The Digital Signage Insider

POPAI Code of Conduct: Taking a Stand on Digital Signage Privacy

Published on: 0000-00-00

In the past two months, I think I've seen more articles relating to consumer privacy and in-store tracking and measurement techniques published in major, mass-market publications than ever before. Starting with the Intel/Microsoft digital signage "platform" unveiled at the NRF in early January (which prominently featured gaze tracking and demographic analysis features), and continuing with the World Privacy Forum's recent report on the privacy implications of such systems (PDF format) last week, there's a lot of hype and misinformation surrounding the issue of consumer privacy and the effect that "active" digital signage may have on privacy in the near future. As one of the people who actually instigated this discussion a few years ago, I thought I'd try and set the record straight about what's going on in the industry, what the real concerns are, and what various industry groups are trying to do about it.

A brief history of the in-store privacy discussion

About four or five years ago, a number of companies came to market with products that could analyze live video feeds to see where people were looking (called "gaze tracking") and also recognize certain demographic characteristics of people caught on camera. Many of these companies originally devised their systems for military or civilian security use, and were seeking to adapt it for other purposes. By 2008, some of these companies were courting digital signage networks and software companies to integrate their wares. Their arguments for doing so were fairly straightforward. First, by identifying how many people were looking at a digital sign at a particular time, it would make the screen time that much more valuable for advertisers. Second, by identifying a person by demographic, the network could immediately display information thought to be relevant to that group. But people seemed to be glossing over the privacy implications of the technology, which led me to write an article explaining why digital signage networks must guarantee viewer privacy.

Image credit: Rob Pongsajapan
Over time, a number of articles appeared in the mainstream media (including the New York Times) asking whether this kind of tracking should be allowed without providing any notification to the people being recorded, whether its abilities should be restricted in some way, and what the ethical and legal implications of using such solutions were. About 18 months ago, Laura Davis-Taylor of Retail Media Consulting (and now CRI) and I both found ourselves fielding questions from potential customers over whether the ability to use gaze-tracking systems and other methods of collecting in-store demographic data were useful and/or ethical. Lacking sufficient domain knowledge to make an educated statement at the time, Laura and I brought the topic up at a regular meeting of POPAI's Digital Signage Advocacy group in mid-2008. POPAI decided to adopt the issue as its own. Over the ensuing months, I contacted a number of privacy and consumer advocacy groups and experts -- including Pam Dixon, author of the above-mentioned report from the World Privacy Forum -- to learn about the current state of affairs with regard to out-of-home consumer privacy. The field turned out to be much bigger, more complicated, and more riddled with existing laws and loopholes than I ever expected. But after working with the other members of POPAI's Digital Signage Advocacy group, we eventually authored a draft set of best practices for people involved with collecting and using "Observed Tracking Data" (OTD).

In early 2009, I spoke out again about the topic, this time asking if digital signage is invading consumer privacy. By mid-2009, the POPAI best practices document was finalized, and was reviewed by members of POPAI's board of directors, as well as POPAI's strategic planning committee. Dick Blatt (POPAI's President at the time) took the draft document to an informal working session at the FTC, which is the government body that manages most of the legislation surrounding consumer privacy. The FTC folks agreed that our draft was the correct first step toward the kind of industry self-regulation that, if properly managed, would keep members of our industry out of the FTC's targets later on. At roughly the same time, Nathan Purcell of DCSI reviewed a draft of the best practices document with former House of Representatives member Barry Goldwater Jr., one of the primary authors of The Privacy Act of 1974, and a recognized expert on consumer privacy matters. The positive feedback from both government-related endeavors led us to believe we were on the right track.

What are the best practices for collecting and using data?

