United States: DoubleClick and the Privacy Wars

Co-written by Jennifer Girard Gehrlein

As the average American has always feared, big brother is watching. And his name is DoubleClick. The "Privacy Wars" are officially declared.

The Internet is properly touted as a near-miracle tool for expanding the ability to communicate and gain access to information for everyone — but as usual, there is a flip side. It is also a uniquely capable tool for gathering and distributing information about everyone who uses it, and that capacity is the driving force behind the Privacy Wars.

Much of life's good and bad fortune seems to be the result of being in the right place at either the right or wrong time. Amazingly, DoubleClick has done both. It was one of the first companies to see the potential of Internet advertising, and today it provides the advertising on Web sites that are members of its "DoubleClick Network," which consists of some of the most highly trafficked Web sites on the Internet. The result of being in the right place (Internet advertising) at the right time (the rapidly growing Internet is the most quickly and widely adopted technology in history) made DoubleClick one of the strongest New Economy stocks in a very strong market. But today everything happens in Internet time, and the good news came fast and went fast. DoubleClick has become the poster child for privacy abuses on the Internet — the right place at a very wrong time.

DoubleClick provides the DoubleClick Network sites with advertisements to display to their users, and it monitors the users who receive ads from these sites through the use of cookies. "Cookies" is a term used to describe the information that a Web site places on a user's hard drive so that the site can recognize that computer on later visits and remember its user's preferences. The information recorded by cookies is called "clickstream data," which includes information about the Web sites that a user visits, how long he or she spends at these sites, and what, if any, online purchases that person makes. And cookies may be even more powerful than this. Not only can a Web site read the cookie that it places on a user's hard drive, but it also may be possible for that site to read other cookies on the same hard drive placed by other Web sites.

Cookies have many positive benefits to Web users, including the ability to streamline transactions and customize an Internet experience. The problem comes when online cookies are connected to an offline user. And this is how DoubleClick has gotten itself into trouble: by using cookies to collect a user's clickstream data and then proposing to connect that information to the user's identity and data about his or her offline behavior.

For several years, DoubleClick has collected the navigational history of users who visit DoubleClick Network sites. When a user receives an advertisement from one of these sites, DoubleClick deposits a cookie on that user's computer hard drive. The cookie contains a unique identification number, which enables DoubleClick Network sites to identify that specific user on future visits to their sites. DoubleClick is then able to leverage a user's experience on each of the DoubleClick Network sites to build an impressive cookie file of a user's Internet activity, or navigational history. Through DoubleClick's "DART" technology, DoubleClick is then able to target the advertisements displayed to the user based on the navigational history contained in the user's cookie file. DoubleClick states that it creates these cookie files and uses DART technology so that it can offer consumers the benefits of targeted advertising.

The problem for DoubleClick came when it announced that it was going to connect the data about a user's online navigational history with that user's offline spending habits, a practice that is an almost complete reversal of DoubleClick's previously stated privacy policies. DoubleClick reportedly acquired the capability to match an individual user's clickstream data with his or her offline purchasing history as a result of its purchase of Abacus Direct Corporation ("Abacus") in November 1999. Abacus is a leading provider of specialized consumer information and analysis for the direct marketing industry. According to the complaint against DoubleClick filed by the Electronic Privacy Information Center with the Federal Trade Commission ("FTC"), the Abacus database contains information about the spending habits of more than 88 million people derived from more than two billion offline purchases. Although some privacy groups protested the $1.7 billion acquisition of Abacus by DoubleClick, the Privacy Wars did not really grab people's (and Congress') attention until DoubleClick announced its intention to match online navigational histories in the DoubleClick Network database with offline purchasing information in the Abacus database.

According to media reports, after it acquired Abacus, DoubleClick began creating user profiles that merge information from the two databases. Reportedly, it happens like this: If you provide identifying information about yourself, such as your name and address, to a Web site that is part of the "Abacus Alliance," DoubleClick stores that information. DoubleClick is then able to connect the identifying information you provided with the cookie ID number that it placed on your hard drive. The result is that now DoubleClick knows that you, John Doe, who provided your name and address when you registered at an Abacus Alliance Web site last week, searched for "automobiles" earlier this morning on the AltaVista Web site, a DoubleClick Network site.

The result of DoubleClick's advances in technology and information-collection practices is that DoubleClick is positioned to provide user-specific navigational data to companies to enable them to market directly over the Internet to individuals who have shown an offline purchasing history of being interested in their products. This is an online marketer's dream, and a privacy watchdog's nightmare. Not only is DoubleClick poised to connect online and offline data, but, according to DoubleClick's critics, it does so in a manner that allegedly violates its previously stated privacy policies. The result of DoubleClick's current and proposed practices is investigations by the FTC and at least three state attorneys general's offices, as well as a flurry of class action lawsuits.

The FTC investigation centers on whether it is an unfair or deceptive practice for a Web site to say one thing in its posted privacy policy and do the opposite when it collects data from users. Peggy Twohig, assistant director for financial practices at the FTC, was recently quoted as stating that the FTC does "a lot of investigations that nobody knows about because our policy is to keep them private. The ones you have heard about recently are only the ones that have become lawsuits or have been made public by the companies involved." She further warned, "The FTC can be called in anytime a company misrepresents its practices to consumers. If you post a privacy policy to consumers and you violate it, then we can act."

