On 26 August 2002, DoubleClick announced a settlement with 10 U.S. state attorneys general to end their investigation into alleged violations of users' privacy. DoubleClick targets Web ads based on consumers' Internet habits and information culled from "cookie" files deposited on their computers. The company — which has not admitted any wrongdoing — will pay $450,000 to reimburse the states for the cost of the investigation. It also agreed to continue to follow a set of practices aimed at protecting users' privacy, including:

• Using information only in the way represented to the user when it was collected
• Archiving log files more than three months old
• Not sharing user data collected for a given client with any other parties
• Notifying users of any changes in privacy policies via e-mail opt-in notification

Legal practices aren't necessarily good business ideas. Web analytics can provide a window into consumers' browsing and shopping habits, but many users think collecting such information invades their privacy. Enterprises cannot abdicate responsibility if they enlist DoubleClick or any other firm to collect data and market to their customers and prospects. They are also accountable for how the data is used and how offers are delivered to customers.

For financial service providers (FSPs) in particular — for which customer trust is paramount — such practices can do more harm than good if they cause users to question the FSP's respect for their privacy. This potential problem doesn't so much affect customers who already log on to the FSP's site to do electronic banking — their identity is already known, their preferences can be directly solicited and honored, and online-preference-based marketing initiatives can take place within the firewalls of the Internet-banking application. The problem becomes more acute for prospects or non-Web-banking customers. For this group, FSPs should consider providing opt-in options — users decide whether to affirm their identities and their interest in receiving offers — before using information gathered through identity- and preference-tracing cookies.

U.S. FSPs should also consult with legal counsel and determine if their planned use of online-preference marketing demonstrates a respect for the "affirmative and continuing obligation to respect the privacy of their customers” established by the Gramm-Leach-Bliley Financial Services Modernization Act. From there, they should investigate whether clients will tolerate the practice. Surveys appended to online offers can provide valuable feedback. FSPs should monitor responses to such offers and compare them to other channels.

Gartner recommends that FSPs model their business plans on the impact of consumer demands for online privacy and regulations such as the European Union Data Protection Directive. As more people shop for their primary FSP online, establishing a trusting relationship is paramount. FSPs must ensure the customer's first impression is a good one.

Analytical Source: Kimberly Collins and Richard DeLotto, Gartner Research

Recommended Reading and Related Research

• "The FTC Exercises Its Privacy Enforcement Powers" — The FTC has made it clear that it will use regulations, such as Section 5 of the FTC Act, to investigate and punish deceptive privacy and security claims made to consumers by software vendors and online service providers. By John Pescatore and Avivah Litan
• "When It Comes to Privacy, One Size Doesn't Fit All" — Segmenting your customers according to the five Gartner privacy groups will enable your enterprise to develop marketing strategies that reach each group effectively. By Scott Nelson

(You may need to sign in or be a Gartner client to access all of this content.)