Online privacy - who has the right to know?

At the start of September, online retailer Amazon.com emailed its customers to inform them it was changing its privacy policy. The new policy set out exactly how the company would use customers' data, but crucially removed the option (still available at Amazon.co.uk) for users to specify that they did not want Amazon to share their information with third parties.

Shortly afterwards, two online pro-privacy organisations, Junkbusters (www.junkbusters.com) and the Electronic Privacy Information Center (www.epic.org), withdrew from Amazon's Affiliate Programme - and a news story was born.

Last week, UK-based campaign group Privacy International joined the fray, claiming that Amazon.co.uk was sharing customer data with its US subsidiary, possibly in contravention of European data protection legislation.

Amazon seemed surprised by all the press attention, pointing out that it had, in fact, more than half a million affiliates, and that for two of them to leave was hardly significant. The company also claimed that its privacy policy was now more stringent than before, because it spelt out exactly how customer information could be used.

Tip of the iceberg
To be fair to Amazon, the criticisms made by privacy advocates (and others) could be levelled at thousands of online companies. During the past few months alone, lesser-known dotcoms such as Alexa, Toysmart, Bankrupt and Doubleclick have likewise become embroiled in a series of disputes.

But campaigners realise that a big name equals a big story, and believe that making an example out of Amazon will help highlight the wider issues surrounding consumer privacy online - namely, what information companies collect, buy and hold about us, how they use that information, and whether or not they need to ask our permission to do so.

However, there is a fundamental difference in approach to privacy between Europe and the US. In Europe, legislation is more stringent and requires companies to gain the consent of individuals before they can pass information on to third parties. Online, this is most commonly obtained through the website registration process, where a checkbox enables users to 'opt out' of having their data passed on to third parties.

But in the US there is little in the way of legislation to protect consumers. Self-regulation is the order of the day, and consequently commercial organisations are more or less free to collect and use customer data in whatever way they see fit.

Indeed, conventional ebusiness wisdom in the US states that people are happy for companies to collect information about their interests and buying habits, so that they can be targeted more effectively with 'personalised' marketing.

But last month, a survey of more than 2000 US consumers found that the vast majority favoured the introduction of much stronger consumer protection than even that which exists in Europe. The Pew Internet and American Life Project found that 86 per cent of users were in favour of 'opt in' privacy policies that require internet companies to explicitly ask permission before collecting and using personal information.

In addition, a string of surveys on both sides of the Atlantic have pointed to privacy concerns as being one of the main reasons many people avoid carrying out commercial transactions online. The most recent of these, released at last week's Global Privacy Summit in Washington, found that 61 per cent of internet surfers (of a sample of 800) refused to undertake ecommerce because of privacy and security fears.

On the same day that this survey was released, customer relationship management consultancy Peppers & Rogers Group released its latest One To One Online study, which evaluates the marketing practices of top website providers. It found that only half of the top sites allowed users to opt out of having their data shared with third parties - and that was after having creamed off the most exemplary customer-focused ones.

So it is clear that Amazon is not alone.

Cold comfort to European users
The fact that European users have the benefit of legislation to protect their privacy is of little comfort when most spend a significant amount of time surfing US-based sites, which have little, if any, respect for keeping their personal information secret.

And it doesn't matter if consumers refuse to give out this information or not. Invisible 'cookies' can track their online behaviour, and there is no guarantee that such data will not be married up to personal details such as address and phone number. Indeed, it was precisely this practice that caused online marketer Doubleclick to come under fire recently.

So how can users protect themselves? Altering your browser to refuse cookies is one option, but many less experienced internet users do not know that such a choice exists, let alone how to do it. In addition, this can restrict your access to certain sites and result in irritating dialog boxes popping up every few seconds.

Other organisations such as Junkbusters provide software that will intercept cookies without disrupting your web surfing. But again, inexperienced users would have trouble locating, downloading and installing such software.

The only viable long-term solution would appear to be for the US to introduce similarly stringent legislation to that currently existing in Europe. And fortunately, the Amazon controversy may spur US politicians to do precisely that.

In the past, a number of initiatives have been proposed and discussed, but subsequently shelved due to lack of interest or because of industry pressure. But now the US Federal Trade Commission (FTC) is pushing Congress to introduce online privacy legislation. And just this week, a proposal was made in the US Senate by Republican Senator Fred Thompson and Democrat Herb Kohl to establish a Congressional commission to study internet-related consumer privacy issues.

It also seems that the industry is coming round to the idea that legislation is inevitable. In the last hour of last week's Global Privacy Summit, Mozelle Thompson - a speaker from the FTC - asked the audience how many of them thought such legislation was bound to follow. Almost everyone raised their hands. While a fair proportion of the audience were privacy advocates, the majority were actually business representatives.

But even if legislation is enacted, it needs to be enforced - something that may prove somewhat trickier. So the byword for online consumers is caution. Only use online organisations you trust, do all you can to protect your own privacy, and - as ever - always read the small print.