Hi,
I was currently asked if it is possible to import all the web user
data into a backend system. The purpose would be to perform marketing
activities based on this data. The web user data would of course
enrich the CRM data a lot (especially since it is systematically
collected without human interaction).
My gut feel tells me that there could be legal or business reasons not
to do this. I am fine with importing registration data such as email
address, phone numbers, and interests submitted by the users, but to
also include web activity, such as viewed product pages.
What I would like to get is answers to the following questions (for US and the EU):
1. Are there legal implications to connect registration profile data
with normal sales/customer data in the backend system?
2. Are there legal implications to connect web user data with
registration profile data *and* with normal sales/customer data in the
backend system?
Best Regards,
Tornell-ga
|
Request for Question Clarification by ephraim-ga on 04 Aug 2004 04:41 PDT
Tornell,
Could you give a brief description of what you mean by "web user data"
and what type of web site this is?
I am assuming that you have a web site accessed by customers who are
required to login to the system with registration data. Would the
registration system on sites like http://www.nytimes.com fit the model
that you have in mind, assuming that the NYTimes would track the news
article that a logged-in user browses?
On another note: I am not a lawyer and Google Answers' policy does not
consider any information posted here to be legal advice. So, I'm more
than happy to research this and cite my sources on the subject, but if
you're looking for genuine legal advice, you will want to speak to a
real lawyer.
Also, do you require equivalent information from both the US and the
EU on this subject? I believe I can handle the US part, but I'm less
familiar with EU law on privacy (which I'm pretty sure is stricter
than US law), and this will take a little longer.
/ephraim
|
Clarification of Question by tornell-ga on 04 Aug 2004 06:43 PDT
Hi ephraim-ga,
thanks for the clarification request and for taking on this challenging question!
1. The web site is for an industrial company, where logged-in
registered users have access to special documents, product
information, software downloads, etc. So your comparison to NY Times
is accurate. These customers are also approaching the company by
phone, personal visits, etc, and from a marketing point-of-view it
would be nice to get the full contact history of each customer. The
sales people also want to know which products each customer has
visited online, in order to more effectively approach them.
Examples of web user data: viewed products online, downloaded documents.
2. US/EU: Start with the US. Reveal your answer, so I can start
working on it, or post clarifications if needed. Then continue with
the EU. I do not expect the information provided to be exactly the
same for the US and for EU. However, EU is very important for the
company, and I need detailed information for this market as well as
for the US. I will not rate the answer, until everything is clarified.
If you throughout the process get the feeling that the question
expands in whatever direction, you can ask me to issue a new question.
3. I will not take your answer as legal advice, but as a starting
point for discussing the topic (or specific parts of it) with a
lawyer.
Regards,
tornell
|
Request for Question Clarification by ephraim-ga on 05 Aug 2004 06:33 PDT
I've done some work looking into this, but the topic is a very complex
issue. If any other researcher wants to take a crack at this, please
do, especially since I will be out of town and lacking computer access
for the weekend.
/ephraim
|
Clarification of Question by tornell-ga on 18 Aug 2004 14:29 PDT
Hi ephraim-ga,
are you still on the question?
Thanks for your efforts!
Thomas
|
Request for Question Clarification by jbf777-ga on 18 Aug 2004 17:40 PDT
Hello Tornell -
Do you plan on using this data for internal use only? I.e., you don't
plan on sharing any of the customer data with any other business
entity or individual, correct?
jbf
|
Clarification of Question by tornell-ga on 18 Aug 2004 23:42 PDT
Hi, only for internal use like targeted marketing etc. /tornell
|
Request for Question Clarification by jbf777-ga on 24 Aug 2004 10:58 PDT
Hello Thomas -
Is the server in the EU or US? Also, you might want to repost the
question soon, since it will expire in 9 days.
jbf777
|
Clarification of Question by tornell-ga on 24 Aug 2004 13:30 PDT
Hi jbf!
Thanks for taking on the question!
The servers are located in the US and in Switzerland (outside EU).
If you think you will be able to answer the question I will repost the question.
Regards, tornell
|
Hello Tornell -
Thanks for your question. There will be no need to repost, as I
finished it quicker than I thought. Please be sure to ask for any
clarification on the research below if needed.
