Elise Berkower

Vendors that provide Internet technology products or services sometimes find themselves in the strange position of suggesting that changes be made in their clients' Web site privacy policies. As Privacy Compliance Officer for a company that has, over the years, offered ad-serving, volume email delivery, Web site analytics and search technologies, among other services, I have had to explain to our clients why our contracts require them to disclose in their privacy policies their use of our technologies. Once they understand the implications of the use of online technologies, however, they recognize that they need to view the data collected from their online technology vendors in the same way that they examine their offline vendors' information collection practices: They need to understand what kinds of information are collected and processed on their behalf, and how that information "gets" to the vendor.

While clients may recognize the general best practices of giving their online visitors meaningful notice and choice about the kinds of information that are collected about them when they visit their Web sites, how such data are collected and what is done with that information, clients may not be aware that there are laws and formalized industry guidelines that cover the disclosure of the use of certain Internet technologies. In addition, recent decisions, consent decrees and settlements indicate that regulators may hold vendors responsible for clients' use of their products/technology (and vice versa).

Laws and Industry Guidelines

The EU Telecommunications Directive (2002/58/EC) requires Web site operators to disclose their use of "non-obvious technologies" to gather information from visitors, and provide visitors with a means of exercising choice with regard to such data collection. These technologies include cookies and Web beacons (a/k/a "pixel tags"). In addition, industry best practices in the U.S. (i.e., the Web Beacon Guidelines and the Direct Marketing Association's Online Marketing Guidelines), and some self-regulatory schemes - such as the Network Advertising Initiative's (NAI) Self-Regulatory Principles - similarly support a Web site's disclosure of the use of Internet technologies such as cookies and Web beacons. Most ad-serving, email delivery, search, and Web site analytics solutions - and just about every technology that enables personalization - utilize cookies and/or web beacons or similar "non-obvious technologies."

Regulatory Activities

Within the past year, the Federal Trade Commission and the New York state Attorney General have obtained settlements or consent decrees that hold businesses responsible for the information collection practices of their "partners" (read: customers and vendors) and "affiliates." These "you are your brother's keeper" cases arguably impose reciprocal obligations on both Internet technology vendors and their clients.

When clients were made aware of the laws, industry practices and regulatory developments, they invariably understood the need to ensure that their privacy policies adequately disclosed their use of our technology at their Web sites. They also recognized that technology vendors are in the best position to understand their own technology and the implications of its use. Most technology vendors, through industry groups or directly, are in the trenches legislatively and with regulators and are more familiar with the necessity of adequate disclosures. Poorly worded state anti-spyware legislation, for example, could negatively affect technology vendors' products or their clients' use of them.

Depending upon the product or service, we have offered clients either suggested disclosure language or the elements that should be included in such a disclosure. Once the client has understood why a change was needed, the modifications to its privacy policy were usually a collaborative effort. Because nuances of some technologies can be difficult to grasp, it sometimes took two or three drafts to satisfy both sides.

Suggestions for the Application Service Provider Technology Vendor

  • For your own protection, include a provision in your contracts that requires your clients to accurately disclose in their Web site privacy policy the use of your product or service.
  • If you are encountering reluctance from your client about changing its privacy policy, try to escalate the discussion to your client's privacy specialists, if any, or legal department.
  • Walk them through how your technology works and its privacy implications.
  • Emphasize that any material changes in the kinds of user data collected or ways they are used cannot be retroactive - data collected under a different privacy policy should not be loaded into your system if they will be used in a different way than was promised when they were acquired.
  • Maintain a compliance program that prevents a client from "going live" until its privacy policy adequately discloses the use of your technology.

Suggestions for the Vendee

  • Ask the vendor if it is a member of an industry group that has "best practices" guidelines or other self-regulation.
  • Ask the vendor what types of technology its product uses (i.e., cookies, Web beacons, JavaScript) and whether personally identifiable or non-personally identifiable information is collected during the process.
  • Have the vendor walk you through exactly how the product would work on your site, including what information about your visitors would be implicated.
  • Find out if the technology needs to use personally identifiable information for it to work the way your company wants. Most Web site analytics, email delivery, and many search products need to use some sort of personally identifiable information for them to work satisfactorily - but may be able to be adjusted to give you more comfort with the process.
  • If the vendor's product does use a cookie, find out from which domain the cookie is set. If the domain will be established just for you, then it is less likely that information collected from your site would be available to the vendor's other clients than if the domain is used by multiple clients.
  • If the product uses cookies, ask the vendor to see the P3P policy (or policies) for the cookies. (The P3P policy will identify the owner of the data linked to the cookie, the categories of data and whether there is an opt-in or an opt-out related to that cookie.)
  • Ask if the vendor can review your existing privacy policy to see if what its technology will do is already covered by the way other vendors' services are described. If it isn't, ask for help in conveying how the technology will work. Some technology vendors provide suggested disclosure language (i.e., the NAI suggested disclosure for Online Preference Marketing).

Ensuring that the use of Internet technologies is disclosed adequately to visitors is a Win-Win-Win situation: consumers are appropriately informed and feel more comfortable about visiting a Web site, and both the Web site and the technology vendor are recognized as responsible cyber-citizens and can also benefit from the consumers' greater comfort.

Elise Berkower, an attorney and CIPP, served as DoubleClick's Senior Privacy Compliance Officer for six years, helping DoubleClick's ad serving, search, Web site analytics, email and direct marketing clients address privacy issues. She recently joined Chapell & Associates, the leading strategic consulting firm focusing on privacy, marketing and public policy, as its Executive Vice President of Privacy Strategy. She participates in many privacy and technology industry groups, and is a member of the Advisory Board of The Privacy Advisor. She can be reached by email at elise@chapellassociates.com.


