Tracking internet activity and privacy: 4 questions for your company to ask now
Marketers and executives alike are quickly realising that visitors to websites are like customers entering a physical store, each bringing with them a host of personal opinions, likes, dislikes, needs and wants. Only, unlike a customer being asked to complete a questionnaire at the point of sale in your physical shop, when a customer visits your website, that visitor's information is free for the taking.
Or is it?
Behavioural advertising brings to life the concept that an IP address can provide important information about the user. An IP address of a website visitor can be used to track their geographic location, which websites they like to visit, when they like to surf the net and more. This information can then be used by companies to shape each visitor's internet experience with targeted marketing, content and advertisements. This means, for example, visitors to your website from Sydney might be displayed ads and content which is relevant to Sydney only.
All this information is available to companies through the use of technology such as 'cookies' – software programs that watch and remember online behaviour and help marketers understand the person behind the IP address. A very tasty treat for marketers.
While this technology provides a rich goldfield of data for companies and their marketing departments, businesses engaging in this activity need to stop and ask how the information will be used, how your company can address consumers' expectations about your use of their information, and ultimately whether the way your company is collecting, storing and maintaining this data is legal.
The value of behavioural advertising is exponentially increased when your business combines a user's browsing and search activities, profiling and geographical location with information already held about that customer, or volunteered by the customer during their time at your website. For example, if you have a customer who already subscribes to your email newsletter, your company will know their email address. Through using cookies, you will also know their IP address, and can track which websites they like to visit aside from your own. This may give you information about your online competitors. It also means you can ensure that this user receives targeted ads and content (for example, on banners) about information your marketing team think they will be most interested in. Optimizing your online presence through sponsored links and other keyword searching techniques with search engines such as Google are also ways your company engages in behavioural advertising.
While all of this information is infinitely valuable, the way your company collects, stores and maintains this data gives rise to legal liability in certain circumstances. Who owns the information collected about a visitor to your company's website? Does that change if the visitor accessed your site through another site or paid link? Is there a difference in your obligations where some of that information is volunteered, but where other information is collected without the visitor's knowledge and where the visitor would probably prefer it was not collected?
This situation is further complicated when more than one physical user is using the same computer or IP address. How does your business address the inevitable situation where the data you hold about a user may actually be the personal preferences of more than one person?
Behavioural marketing is legal in Australia so long as your business complies with the Privacy Act 1988. This means that while the information your company collects about a particular IP address remains anonymous, it is not caught by the provisions of the Act. Companies should also be aware and adhere to relevant codes of conduct affecting their industry.
However, once your business starts combining that data with other information so the user becomes personally identifiable (for example, by name, address, telephone number or email address), then your obligations under the Act will arise.
Most businesses combat this legal responsibility by making a 'Privacy Statement' available on their website which says what information the company is collecting about visitors to the website, how it is being collected, and how visitors can contact the company to check what information is being held about them and how they can correct it. However, many companies who have these statements may ultimately discover they were prepared without addressing behavioural advertising.
Companies also need to consider whether the nature of their website and the data it collects means the business has international legal obligations. For example, it is possible that if your company has a website tailored to the US or European markets, you may need to be aware of the regimes in those jurisdictions. In the US whilst a physical name or other personal identifying factor may never be attributed to a user's behaviour online, tracking the behaviour of an IP address over a period of time may give rise to a right of privacy. This means that regardless of the fact that the IP address is not attributable to a physical person, there may be a right of privacy in the data collected which needs to be protected.
In the European Union, an IP address is considered personal information in the same way as a name, contact number or email address, and behavioural advertising enlivens the EU privacy regime. Both the US and Europe have recently released guidelines that specifically address behavioural marketing.
If your business is engaging in behavioural advertising, the four questions to ask now are:
1. What information am I collecting about visitors to or users of my website?
2. Does that information alone or when combined with other data I hold about the user, identify the user?
3. Do I have a privacy statement on my website which addresses what information I am collecting about the user through my website, and how the user can opt-out of my company collecting this information?
4. Does my website comply with Australian and international obligations including industry codes of conduct regarding privacy?
Swaab was recently named a 2009 Winner in the ALB Employer of Choice awards, and was winner 'Best Law Firm in Australia (Revenue < $20m)' and 'Attribute Award for Exceptional Service (Australia Wide)' in the 2008 BRW- Client Choice Awards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
