Do Not Track Legislation: What Small Businesses Need to Know

Take these precautions so you don't have to worry about the potential harm do-not-track laws will do to your business
January 11, 2012

Is looming Do Not Track legislation making you nervous? What about stringent privacy rules enacted by the European Union? Business owners who depend on site analytics for everything from increased sales to customer satisfaction are justifiably leery of new laws that could make their jobs harder.

The Federal Trade Commission recommended the enactment of do-not-track legislation in 2011, and in February, the Do Not Track Me Online Bill of 2011 directed the FTC to prescribe regulations. In May, both houses of the U.S. Congress said they would draft do-not-track bills.

While most of the legislative effort is focused on large advertising networks that track users from site to site, do-not-track laws could create collateral damage for small businesses that use analytics or visitor tracking on their own websites, says Adam Blitzer, COO of Pardot, a company that offers cloud-based marketing automation software for SMBs.

"If you're a B2B company, not being able to track your prospects would be pretty painful," says Blitzer. "It would hurt your close rate and your ability to see prospect activity." In addition, most small businesses can't afford to run focus groups, so they use information gleaned from analytics to optimize the website.

Consumer confusion

Any time you add a new bell or whistle to your site or the browser, you risk making it harder for consumers to use your site, says Lorrie Faith Cranor, an associate professor of computer science and of engineering and public policy at Carnegie Mellon University.

Cranor, who directs the CyLab Usable Privacy and Security Laboratory, recently published a study called "Why Johnny Can't Opt Out." She found that, while consumers are increasingly interested in taking their privacy into their own hands, most tools and services, including the anti-tracking features built directly into Microsoft's Internet Explorer, Mozilla's Firefox, Google's Chrome and Apple's Safari Web browsers, are too complicated and confusing.

Cranor says, "I think it's unlikely that we will have do-not-track legislation in the next year. The bigger issue is getting on board with industry self-regulatory efforts."

For your advertising, she recommends you align with the industry's self-regulation efforts by implementing the Digital Advertising Alliance's Advertising Option Icon in all your ads. This icon, along with phrases such as "Why did I get this ad?", "Interest Based Ads" or "Ad Choices," provides enhanced notice to consumers that tracking is taking place.

She also suggests making your website privacy policy crystal clear. If you must have a lot of legalese, put a more readable layer on top of it.

"Have a simple, straightforward, consumer-friendly explanation about what you're doing. Tell them whether you are going to be sharing their data, with whom, and what are the uses of the data that go beyond what you absolutely need to do to process their transactions," Cranor advises.

Privacy abroad

For those seeking customers in the EU, regulations under the European Union Privacy Directive are even tighter. The directive went into effect in 2011, but it's up to member states whether to enforce it, according to Pardot's Blitzer.

Now, Blitzer says, "You need to get explicit consent from website users before you start tracking them. The key sticking point is explicit consent. They have left it up to businesses to comply with that."

For example, a country in the EU might demand that, when a visitor hits a site for the first time, a pop-up message asks whether it's okay to track.

While Pardot's application allows site owners to enable such a pop-up, Blitzer says, "Most of our clients have not enabled this yet. They're waiting until they get their first cease and desist notice."

But there's evidence that, if asking for explicit tracking permission does become law in the U.S. or Europe, you need not fear the pop-up.

Nxtbook Media, a company that provides digital editions of magazines and catalogs, went ahead and implemented Pardot's pop-up function, and its marketing director, Marcus Grimm, hasn't found it putting off site visitors.

Grimm says that in the several months in which visitors have been presented with the request for tracking permission, only 4 to 5 percent have refused. While the company is B2B and has a trusted brand, he thinks another reason that most visitors have agreed is that the company took the time to make sure the wording of the pop-up makes them feel comfortable.

"We took the time to make the wording be educational, so that people do understand why we want to track them," Grimm says. "Talk about the benefit you're providing instead of making it look like a warning."

Party line

Even if you don't actively track visitors on your website, you may fall under do-not-track regulations because your third-party vendors do.

For example, Google Analytics tracks web visitors across sites, and the search giant is wrangling with EU regulators about it right now. Ad networks also offer behavioral targeting, the industry buzzword for tracking consumers.

If you rely on third-party vendors for your site analytics, Blitzer recommends that you keep an eye on whether they're staying ahead of privacy concerns. If you have an account rep, talk to them and ask what they're doing now, and what they will do in the next year or two, to stay inside privacy guidelines. If your analytics are strictly self-serve, try reading the company blog.

When it comes to your company's internal privacy policy, make sure that there is someone designated to be in charge of it, Cranor recommends.

"It's easy for one side of the company not to know what the other side is doing," she says. For example, different product managers might use their personal judgment about what to do with consumer data. She advises, "There should be some holistic thinking about the data policy."

Image credit: Teo