The POPAI document is called "Best Practices: Recommended Code of Conduct for Consumer Tracking Research", and you can download the full 11-page document directly from their website (PDF format). In general, we tried to focus on the four or five things most likely to get you in trouble with your local, state or federal government, your customers, or both. If you are planning to collect, store, process or use any kind of surveillance-like data gathering (especially with technology that can uniquely or individually identify consumers, which we'll cover in a minute), then you really need to:
  • Disclose data collection methods: Put up some signs, make some pamphlets available, put up a web page. I know that this will be anathema to retailers, but our expectation -- which is mirrored by the FTC's own recommendations to related industries -- is that the more potentially privacy-invading the tracking technique, the more good you can do by plainly disclosing it ahead of time.

  • Get customer consent to be monitored: I know this isn't going to be practical in all cases, but again, giving your clientele a modicum of power inside your venue translates to an improved sense of trust and a stronger customer relationship.

  • Know the difference between unique and individual identification: In short, unique identification means that you can track an individual apart from other individuals as they travel through the venue. Individual identification means that you can take that tracking data and correlate it to a specific person, either via some personal information like a name or address, or via an account number.

  • Allow customers to opt in (or opt out) of more intrusive monitoring practices: Like getting consent, I know this isn't going to be practical or even possible in many cases. But the opt-in (and even more so, the opt-out) is the thing that will keep our industry out of the hands of regulators.

  • Practice cross-channel and cross-domain marketing constraints. This is another area that may get our industry into trouble in the future. Imagine a scenario where a cross-retailer loyalty program can track an individual as he goes from the supermarket to the dry cleaner to an apparel store to a big-box retailer. Such a system would clearly be able to collect a vast amount of personal information. Just as the FTC is currently trying to limit the ability of Internet marketers to track consumer behavior over a large variety of Internet properties, they will certainly try to do the same thing in the real world at the first sign of trouble.
The fact is, there's a lot more to following best practices for consumer privacy than what we crammed into the 11 pages of the POPAI Code of Conduct. A lot of it comes down to common sense. Before you implement a system that shows different ads based on viewer gender, ask yourself whether the ads that show up (or don't) could even remotely be considered discriminatory. Ask whether the techniques used to identify the viewer might be considered invasive. And ask whether a shopper might want to opt-out if they knew what was taking place.

Quis custodiet ipsos custodes? (or: Who will watch the watchers?)

Who's watching the watchers, you ask? My personal belief is that we'll eventually need a fully independent, non-commercial, global not-for-profit organization set up to align shopper and marketer interests. POPAI would be a great choice for this role given its current global presence, non-profit status, and clear interest in seeing the digital signage industry continue to expand and flourish. (For a truly excellent analysis of why our industry needs a non-profit advocacy organization like POPAI at the helm, I highly recommend Ken Goldberg's recent article on the subject.) For now, given the early stage that we're at and the hard time we're having just getting the message out, I think such a move is a bit premature. But rest assured that government and private entities alike are keeping a very close eye on what's going on with real-world consumer marketing programs, and that one of them will ultimately pounce.

So, that's the digital signage privacy debate in a nutshell. If you're angry or upset about it, I guess you can blame me, since I'm as responsible as anybody for perpetuating the discussion. And if you think it's a non-issue, then at least you can take solace in the fact that I'm wasting my time on it.

But if you're the least bit concerned, or you're a major brand or retailer thinking about implementing tracking mechanisms, or you're a company that deals with gaze tracking, RFID tracking, mobile tracking or anything like that, then I highly recommend you spend a few minutes with us at the Digital Signage Expo, where we'll be doing a seminar on the best practices for using observed tracking data. Here are the details:

Opt-in or Opt-out? Navigate the Consumer Privacy Issue for Future Profit
Seminar #S21
Thursday, February 25 at 8-9 AM

Hope to see you there!

What do you think of the new POPAI guidelines? Leave a comment and let me know.

Subscribe to the Digital Signage Insider RSS feed

Looking for more articles and research? Our newest articles can always be found at Digital Signage Insider, but there are hundreds of additional research articles in our historical articles archive.

You may also be interested in M2M Insider: our blog about M2M and the Internet of Things.