
Privacy and trust in e-commerce

3 Platform usage information. Through web analytics systems it is possible to collect information on type of computer, browser and screen resolution used by site users (see Chapter 7).

4 Behavioural information (on a single site). This is purchase history, but also includes the whole buying process. Web analytics (Chapter 12) can be used to assess the web and email content accessed by individuals.

5 Behavioural information (across multiple sites). This can show how a user accesses multiple sites and responds to ads across sites. Typically these data are collected and used via an anonymous profile, keyed on a cookie or IP address, which is not linked to a named individual (although it becomes identifying as soon as the profile is joined to a login or registration record). Complete Activity 4.3 to find out more about behavioural targeting and form an opinion of whether it should be regulated more.

Activity 4.3 Attitudes to behavioural ad targeting

Imagine you are a web user who has just found out about behavioural targeting.

Use the information sources provided by the industry to form an opinion. Discuss with others studying your course whether you believe behavioural ad targeting should be banned (as has been proposed in some countries) or whether it is acceptable.

Suggested information sources:

Internet Advertising Bureau guide to behavioural advertising and privacy (www.youronlinechoices.com/). If you take a look at this page you will see the number of ad networks by which users can potentially be targeted. How many are you targeted by and how do you feel about it? See www.youronlinechoices.com/uk/your-ad-choices.

Digital Analytics Association (www.digitalanalyticsassociation.org/?page=privacy).

A trade association of online tracking vendors.

Google ‘Interest-based advertising’: How it works (www.google.com/ads/preferences/html/about.html), which explains the process and benefits as follows:

Many websites, such as news sites and blogs, use Google’s AdSense program (‘a network of publishers using advertising through Google’) to show ads on their sites.

It’s our goal to make these ads as relevant as possible for you. While we often show you ads based on the content of the page you are viewing, we also developed new technology that shows some ads based on interest categories that you might find useful. The following example explains this new technology step by step:

Mary’s favourite hobby is gardening. With Google’s interest-based advertising technology, Mary will see more relevant gardening ads because she visits many gardening websites. Here’s how that works: When Mary visits websites that display ads provided by Google’s AdSense program, Google stores a number in her browser (using a ‘cookie’) to remember her visits. That number could look like this: 114411.

Because many of the websites that Mary visits are related to gardening, Google puts her number (114411) in the ‘gardening enthusiast’ interest category.

As a result, Google will show more gardening ads to Mary (based on her browser) as she browses websites that use AdSense.

Answers to activities can be found at www.pearsoned.co.uk/chaffey

Table 4.4 summarises how these different types of customer information are collected and used. The main issue to be considered by the marketer is disclosure of the types of information collection and tracking data used. The first two types of information in the table are usually readily explained through a privacy statement at the point of data collection, which is usually a legal requirement. However, with the other types of information, users would only know they were being tracked if they have cookie-monitoring software installed or if they seek out the privacy statement of a publisher which offers advertising.

Ethical issues concerned with personal information ownership have been summarised by Mason (1986) into four areas:

Privacy – what information is held about the individual?

Accuracy – is it correct?

Property – who owns it and how can ownership be transferred?

Accessibility – who is allowed to access this information, and under which conditions?

Fletcher (2001) provides an alternative perspective, raising these issues of concern for both the individual and the marketer:

Transparency – who is collecting what information, and how do they disclose the collection of data and how it will be used?

Security – how is information protected once it has been collected by a company?

Liability – who is responsible if data are abused?

All of these issues arise in the next section, which reviews actions marketers should take to achieve privacy and trust.

Data protection legislation is enacted to protect the individual, to protect their privacy and to prevent misuse of their personal data. Indeed, the first article of the European Union directive 95/46/EC (see http://ec.europa.eu/justice_home/fsj/privacy/) specifically refers to personal data. It says:

Member states shall protect the fundamental rights and freedoms of natural persons [i.e. a named individual at home or at work], and in particular their right to privacy with respect to the processing of personal data.

In the UK, the enactment of the European legislation is the Data Protection Act 1998 (DPA), which replaced the Data Protection Act 1984. It is overseen by the ‘Information Commissioner’ and summarised at www.ico.gov.uk. (The 1998 Act has since been superseded by the Data Protection Act 2018 and the UK GDPR, but the principles described below remain recognisable in the current regime.) This law is typical of what has evolved in many countries to help protect personal information. Any company that holds personal data on computers or on file about customers or employees must be registered with the data protection registrar (although there are some exceptions which may exclude small businesses). This process is known as notification.

Notification The process whereby companies register with the data protection registrar to inform about their data holdings.

Table 4.4 Types of information collected online and related technologies

Type of information – Approach and technology used to capture and use information

1 Contact information
• Online forms – online forms linked to customer database
• Cookies – are used to remember a specific person on subsequent visits

2 Profile information, including personal information
• Online registration forms collect data on social networks and retail sites
• Cookies can be used to assign a person to a particular segment by linking the cookie to a customer database record and then offering content consistent with their segment

3 Access platform usage
• Web analytics system – identification of computer type, operating system and browser from HTTP request attributes of visitors (such as the User-Agent header), with screen characteristics reported by script running in the browser

4 Behavioural information on a single site
• Purchase histories are stored in the sales order database
• Web analytics store details of IP addresses against clickstreams of the sequence of web pages visited
• Web beacons in email marketing – a single-pixel GIF is used to assess whether a reader has opened an email
• First-party cookies are also used for monitoring visitor behaviour during a site visit and on subsequent visits
• Malware can collect additional information such as passwords

5 Behavioural information across multiple sites
• Third-party cookies used for assessing visits from different sources such as online advertising networks or affiliate networks (Chapter 9)
• Search engines such as Google use cookies to track advertising through their pay-per-click programs (AdWords)
• Services such as Hitwise (www.experian.com/hitwise/) monitor IP traffic to assess site usage of customer groups within a product category
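The cross-site mechanism quoted from Google above and row 5 of Table 4.4 are easier to see in code. The following is an added example, not code from the original page or from Google or any ad network: it replays a constructed browsing history through a minimal cookie jar in which a cookie is only returned to the host that set it. The publisher domains, page topics, the ad-network host ads.example-network.test and the starting identifier 114411 (borrowed from the quoted explanation) are all assumptions for illustration.

```python
"""Added example (not from the original page): how first-party and third-party
cookies give different parties different views of one browsing session.
Domains, topics, the ad-network host and the starting id are constructed."""
from collections import Counter, defaultdict
import itertools

AD_NETWORK = "ads.example-network.test"  # assumed third-party ad-serving host

# Constructed browsing history: (publisher domain, page path, page topic).
VISITS = [
    ("gardening-news.test", "/roses", "gardening"),
    ("diy-forum.test", "/compost-bins", "gardening"),
    ("city-paper.test", "/sport/final", "sport"),
    ("gardening-news.test", "/lawn-care", "gardening"),
]


class Browser:
    """Minimal cookie jar. A cookie is only sent back to the host that set it,
    which is what separates first-party from third-party tracking."""

    def __init__(self):
        self.jar = defaultdict(dict)  # host -> {cookie name: value}

    def get(self, host, name):
        return self.jar[host].get(name)

    def set(self, host, name, value):
        self.jar[host][name] = value


class AdNetwork:
    """Third-party ad server whose ad slot is embedded on every publisher."""

    def __init__(self):
        self._next_id = itertools.count(114411)
        self.profiles = defaultdict(Counter)  # cookie id -> topic counts

    def serve_ad(self, browser, page_topic):
        # The ad request goes to AD_NETWORK, so the browser attaches
        # AD_NETWORK's own cookie no matter which publisher embedded the ad.
        uid = browser.get(AD_NETWORK, "id")
        if uid is None:
            uid = str(next(self._next_id))
            browser.set(AD_NETWORK, "id", uid)
        self.profiles[uid][page_topic] += 1
        return uid

    def interest_category(self, uid, threshold=2):
        """Assign a category once one topic has been seen `threshold` times."""
        counts = self.profiles.get(uid)
        if not counts:
            return None
        topic, n = counts.most_common(1)[0]
        return f"{topic} enthusiast" if n >= threshold else None


class Publisher:
    """A first-party site. Its analytics cookie counts visits to this domain
    only; it never receives the other publishers' cookies."""

    def __init__(self, domain, network):
        self.domain = domain
        self.network = network

    def render(self, browser, path, topic):
        visits = int(browser.get(self.domain, "visits") or 0) + 1
        browser.set(self.domain, "visits", str(visits))
        uid = self.network.serve_ad(browser, topic)  # the embedded ad slot
        return visits, uid


def run_simulation(visits=VISITS):
    """Replay the visits and return what each party ends up knowing."""
    browser, network, publishers = Browser(), AdNetwork(), {}
    for domain, path, topic in visits:
        pub = publishers.setdefault(domain, Publisher(domain, network))
        pub.render(browser, path, topic)

    uid = browser.get(AD_NETWORK, "id")
    return {
        # Each publisher knows only how often *its* cookie came back.
        "publisher_view": {d: browser.get(d, "visits") for d in publishers},
        # The network links every visit through one cookie and profiles it.
        "network_id": uid,
        "network_view": dict(network.profiles[uid]),
        "network_category": network.interest_category(uid),
    }


if __name__ == "__main__":
    for party, view in run_simulation().items():
        print(f"{party}: {view}")
```

Running it shows the asymmetry the text describes: each publisher's first-party cookie reports only its own visit count, while the single third-party cookie lets the network see all four visits, count three of them as ‘gardening’ and place id 114411 in a ‘gardening enthusiast’ category. The profile is anonymous only while that id stays separate from any first-party record; if a publisher passes a logged-in user's identity to the ad slot, the same cookie links the whole history to a named person.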

The guidelines on the eight data protection principles are produced by legal requirements of the 1998 UK Data Protection Act. These principles state that personal data should be:

1 Fairly and lawfully processed.

In full: ‘Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless – at least one of the conditions in Schedule 2 is met; and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.’

The Information Commissioner has produced a ‘fair processing code’ which suggests how an organisation needs to achieve ‘fair and lawful processing’. This requires:

Appointment of a data controller who has defined responsibility for data protection within a company.

Clear details in communications such as on a website or direct mail of how a ‘data subject’ can contact the data controller or a representative.

Before data processing ‘the data subject has given his consent’ or the processing must be necessary either for a ‘contract to which the data subject is a party’ (for example as part of a sale of a product) or because it is required by other laws.

Personal data Any information about an individual stored by companies concerning their customers or employees.

Data controller Under the Act, the person or organisation that determines the purposes for which personal data are processed; in practice each company must have a defined person responsible for data protection.

Data subject The legal term to refer to the individual whose data are held.

Sensitive personal data require particular care. These are data concerning:

– the racial or ethnic origin of the data subject;

– political opinions;

– religious beliefs or other beliefs of a similar nature;

– membership of a trade union;

– physical or mental health or condition;

– sexual life;

– the commission or alleged commission of any offence, or proceedings for any offence.

No other laws must be broken in processing the data.

2 Processed for limited purposes.

In full: ‘Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.’

This implies that the organisation must make it clear why and how the data will be processed at the point of collection. Figure 4.8 suggests some of the issues that should be considered when a data subject is informed of how the data will be used. Important issues are:

Whether future communications will be sent to the individual (explicit consent is required for this in online channels).

Whether the data will be passed on to third parties (again explicit consent is required).

How long the data will be kept.

3 Adequate, relevant and not excessive.

In full: ‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’

This specifies that the minimum necessary amount of data is requested for processing.

There is difficulty in reconciling this provision between the needs of the individual and the needs of the company. The more details that an organisation has about a customer, the better they can understand that customer and so develop products and marketing communications specific to that customer.

Figure 4.8 Information flows that need to be understood for compliance with data protection legislation. The figure shows the ‘data subject’ (i.e. prospect or customer) asking ‘Do I understand the purpose, likely consequences and future use of my given data?’, and the ‘data controller’ (individual in the organisation responsible for personal data) carrying out four steps: 1 Obtain ‘personal data’; 2 Store ‘personal data’; 3 Disseminate and use ‘personal data’; 4 Modify and delete data.

4 Accurate.

In full: ‘Personal data shall be accurate and, where necessary, kept up to date.’

It is clearly also in the interest of an organisation in an ongoing relationship with a partner that the data are kept accurate and up to date. Inaccurate data are defined in the guidelines as: ‘incorrect or misleading as to any matter of fact’.

The guidelines go on to discuss the importance of keeping information up to date. This is only necessary where there is an ongoing relationship and the rights of the individual may be affected if they are not up to date.

5 Not kept longer than necessary.

In full: ‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’

The guidelines state: ‘To comply with this Principle, data controllers will need to review their personal data regularly and to delete the information which is no longer required for their purposes.’

It might be in a company’s interests to ‘clean data’ so that records that are not relevant are archived or deleted. However, there is the possibility that the customer may still buy again, in which case the information would be useful. For example, a car manufacturer could justifiably hold data for several years.

If a relationship between the organisation and the data subject ends, then data should be deleted. This will be clear in some instances; for example, when an employee leaves a company their personal data should be deleted.

6 Processed in accordance with the data subject’s rights.

In full: ‘Personal data shall be processed in accordance with the rights of data subjects under this Act.’

One aspect of the data subject’s rights is the option to request a copy of their personal data from an organisation for payment of a small fee such as £10 or £30; this is known as a ‘subject access request’. This includes all information on paper files and on computer.

Other aspects of a data subject’s rights are designed to prevent or control processing which:

causes damage or distress (for example, repeatedly sending mailshots to someone who has died);

is used for direct marketing (for example, in the UK consumers can subscribe to the mail, email or telephone preference service to avoid unsolicited mailings, emails or phone calls). This invaluable service is provided by the Direct Marketing Association (www.dmaconsumers.org). Organisations must check against these ‘exclusion lists’ before contacting you.

is used for automatic decision taking – automated credit checks, for example, may result in unjust decisions on taking a loan.

7 Secure.

In full: ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

(Techniques for managing data security are discussed in Chapter 11.)

Of course, the cost of security measures will vary according to the level of security required. The Act allows for this through this provision:

(i) Taking into account the state of technological development at any time and the cost of implementing any measures, the measures must ensure a level of security appropriate to: (a) the harm that might result from a breach of security; and (b) the nature of the data to be protected. (ii) The data controller must take reasonable steps to ensure the reliability of staff having access to the personal data.

Subject access request A request by a data subject to view personal data from an organisation.

8 Not transferred to countries without adequate protection.

In full: ‘Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.’

Transfer of data beyond Europe is likely for multinational companies. This principle prevents export of data to countries that do not have sound data processing laws. If the transfer is required in concluding a sale or contract or if the data subject agrees to it, then transfer is legal. At the time of writing, data transfer to the US was possible through companies registered under the Safe Harbor scheme (www.export.gov/safeharbor); that scheme was invalidated by the Court of Justice of the European Union in 2015, so a current transfer needs a different legal basis.

Anti- spam legislation

Laws have been enacted in different countries to protect individual privacy and with the intention of reducing spam or unsolicited commercial email (UCE). Spammers rely on sending out millions of emails in the hope that even if there is only a 0.01% response they may make some money, if not get rich.

Anti- spam laws do not mean that email cannot be used as a marketing tool. As explained below, permission- based email marketing based on consent or opt-in by customers and the option to unsubscribe or opt out is the key to successful email marketing.

Before starting an email dialogue with customers, according to law in Europe, America and many countries in the Asia– Pacific region, companies must ask customers to provide their email address and then give them the option of ‘opting into’ further communications.

Legal opt-in email addresses and customer profile information are available for purchase or rental from a database traditionally known by marketers as a ‘cold list’. Your name will also potentially be stored on an opt-in house list where you have given your consent to be contacted by a company you have purchased from or its partners.

Regulations on privacy and electronic communications

While the Data Protection Directive 95/46/EC and the Data Protection Act afford a reasonable level of protection for consumers, they were quickly superseded by advances in technology and the rapid growth in spam. As a result, in 2002 the European Union passed the ‘2002/58/EC Directive on Privacy and Electronic Communications’ to complement previous data protection law (see Box 4.3). This Directive applies specifically to electronic communications such as email and the monitoring of websites using technologies such as cookies.

Worldwide regulations on privacy and electronic communications

In the USA, there is a privacy initiative aimed at education of consumers and business (www.ftc.gov/privacy), but legislation is limited other than for email marketing. In January 2004, a new federal law known as the CAN-SPAM Act (www.ftc.gov/spam) was introduced to assist in the control of unsolicited email. CAN-SPAM stands for ‘Controlling the Assault of Non-Solicited Pornography and Marketing’ (an ironic juxtaposition between pornography and marketing). The Act requires unsolicited commercial email messages to be labelled (though not by a standard method) and to include opt-out instructions and the sender’s physical address. It prohibits the use of deceptive subject lines and false headers in such messages.

Anti- spam legislation in other countries can be accessed:

Australia enacted a spam Act in 2003 (www.privacy.gov.au)

Canada has a privacy Act (www.privcom.gc.ca)

New Zealand Privacy Commissioner (www.privacy.org.nz)

Summary of all countries (www.privacyinternational.org and www.spamlaws.com).

Spam Unsolicited email (usually bulk‑ mailed and untargeted).

Cold list Data about individuals that are rented or sold by a third party.

House list Data about existing customers used to market products to encourage future purchase.

While such laws are clearly in consumers’ interests, some companies see the practice as restrictive. In 2002, ten companies, including IBM, Oracle and VeriSign, who referred to themselves as the ‘Global Privacy Alliance (GPA)’, lobbied the EU saying that it put too much emphasis on the protection of individuals’ privacy, and not enough on ensuring the free flow of information between companies! More positively, the Online Privacy Alliance (www.privacyalliance.org) is a ‘group of more than 30 global corporations and associations who have come together to introduce and promote business- wide actions that create an environment of trust and foster the protection of individuals’ privacy online’.

Box 4.3 UK and European email marketing law

As an example of European privacy law which covers use of email, SMS and cookies for marketing, we review the implications for managers of the UK enactment of the 2002/58/EC Directive on Privacy and Electronic Communications. We will contrast this with the law in other European countries.

This came into force in the UK on 11 December 2003 as the Privacy and Electronic Communications Regulations (PECR), with an updated version in force from 2012. Consumer marketers in the UK also need to heed the Code of Advertising Practice from the Advertising Standards Authority (ASA CAP code, www.cap.org.uk/Advertising-Codes.aspx). This has broadly similar aims and places similar restrictions on marketers to the PECR law.

The PECR law is a surprisingly accessible and common‑ sense document – many marketers will be practising similar principles already. Clauses 22 to 24 are the main clauses relevant to email communications. The PECR law:

1 Applies to consumer marketing using email or SMS text messages. Regulation 22(1) applies to ‘individual subscribers’, which currently means consumers, although the Information Commissioner has stated that this may be reviewed in future to include business subscribers, as is the case in countries such as Italy and Germany.

Although this sounds like great news for business-to-business (B2B) marketers, it could be dangerous. The Advertising Standards Authority found against a B2B organisation which had unwittingly emailed consumers from what they believed was