October 2003   

That kind of personalized shopping certainly has its advantages. Customers can create profiles that include their buying and shipping information, so that they need not bother to reenter that information each time they purchase from the site. Once they've registered and surfed, the site can direct them to areas they seem to prefer, bypassing others that appear to spur no interest. One of the early leaders in this direction is Amazon.com, which tailors its opening page to show the returning customer only the recently visited areas of the site. And as any good shopper knows, a store that doesn't waste your time is a store that's more likely to get your business.

However, personalization has its drawbacks. With growing concerns being voiced over privacy issues on the Internet, personalization has drawn the unwanted spotlight of public and even governmental scrutiny. Because personalization involves tracking a customer both by identifiable and non-identifiable information, privacy becomes a very real issue for e-commerce sites.

Invasion of Privacy

Personalization as it was originally conceived was simply meant to be a way of altering information given to online customers to match their individual interests. While there doesn't appear to be anything amiss with that approach, other extensions from the concept began to appear.

Companies that stored personally identifiable information, or PII, such as names, addresses, phone numbers, credit card numbers, and even Social Security numbers, began to sell or share that information with other companies, allowing those third parties access to customers who had not requested their services. Spam emails began to proliferate, but even that seemed minor compared to the more troubling vision of credit card numbers being abused, either within a company or by hackers.

Not surprisingly, customers who were bombarded with spam emails or credit card bills with unauthorized charges became concerned and angry over what they viewed as an invasion of their privacy. Even if they'd authorized the originating company to use that information, many felt they hadn't been informed -- and in many cases, they hadn't -- of how that information would be used.

Bridging the Gap

As a result of public outcry, Federal and state governments began looking into the issue. "There are currently more than 4,000 bills pending at a state level, and many more before Congress," says Bonnie Lowell, co-chair of the Personalization Consortium's Privacy Committee. "Many of these bills focus exclusively on online privacy, security, and PII handling."

The Personalization Consortium is a voluntary organization of 26 systems integrators and vendors, which has as its goal the construction of standards for the use of personalization. Their aim is not to destroy personalization, but to enhance its privacy features to make the process of shopping online safer and yet still more convenient for customers.

Lowell says that companies wanting to balance personalization with privacy should, first and foremost, be clear about the privacy policies on their sites. "Disclosure is commonly done in the form of a privacy policy posted at the e-business site," she says. "However, there are new software services aimed at promoting online privacy by offering intelligent, managed disclosure methods, including the ability to make a privacy policy interactive through a new technology standard called P3P." P3P, or Platform for Privacy Preferences, is technology designed to simplify the user's process of understanding a site's privacy policy. P3P would collect the user's privacy preferences and screen through a privacy policy, flagging any discrepancies between the user's preferences and the site's stated actions.

Lowell feels the next important consideration is participation management. Using a combination of opt-in and opt-out will allow customers control over the personalization experience, and keeping the customer informed of that control is important as well. "The ultimate goodwill an e-business can provide their customers with is a combination of opt-in and opt-out that is clearly disclosed in a privacy policy," says Lowell.

Do's -- and a Don't

Lowell provides a list of suggestions for sites trying to bridge the gap between privacy and personalization:

• Do understand which customer base you are personalizing to and what your expected results are. Without this knowledge, it's difficult to select from the different categories of available personalization software.
• Do provide the best method of disclosure possible; always have an up-to-date, clearly accessible privacy policy.
• Do provide the best method of program participation possible. A combination of opt-in and opt-out is optimal.
• Do only take the customer PII that is absolutely required to perform a business process, such as credit and shipping information. Most information required to personalize a customer is not personally identifying -- such as travel and restaurant preferences -- and doesn't need to be tied back to their identity.
• Do educate your entire company, not just the team doing the personalization implementation, about PII handling practices. A fair amount of PII exposure happens from the mishandling of printed information within a company.
• Do plan and implement methods of access to any PII stored about your customers.
• Don't sell your customers PII (including email addresses) unless they have consented and you are providing them with a value for it. Web surfers hate spam and are often aware of its origins, making sure they avoid the offenders and pass their names along to friends, family, and co-workers.

The Future of Privacy and Personalization

Following Lowell's recommendations to assuage privacy fears is only the beginning. As personalization techniques become more sophisticated and intelligent, companies will need to increase their privacy measures to keep increasingly savvy consumers from clicking away from what they see as a high risk.

But if e-commerce sites think "out of the box," finding different ways to use existing technology, privacy issues may fade and recede, says Michael Ponder, formerly the Internet Research Manager for JCPenney and now an Internet researcher and consultant. "Privacy and personalization doesn't have to be an 'either/or' question," he says. "The question has always been how that information is used."

He sees current personalization technology being used in what he refers to as a toddler state. "We're applying old-fashioned rules to a new environment," he says. "It's similar to the first TV shows, which were nothing more than radio shows broadcast before a camera. We're using old ideas of personalization in a new arena."

What he sees as the future requires retooling current personalization concepts. "Why create profiles of a customer's past?" he says. "At least one-third of the time, customers are not shopping for themselves, so at least thirty-three percent of a customer's profile is just plain wrong."

Instead, he says, serve the need, not the profile. "The technology exists today to serve the customer's current needs," he says. "When you go into a brick-and-mortar store, you expect the salesperson to help you find what you need that minute, not what you needed the last time you shopped there. Web sites should do the same thing: focus on what the immediate need is, not the past history."

By doing that, Ponder believes that privacy issues can be reduced considerably. "Don't try to steer or force sales, just try to help the customer," he says. "There's no privacy issue if the control of the technology is in the viewer's hands. 'Collaborative' will be the key word."

But Ponder acknowledges that focusing on the immediate needs of the customer still requires the e-tailer to back off from traditional marketing practices of selling information and engaging in spam email. "Some say those names are worth money," he says. "But they're becoming less and less worthwhile, especially as customers become more and more hostile. People are not demographic blocks. They need to be seen as units needing help, not names on a list to be sold. People don't want to be 'marketed at' -- it's the unwanted stuff they get that annoys them and drives them away."