Feature: After the privacy controversary, DoubleClick looks ahead

This week, the US government agreed to develop a “safe harbour” system to ensure that US organisations that transfer data out of Europe protect the rights accorded to EU citizens by the 1998 Data Protection Directive. This might not sound terribly exciting - but given the laissez-faire, self-regulatory climate in the US, there's no doubt that it is significant. If nothing else, it is testimony to the fact that privacy is shaping up to be a pivotal issue for the internet industry.

Earlier this month DoubleClick, the US internet advertising company, was forced to make an embarrassing climbdown following a furore over its plans to link offline databases - which contain names and addresses - with anonymous profiles of internet audiences. DoubleClick's CEO, Kevin O'Connor, issued a statement in which he said that he had made a “mistake” by planning to merge the names - contained within databases held by the direct marketing company Abacus Direct, which was recently acquired by DoubleClick - with anonymous user activity across web sites. O'Connor emphasised that the plan had not been implemented and that DoubleClick would not link identifiable information to web activity.

In the wake of the controversy, DoubleClick created two new, high-level privacy positions. Jules Polentsky, New York City's consumer affairs commissioner has been appointed as DoubleClick's chief privacy officer and will act as an ombudsman for internet users, says DoubleClick, working with clients to develop, police and publicise their privacy policies. Meanwhile Bob Abrams, formerly New York State attorney general, will chair the company's privacy advisory board, heading an independent group of outside experts that will make recommendations to DoubleClick on improving its privacy procedures.

Eric Stein, managing director of DoubleClick UK, says that the appointments signal a commitment to safeguarding the privacy of internet users and to developing industry standards, in the US and Europe. “[There's] a commitment to working with government and partners in the industry to set standards, standards that are acceptable to the government and standards that work for the industry.” Of course, one might equally observe that the appointments are designed to show that the industry can regulate itself - thus heading off any calls to bolster privacy regulation.

DoubleClick's view is that excessive privacy regulation could threaten the embryonic internet economy - and for governments eager to foster the new-media economy this is quite an effective threat. “If they [internet advertisers] are regulated into an environment where they are just throwing it [their marketing budget] away they're just going to stop. I think self-regulation can work and be effective and we'd prefer to see that,” says Stein. “I think no-one wants to do the industry and the economic development that's going on any harm and I think the industry can and should be trusted to regulate itself.”

“I think our lesson is that advertising needs to work - there's too many businesses that rely on it, it's too much of a power in the internet economy and it's a powerful force for… bringing consumers free services for it not to work,” elaborates Stein. “And in order for advertising to work it has to work for both sides. It has to work for the consumer - they need to have their privacy guarded and respected - and it needs to work for advertisers who need to have… the possibility that their marketing dollar is spent effectively.”

Of course, the regulatory environment in the UK is in any case rather more stringent than that in the US. The Data Protection Act 1998, which is based on EU Data Protection Directive and came into force in the UK on 1 March 2000, gives individuals more control than previous legislation over information that is held about them as identifiable individuals. Helena Simms, compliance manager at the Data Protection Registrar, says; “Where information relates to someone who is identifiable - or likely to become identifiable - then the individual has rights and the corporation has obligations under the Act. An individual must know who is processing information about them and purpose the data is used for [and the individual] has the right to see the data and object to the use of the data for direct marketing.”

However, the Act only applies to information that relates to identifiable individuals, rather than aggregated data. Nevertheless, it requires that individuals be given an opt-out with regard to direct marketing, where previously it was good practice to offer an opt-out. Also, personal data may only be transferred outside the European Economic Area if it is going to countries judged to have an adequate level of protection - hence the accord this week between the US and EU.

Of course, most internet advertising companies are adamant that they are engaged in anonymous profiling - they are collecting and processing information that is not linked to identifiable individuals. Cookies, for example, are used to drop an anonymous ID onto a computer - the advertiser's profiling systems recognise the ID rather than an individual, so there is no link between the person and the profile. Engage's profiling system operates by matching online behaviour against consumer interest categories, says Peter Chaplin, Engage's vice-president international. “It's fairly benign. We've always set out to protect personal privacy… we collect no personal information at all.”

And so far, the self-regulatory case has been in the ascendant. Earlier this month, President Clinton urged the industry to improve privacy protection on the internet by joining self-regulatory programmes such as TRUSTe and the Online Privacy Alliance, which encourage organisations to develop and publicise their privacy policies. In the UK a similar body, TRUST UK, was launched in January, with the aim of building consumer confidence in e-commerce by accrediting internet companies and ensuring that minimum standards on data protection are met. But DoubleClick did open Pandora's Box and now the industry will have to work hard to keep the lid firmly in place.