify, in that privacy is most noted in its absence. So typically when a privacy problem arises, at that point your brand suffers.

There is a perspective on protection that good practices give you. Building strong privacy policies, and systems for reviewing and ensuring compliance, helps prevent the negative consequences – damage to brand, damage to reputation, breach of consumer trust.

So you'll see few consumers dancing in the streets about how wonderful the privacy protections are at a particular site. But you will see them riot in the streets when their privacy is breached.

Benchmark: What is your advice to website owners? How do they keep from getting stung by this whole issue?

Ray Everett: First of all, they should not fear monetization of their website. They should not fear advertising because there is great value to be had. And good targeted advertising can be not only a value to the website publisher, but also to the visitors of the site.

If ads are delivered in intelligent context and at appropriate times, they can be very well-received and highly effective. So do not fear advertising. But do understand that it is in some sense playing with a bear trap. And if you make a wrong move, that trap can spring shut.

While you have to go boldly forward and seek to monetize your site in a responsible way, you have to be aware that things can go wrong. And you have to plan accordingly.

So building privacy policies, building techniques for assuring adherence to your privacy policy from your vendors and suppliers, teaching your own employees how to comply with privacy policies and procedures, and then ultimately monitoring your site's performance – including the performance of your ad partners as they are helping you to get the most out of your content. That's what it takes to make sure you're respecting users and maximizing your site revenue at the same time.

About Ray Everett

Ray Everett is director of privacy services at Keynote. He’s been called the “dean of corporate privacy officers” byInter@ctive Week magazine for his role in establishing one of the world’s first corporate chief privacy officer roles and helping to create the first professional certification organization for the privacy industry. Ray has more than 15 years of consulting experience working with more than a dozen Fortune 500 companies, as well as extensive experience working with start-up companies creating privacy-related products and services. He is a co-author of Internet Privacy for Dummiesand Fighting Spam for Dummies, has testified before Congress, and has worked as an expert witness in several groundbreaking Internet privacy lawsuits. A native of the Washington D.C. area, Ray holds a law degree from George Washington University.

Back to Top