Are You 'Spying' On Your Web Site Users?

You may have left work Friday thinking that you knew what this workweek would bring. But our guess is that a Saturday report by The Wall Street Journal will reset priorities for Web marketing teams at many companies, including some mutual fund and exchange-traded fund (ETF) firms.

“Marketers are spying on Internet users,” said the Journal in an extensive report on its investigation of Internet tracking technology used by the 50 most popular U.S. Web sites plus WSJ.com.

Two financial sites—Chase.com and BankofAmerica.com—were included among the 50 reviewed. According to the Journal’s “exposure index,” users of Chase’s Web site have medium exposure and Bank of America low exposure to tracking technologies such as cookies, beacons and other trackers.

“The exposure index,” the Journal explained, “gives each site a score based on eight criteria in an analysis by Privacy Choice LLC: whether the site belongs to an industry self-regulating group; whether it lets users opt out of receiving cookies; whether it is part of an advertising or tracking network; whether it shares data it collects with others; whether it promises to keep user data anonymous; how long it retains user data; and how it handles sensitive data such as financial or health information.” Read more in the Journal's explanation of its methodology.

What Are You Collecting?

What visitor information are you collecting and using on your Web site? How would you do on the exposure index? These are questions you can expect from your Legal and Compliance officers—and clients.

Based on 2,900 readers who by Sunday night had taken the Wall Street Journal’s poll about tracking, 62% found the report “very alarming” and 24% were “somewhat concerned.”

We recommend that you:

Today: Download PrivacyChoice’s TrackerScan, which the Journal is referring readers to, to determine the extent to which a "site exposes visitors to intrusive monitoring." TrackerScan, a Firefox Web browser add-on, is a blunt instrument. The scan identifies code and scripts running on the site and then extracts information from a site’s privacy policies and from privacy policies of services that the site relies on.

In the spot-checking we did of asset manager sites, we found that scans of sites that use Google Analytics produced the warning: “You may not be anonymous (identity and activities may be connected).” The same message is produced for sites that use AddThis and ShareThis social sharing icons. A scan of one mutual fund company site tripped the same trigger that Chase.com does: “anonymizing IP address logs after 9 months and cookies after 18 months.” This was based on the site's reliance on Google (DoubleClick).

PrivacyChoice also offers an opt-out wizard, enabling users to opt out of all networks that provide opt-out cookies.

Also download Ghostery, another tool recommended in the Journal report. Ghostery reports Web “bugs” provides "a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity." Investment company sites’ use of Google Analytics, WebTrends and Eloqua all show up as bugs.

You need to see what’s being reported on your site and understand the source and the significance.

Over the weekend, media critic Jeff Jarvis dismissed the report with a widely tweeted article "Why Is The Wall Street Journal So Afraid of Cookies?" We recommend the article to you. But the facts of his argument may be besides the point of the work you will need to do to respond to internal and external queries.

This week: Dust off your privacy policy and read it. Client research we conducted last month revealed that many, many asset manager privacy policies haven’t been revised in years. WSJ report or no, it’s high time to synch your privacy policy with how your use of Web data has evolved.

Even if your site escapes TrackerScan or Ghostery’s detection, you are not in the clear if you’re employing tracking activity but just haven’t taken the time to update your disclosure. We realize that it’s tempting to cede the work of revising the language to Legal and IT but don’t. This is about the integrity of what you do. Marketing should be involved and accountable, we believe.

Fanning The Consumer Flame

Many consider Web analytics, let alone targeting technology, an arcane subject. The Wall Street Journal’s report goes to great measures to explain how targeting works, including providing interactive graphics on how to control one’s privacy online.

Watch the video below, which is well done but different than other WSJ videos—it has more of a consumer than a business feel to it. And, is it common for the Journal to publish a significant report (which it calls "What They Know"—the "they" presumably being companies) on a Saturday and not during the business week?

We hope that that analytics and content targeting does not become a contentious consumer protection issue. There is a case to be made that Web site users are better served by site publishers who can serve content based on previous traffic and information that the users knowingly consent to.

Ad targeting is more intrusive and tends to be less transparent. Yet just last week we read a Marketing Vox article about how the popularity of deal-of-the-day site Groupon might advance Internet user acceptance of ad targeting as a means of being served more useful, relevant offers.

Online ad targeting is under congressional review today and we see in the review the potential for knee-jerk judgments and broad grandstanding based on emotion and not understanding. Who knows—maybe the Journal’s report will do some good in educating and stimulating discussion between better informed opponents and advocates.

There will be much more to come on this and from many fronts. For now, our best recommendation is to make sure that you have a command of the data you're collecting, how and why and to participate in the explanation of your approach to users of your Web site.