Online Privacy’s Call to Arms

Web surfers aren’t just mad about online privacy violations. They’re getting even. Consumers are speaking out publicly against companies they say have gone too far in tracking their Web surfing patterns, creating public relations nightmares. They’re also heading for the courts, seeking millions of dollars in damages. Before long, companies will need to pay more than lip service to privacy protection or they may end up being forced to pay up — period.

The latest alleged corporate breach involves Sears Holdings (SHLD), parent of department stores Sears and Kmart. On Jan. 8, the Berkman Center for Internet and Society, a research program at Harvard Law School, released a report accusing Sears of violating the privacy of users of its online community site. To join, customers download a program that tracks their online purchases and other activity. Sears failed to sufficiently explain what the software does, according to the study’s authors. “It is pretty clear that they were doing some things that were not adequately disclosed to the users,” says John Palfrey, executive director of the Berkman Center.

More Transparency Needed The report follows a class-action lawsuit filed Jan. 4 in Cook County, Ill., that accuses Sears of exposing its customers to identity-theft risks by sharing individuals’ purchase histories to anyone who searched for a particular user’s name or address on the Sears ManageMyHome Web site. The suit, filed by New Jersey resident Christine Desantis and on behalf of other Sears customers, seeks $5 million in damages. Sears declined to comment, citing the lawsuit.

The report and lawsuit reflect growing unease over efforts by companies to make use of the mountains of data they collect on customers who use the Web — and the rising stakes for corporations thought to trample consumer rights. Companies are eager to harness information they collect on a person’s interests, purchases, and product searches to better tailor their own or partners’ advertisements. But when customers believe a company has gone too far, they’re fighting back. In December, users of Google’s (GOOG) Reader program flooded Web forums with complaints about a new feature that broadcast information about items that users bookmarked for their contacts in a separate Google messaging program. The prior month, more than 50,000 users signed a petition opposing a new ad program on Facebook that shared information about purchases and online activities outside of Facebook [BusinessWeek.com, 11/28/07] with a user’s “friends.”

Government officials appear to be losing patience, too. The Federal Trade Commission issued recommendations Dec. 20 demanding more transparency [BusinessWeek.com, 12/20/07] from companies that track the Web sites visited by individual computers in order to deliver ads related to a user’s past activity. The FTC said it will investigate whether “heightened protections” are needed.

“Fed Up” The concern over privacy comes as a surprise to at least some Web executives. Consumers had appeared all too willing to sacrifice privacy in exchange for convenient and free ad-supported services. Users post private data on sites such as Facebook and News Corp’s (NWS) MySpace, a sign they didn’t care who saw what they did on Saturday night or where they did it. Sure, public complaints typically follow particularly egregious violations, such as a mass loss of personal financial data or Internet searches, and an apology and a promise to better protect sensitive information quickly quelled most uprisings. Google has promised to give Reader users better control over who sees their information, but it is still sharing it with contacts. “Companies that respond to user concerns and make some changes often have been able to power through complaints,” Palfrey says.

Once lawyers get involved, companies may need to make more than changes around the edges of a policy. The threat of lengthy legal battles undoubtedly has sites taking notice. “Generally speaking, we haven’t held big companies responsible for privacy issues of this sort before,” Palfrey says. “This has to be high up there on the list of concerns with companies in the consumer Internet [space] all of a sudden.”

Indeed, consumers seem more willing to take big companies to task over privacy. “There is a sense that big companies are out to get consumers more than before, and you get the sense that consumers are getting fed up with it,” says Benjamin Edelman, an assistant professor of business administration at Harvard Business School who helped call attention to Sears’ practices. “They are sick and tired of being treated like dirt by big companies.”

Spurring the wake-up call is a more aggressive push by online sites to serve higher-priced, personalized ads based on the activities of users’ online contacts. Users showed little interest in privacy when sites were sharing information, behind the scenes, about searches and sites visited in order to deliver, say, a car ad to a computer that recently visited an auto comparison site. However, they have loudly complained as sites have begun sharing information with all the contacts in a person’s social network, turning users into unwitting product promoters.

The rude awakening of having friends know about a recent jaunt to the movies, before consciously sharing the information, has sensitized users to their online privacy more than ever. “The experiences I have had in talking to young people about this is a lot of a-ha moments,” says Palfrey. “These are multiple parties sharing data across different platforms .You are not hoping to tell all of your business colleagues and all of your friends that you just rented a certain movie or bought a book.”

Users in the Driver’s Seat Yet it’s just that kind of information that marketers want and are willing to pay for at a premium. The online advertising market is projected to reach $27.5 billion this year, according to research firm eMarketer. That money is flowing online, often from print publications, radio, and, increasingly, TV, in large part because of the potential to better target ads to those consumers most likely to be interested in, or convinced by, the particular message.

But, with the threat of legal or, increasingly, government action, companies may have to find new ways to entice marketers. Already, companies such as Google, which is seeking European Commission approval to merge with another data giant, ad firm DoubleClick, have limited the length of time for which they store search data tied to particular Web browsers and computers. And Google, Time Warner’s (TWX) AOL, and others have promised to better, and more clearly, notify users when their data is being tracked. AOL, which has faced privacy-related suits in the past, began rolling out banner ads at the end of 2007 that alert users to their data being collected. “The keys are transparency and control,” says Google spokeswoman Victoria Grand.

The real key may be that users already have more control than Web companies previously thought. With many similar sites on the Web, users can easily leave one for another that better protects their privacy. That’s what IAC/InterActive’s (IACI) Ask.com is hoping — the search engine announced a tool that enables users to keep their search data from being tracked. “In practice, there still tends to be competition to get users to your free service,” says Edelman. “It doesn’t ring true to say, if you want to use our free service, you have to jump through these hoops.”