The FTC investigation is just one of the many actions that the FTC has taken recently to position itself as the Internet regulator. All you need to do to see the possible consequences of this federal regulatory oversight is read a few Securities and Exchange Commission filings by e-commerce companies, which are now uniformly warning investors of the perils of a "rapidly evolving and uncertain regulatory environment." The FTC now has more than 80 staffers working on Internet commerce issues, and its Chairman, Robert Pitofsky, says, "Internet commerce is the No. 1 issue for us." For all companies involved in e-commerce, this should be a wake-up call. FTC oversight in this area, under its existing statutory authority, would mean a regulator with essentially no boundaries and no limits, because the statutes the FTC is invoking prohibit the malleable concepts of "unfair" and "deceptive" conduct. Not surprisingly, history has shown that the FTC's definition of "unfair" is frequently not familiar to dictionary publishers.

The class action lawsuits should be another source of concern to companies who could be targeted in the future. The entrepreneurial business of bringing class action lawsuits on a wide variety of subjects — tobacco, guns, defective products of all kinds, securities fraud, and now privacy — is no longer a business of a few solo lawyers looking to scratch out a living by chasing ambulances and suing the manufacturer of the car in which the victim was riding. The cigarette cases, which produced a guaranteed flow of funds to the plaintiffs' lawyers in the billions of dollars, have transformed plaintiffs' lawyers from small businesses to conglomerates. One plaintiffs' lawyer recently made a hostile bid for a significant company; others have begun to find new potential lawsuits and now have no trouble at all in funding those legal challenges to conclusion. Bringing lawsuits is now big business, and if privacy class actions show any traction at all — and more especially, if the plaintiffs' bar can ever find a target that has really deep pockets — we will see many more such lawsuits.

But these are only the most visible skirmishes; the Privacy Wars actually have many fronts. For example, there has been a two-year diplomatic battle between the European Union ("EU") and the United States over the application of the EU's privacy rules, which are much more protective of personal data (broadly defined) than is American law. A literal application of the EU rules to the Internet would have effectively stopped trans-Atlantic electronic commerce, so both sides have been trying to find some middle ground. A tentative agreement was reached in March under which the EU would permit personal data to be transferred to U.S. companies who agree to comply with a set of "safe harbor" principles on privacy protection. Formal approval and implementation of the "safe harbor" compromise will have a major effect in the United States, because the Internet knows no geographic boundaries.

There is also the problem of "screen scrapers," or people accused of pulling information off e-commerce Web sites without permission and then using or selling that information. Some organizations, especially banks with online services, are concerned that bill-paying and similar sites are collecting customer information and then misusing it, without either the bank's consent or informed consent from the customer. The banks are really worried about someone else making commercial use of the information, instead of the banks. These kinds of "who can do what with which data" fights are likely to continue for some time in the absence of controlling legislation. But the FTC, in another bid for prominence here, has already proposed rules to protect the privacy of customers who use financial services sites — and again not surprisingly, the FTC defines such sites very broadly indeed. And President Clinton has explicitly warned that unless the online community broadly adopts "effective" privacy controls, the federal government will step in. When the politicians start talking about a problem, you know that they sense that this is an issue that resonates with voters; no other sign that this is a real live issue is necessary.

So, how is this all going to turn out? Well, DoubleClick has already decided this is a war it sure doesn't want to fight alone; it announced recently that it had "made a mistake by planning to merge names with anonymous user activity across Web sites in the absence of government and industry privacy standards." It dropped (for the time being) its plans to amass a combined database of people's names, offline purchasing behavior, and Internet habits. But the stakes — and the potential impact on the Internet — are much higher than one company's business model.

This information-collection controversy threatens the free nature of the Internet. Just as people have always accepted the fact that television stations run commercials so that people can view programs for free, advertisers place banner ads on Web sites so that those sites can be provided without cost. No one is recording your television viewing habits, however, while someone is collecting data on your Internet habits. Nevertheless, market research is a critical ingredient in effective consumer communication, and collecting information about what consumers do and think is a widely practiced and accepted fact of an advertising economy. On the Internet, however, it is much easier to actually track what consumers do, rather than have to depend on them telling you what they did, and thus the incentive to collect and use this more accurate information is very strong. For many people, it is abhorrent that someone can "spy" on what they do on their computer in the privacy of their home. The irresistible market impulse meets the unmovable personal reaction, and something will have to give. If enough people feel strongly enough, there will be laws and regulations in this area, and they will restrict business' ability to use certain kinds of personal information.

Until the FTC, or some legislative body, produces new regulations or laws for this area, the principal liability exposure for a Web site that collects user data are class action lawsuits and regulatory actions that arise when the Web site uses the data it collects in ways that violate its stated privacy policy. Accordingly, the current prudent course for Web sites is to: (1) state what information your site collects and exactly how that information is used in a privacy policy, and (2) follow your stated privacy policy. Web sites also need to be aware of the privacy policies of companies with whom they do business, to ensure that information about their users is not being used by others in a way that violates the site's stated privacy policy. Finally, while the practical limitations of this approach are obvious, for certain types of particularly personal information, companies should consider seeking affirmative approval from the individual consumer for the use of that information.

Nobody likes a snoop, and as long as that is the impression that remains on the minds of consumers and voters about Internet data collection, the risk of heavy-handed regulation will be high. It will require a considerable and concerted effort by the e-commerce industry to change this mental impression.

For further information on the subject of this Technology Commentaries, please contact the principal authors, Robert W. Hamilton in our Columbus Office (telephone: 614/469-3848; e-mail: rwhamilton@jonesday.com) and Jennifer Gehrlein in our Cleveland Office (telephone: 216/586-7289; e-mail: jgehrlein@jonesday.com), or any lawyer in the Firm's Technology Issues Practice at tip@jonesday.com. We invite you to visit our Web site at www.jonesday.com.