The answer to your question(s) is: you can do what you're looking to
do without federal restriction in the US; you can also do it in the
EU, but only if the user knows he's being tracked and is given a
provision to refuse it.
In the US, there is some legislation concerning children's privacy,
financial privacy (for financial institutions), and credit reporting.
Save these, there are no specific federal laws (yet) in the US with
regard to Internet privacy that you should be concerned with.
You can see the Federal Trade Commission's current privacy initiatives
at this link:
http://www.ftc.gov/privacy/
As a courtesy, notwithstanding, you'll find most commercial sites in
the US have a "privacy policy" that delineates the site's activity in
this regard.
Here's a link to Amazon.com's privacy notice, as an example:
http://www.amazon.com/exec/obidos/tg/browse/-/468496/102-1447376-0774502
Note this section:
Automatic Information: We receive and store certain types of information
whenever you interact with us. For example, like many Web sites, we use
"cookies," and we obtain certain types of information when your Web browser
accesses Amazon.com. Click here to see examples of the information we
receive.
With regard to the EU, there *are* specific laws regulating privacy.
The legislation is found in article 5(3) of the European Community's
Privacy and Electronic Communications Directive, found at this link:
http://europa.eu.int/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf
3. Member States shall ensure that the use of electronic
communications networks to store information or to gain
access to information stored in the terminal equipment of a
subscriber or user is only allowed on condition that the
subscriber or user concerned is provided with clear and
comprehensive information in accordance with Directive 95/46/EC,
inter alia about the purposes of the processing, and is
offered the right to refuse such processing by the data
controller. This shall not prevent any technical storage or access
for the sole purpose of carrying out or facilitating the transmission
of a communication over an electronic communications
network, or as strictly necessary in order to provide an information
society service explicitly requested by the subscriber or
user.
Directive 95/46/EC mentioned above can be found at this link:
http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
(1) "The provision [not only applies] to so-called spyware (hidden
espionage programs) and Trojan horses (programs hidden in messages or
in other innocent looking programs) but also to cookies (tracking
devices which register users' preferences as they visit websites).
... Article 5(3) of the Privacy and Electronic Communications
Directive requires that gaining access to or storing information on a
user's terminal equipment (a PC, mobile phone or other device) is only
allowed if the user is given clear information about the purpose of
any such invisible activities and is offered the right to refuse it.
This will enable the user to decide which forms of access to his
equipment are acceptable and which are not. [Such activity] includes
profiling for marketing, checking of access permission for restricted
services or recording user preferences. Some of these purposes are
perfectly harmless or even useful for the user, while other objectives
are very harmful and threatening. A major concern in all cases is that
users are very often not aware of the fact that others gain access to
their PCs and store information or programs on it, so they have no
means to control, let alone stop such activities."
(1) Today's Framework - Privacy Protection
http://europa.eu.int/information_society/topics/ecomm/all_about/todays_framework/privacy_protection/index_en.htm#spyware
To get very detailed information on all current privacy laws in the US
and EU, you'll want to check out the $40 Privacy Law Sourcebook (2003)
from the Electronic Privacy Information Center
(http://www.epic.org/bookstore/pls2003/)
Select search strategy
----------------------------------------------------------------------------
EU cookies
US cookies
cookies privacy US law
Additional links
----------------------------------------------------------------------------
Internet Law Journal
http://www.heydary.com/laws.html
Safe Harbor
800-USA-TRADE
Net Attorney
www.netatty.com/privacy/privacy.html
About Cookies
http://www.aboutcookies.org/cookielaw.asp
|
Request for Answer Clarification by tornell-ga on 24 Aug 2004 22:46 PDT
Hi jbf,
thanks for a fast answer. Here is my first clarification question
(there might be another one or two when I start digging into the
PDFs):
If the company is only tracking registered users, that have to agree
to tracking in the registration process, would this be ok? If they do
not agree to tracking they cannot get registered.
Regards, tornell
|
Clarification of Answer by jbf777-ga on 25 Aug 2004 13:22 PDT
Tornell -
I conferred with Cedric Laurant, a Policy Counsel rep of the
Electronic Privacy Information Center, for confirmation on this one:
the answer is that this is OK from a legal standpoint.
It is your private site, and you are giving users the option of using
it under a specific stipulation. They have the right to decline being
tracked, you have the right to prohibit them from using your site.
Let me know if you require anything else.
jbf777
|