Is your email watching you?

Watch out -- the spam choking your email inbox may be loaded with software that lets marketers track your moves online, and you may not even be aware that you've been bugged.

Web sites have long planted bits of code called "cookies" on consumers' hard drives to tailor Internet pages for returning visitors and better target ads. Now, enhanced messages that share the look and feel of Web pages are being used to deliver the same bits of code through email, in many cases without regard for safeguards that have been developed to protect consumer privacy on the Web.

"All of the security and privacy issues on the Web now relate to email," said Adam Shostack, director of technology at Zero-Knowledge Systems, a Montreal-based privacy and security company. "The shame about this behaviour is that it's going on surreptitiously and people are not given an obvious way to opt out."

Consumer notice and choice have been at the heart of the Internet privacy debate for years, driving popular Web companies including eBay, Yahoo! and DoubleClick to write tough-sounding Web privacy policies. Civil libertarians and privacy groups for years have stalked Web sites for violations of their stated policies and have kept an eye on secretive tracking tactics. Although many of the same troubles are cutting into email, disclosure of such data-gathering practices has not received anywhere close to the level of scrutiny it has had on the Web.

With email, however, the stakes for consumer privacy may be higher. After battling consumer advocates for years over the issue, Web sites now typically cloak visitors' identities and collect data anonymously. By contrast, junk emailers and even some legitimate marketers have begun to use cookies and other techniques to link specific addresses to surfing behaviour, security experts said. In some cases, spammers may be able to link formerly anonymous consumers with their email addresses.

For example, a Web site specialising in horoscopes may know a consumer only by birth date. But if that Web site rents a list of email addresses with that consumer's address on it, the company may be able to link the address to the individual's birth date and visits to the site.

"In many ways, email tracking is more powerful because they can correlate the email address with online history," said Lance Cottrell, president of Anonymizer, an Internet privacy services company.

"There isn't an opportunity to be fully informed when you receive a spam with remotely loaded graphics used to track your computer," he added. "It's a bit of a loophole in the whole process."

Slipping in with the mail

The rise of email tracking runs parallel to the adoption of "rich email," or messages that incorporate the programming language most commonly used to display Web pages, known as HTML (Hypertext Markup Language). Such messages may include Web pages, audio and video in addition to ordinary text.

According to a recent report from the industry trade group the Direct Marketing Association (DMA), 65 percent of online marketers regularly send HTML email to consumers or prospective customers. By incorporating HTML, the email acts like a Web page, requesting graphics and content from a Web server and counting as a "hit" to the company's Web site.

Taking advantage of the technology, marketers can track how and when people respond to email, note where they click, and trace follow-up actions on their Web pages. They do this by embedding cookies or clear GIF images known as Web beacons, an action that isn't possible in a simple text message.

On the simplest level, marketers may embed a numeric tracking code in the "from" line. This code is sent back to the Web site's service when the recipient visits the site from the email. More sophisticated tracking can involve cookies so that the Web site can detect whether the consumer visits the site days later. Cookies can also help determine how much revenue was booked on a Web site as a result of an email campaign by following the recipient throughout a visit.

The monitoring technology can be planted on consumer hard drives at various stages in the process of delivering and reading an email. In many cases, cookies or Web beacons are set the moment the recipient opens the message or views it in the preview window of the email program. In other cases, cookies are set only when the person clicks on an embedded link that leads to a Web site -- an action some argue is part of the Web experience and is the purview of Web privacy policies.

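The remote-loading behaviour described above can be checked from the recipient's side. The following Python example is added here and is not from the article or from any company it names: it parses a message and lists every reference that would make the mail client contact a Web server, flagging 1x1 images as likely Web beacons. The sample message, the example.com hosts and the `cid` query parameter are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message (not from the article); all hosts are placeholders.
SAMPLE = """\
From: offers@shop.example.com
To: reader@example.org
Subject: Weekly deals
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello! <a href="http://shop.example.com/sale?cid=48213&amp;item=7">See the sale</a></p>
<img src="http://shop.example.com/banner.jpg" width="600" height="120">
<img src="http://track.example.com/open.gif?cid=48213" width="1" height="1">
<img src="cid:logo@shop.example.com" width="80" height="40">
</body></html>
"""

class RemoteRefs(HTMLParser):
    """Collect <img> and <a> URLs that make the mail client contact a Web server."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "img" else a.get("href") if tag == "a" else None
        if not url or urlsplit(url).scheme not in ("http", "https"):
            return  # cid:/data: images travel inside the message, so no server hit
        if tag == "img":
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            kind = "beacon" if tiny else "remote-image"
        else:
            kind = "tagged-link" if parse_qsl(urlsplit(url).query) else "link"
        self.findings.append((kind, url))

def scan_message(raw):
    """Return (kind, url) for every remote reference in the message's HTML parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return parser.findings

if __name__ == "__main__":
    for kind, url in scan_message(SAMPLE):
        print(f"{kind:13} {url}")
```

Any remote image, not only a 1x1 one, produces a server hit when the message is opened or previewed, so a client that does not fetch remote content at all removes the whole class of findings except the links.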
Digital Impact, an email marketing services company, uses a range of tactics to measure the effectiveness of campaigns for its customers, which include Citigroup, Bank of America, Wal-Mart, Target and the Gap. Since its launch in 1998, Digital Impact has sent about three billion commercial emails.

Gerardo Capiel, chief technology officer and co-founder of Digital Impact, said that while about 70 percent of the email the company sends for customers is HTML, less than 30 percent of HTML email includes tracking technology. Capiel said the company asks that its customers address email communications in their privacy policies.

"We don't set a cookie when you open the email, but you might get one when you click through," he said. "It's really a question of how aggressive the marketer wants to get to track revenue."

Capiel said the company only sends messages to consumers who have opted to receive communications from the client. Still, he acknowledges that people can be sensitive to cookies. "You may end up irking some customers," he said.

Experian, another email marketing services company, started using cookies this year to better track digital communications for its customers. According to its privacy policy, it uses cookies and Web beacons to monitor when an email was opened, how many times an email recipient forwarded the message, and which Web addresses were clicked on, among other actions.

Christine Frye, chief privacy officer of Experian's e-marketing services unit, said the company has started working with customers to educate them on updating their privacy policies to include email tracking. So far, "they've been very receptive to that," she said. She would not name any Experian customers.

Such techniques have become pervasive enough to attract the attention of browser and email software makers. Some email programs already include settings allowing consumers to block cookies.

Microsoft's Internet Explorer 6.0, for example, offers controls for cookies on the Web and via the company's Outlook and Outlook Express email programs. Turning on the "prompt for cookies" setting can reveal the stunning extent of the problem, unmasking unsolicited HTML email messages that try to lay down cookies on a hard drive.

According to Microsoft, IE 6, Outlook and Outlook Express block cookies by default in HTML mail and place such mail automatically in a secure "restricted" zone. The settings have not always proven effective, however -- well-known security expert Richard Smith has reported at least one bug that allows cookies to be planted through Outlook despite the default settings.

Rajeev Dujari, development manager on IE 6 for Microsoft, countered that Outlook is designed to let consumers read email in different security zones and control cookies through privacy settings. But he admitted that consumers need to better educate themselves to set a defence against increasingly invasive marketing tactics.

"Our default is around cookies being part of a Web experience rather than an email experience," Dujari said. "When consumers get email, people don't usually expect a cookie."

Spreading the word

There's a fine line between spam and commercial pitches from an online retailer that ask for permission to send a message. In both cases, the message may plant a cookie on the receiver's hard drive, but the spammer, by definition, has done so without any pre-established relationship. Still, consumers at the receiving end of both kinds of messages are often not notified of monitoring -- either in the mail or in Web privacy policies -- nor given the option to block cookies in the future, privacy experts said.

Direct marketers are just starting to pay attention to this area. Pat Faley, vice president of ethics and consumer affairs for the DMA, a 5,000-member organisation of retailers, said the group urges members to include in all email a link to their privacy policies. She added that members should "definitely disclose email tracking practices in their Web site privacy policy."

Email marketing also raises sticky questions for marketing services companies, which deliver ads into rich email. Although these companies typically guarantee anonymous data collection, it theoretically would be easy to tie that data back to an email address in an email-based marketing campaign, according to privacy experts.

DoubleClick, a heavyweight in Web ad delivery and email marketing, offers a service called DartMail that lets companies manage, deliver and track email marketing campaigns. The technology allows customers to add software such as cookies or Web beacons to a campaign and track the effectiveness of a promotion. DoubleClick said that data it collects online is kept separate from data collected through email.

J.Crew is a customer of DoubleClick's DartMail, but the retailer does not specifically address email monitoring practices in the privacy policy published on its Web site. The policy says only that "in some instances, we may use third-party companies to help us serve you better. These companies may be given access to some or all of the information you provide to us and may use cookies on our behalf." J.Crew did not immediately respond to requests for comment.

To be sure, some retailers are starting to refer to email monitoring in privacy policies. Amazon.com, for example, mentions that it may use tracking methods via email to determine preferences for future communications. Still, privacy advocates said email privacy practices are largely under-disclosed compared with other media such as the Web.

"Email privacy hasn't been on the radar until recently," said Larry Ponemon, chief executive of the Dallas-based Privacy Council, a knowledge management and technology company. He added that most companies still don't fully understand how email plays a role in privacy and security.

One problem with the disclosure of email privacy stems from the large percentage of email marketing campaigns that are conducted at arm's length through third-party providers. As a result, companies that retain email marketing services may not always be fully aware of the practices employed on their behalf. Although many major companies outsource their email marketing to companies that openly admit to using cookies and other tracking techniques, the privacy policies published online by these companies do not always address the issue of email monitoring.

"There's a lot less transparency around what's happening in email marketing than with Web content," said Alex Fowler, senior director of policy and advocacy at Zero-Knowledge Systems.

Walmart.com, for example, delivers opt-in email marketing through third-party providers. It does not mention email monitoring in its privacy policy, however, which was last updated 8 December, 2000, according to its Web site. In an interview, Walmart.com spokeswoman Cynthia Lin confirmed that the company tracks customers through email using "software technology." Still, she said, the company's privacy policy is adequate.

For one thing, the company does not use cookies, she said. In addition, she said that any data gathering that occurs after consumers leave the email client is not technically part of the email experience, even if the original Web link is embedded in an email. Once consumers are whisked to the Web, all of the company's practices are covered by its Web policy, which clearly states that the company never sells or rents customer information.

"When customers do get those emails and click on links within them, we are able to track that information," she said. "We have made every effort to make our security and privacy policy as clear as possible to our customers."