Policy Analysis - ESPN.com Privacy Policy

T. Matthew Howell

INLS 187

Benjamin Brunk

11 November 2004

Analysis of ESPN.com Privacy Policy

INTRODUCTION
As Americans spend more time on the Internet, the issues of privacy and anonymity become more and more important. The client-server nature of the websites makes the tracking of individual visitors much easier than tracking customers who walk into a physical store or tune into a certain television station. Cookies, IP logging, and http headers are just a few of the ways that individuals can be tracked by websites. Some websites even offer downloads of tools that offer desirable functionality but also report back on the users online habits. It is becoming more important for users and companies to pay attention to privacy policies. In the 2004 Online Customer Respect Survey, the top reason for consumers leaving one website for a competitor's (assuming equal products and services) was bad or non-existent privacy policies.

ESPN
I wanted to review a site that in some way impacted me. ESPN's website is one that I visit on a daily basis. It is, in fact, my homepage in Mozilla. The website is part of the Go network by the Walt Disney Company.

OVERVIEW

The privacy policy (WDIG Privacy Policy) for ESPN.com is actually a blanket privacy policy for multiple Walt Disney Company websites. The policy only applies to personally identifiable information that is collected. As I understand it, the privacy policy still allows these websites to collect and use in any way they choose information that can not be directly tied to you. While this may not pose a threat to individual people it may still bother visitors if they knew that their habits could be tracked, just not tied to them. The policy is geared to users who have registered as members of the websites but is also applicable to guests who do not register. I believe this bias is due to the fact that the policy is mostly about personal information which is only available from those that have registered.

Collection
The privacy policy does a good job of explaining to the reader how and what information is collected. They describe information provided by the guests in forms, IP logging, cookies, and web beacons. The policy also discloses that information is often collected by advertisers on the sites. In an eye-opener for me, Disney also mentioned that they may associate information from third parties with information that they collect themselves. In a positive light, when discussing cookies the privacy policy informs the reader that many browsers can change how cookies are accepted and advises consulting the Help menu.

Use
The privacy policy states that personal information may be used by the entire Walt Disney Family of Companies as well as by licensees and co-branding participants. In these cases the privacy policy still enforces how the information may be used. However, information (except email address) may also be shared with other third parties so that they may send you promotional materials. In these cases their use of the information is only governed by their own policies. The other way that personal information is transferred is through the sale of whole companies. Disney states that any information acquired will be handled in accordance with the privacy policy and any contract that sells information with a business will include provisions to ensure that the information remains subject to Disney's policy.

Opt-Out
Disney offers users the option to opt-out of receiving promotional offers. Three levels are available: not receiving from third parties, not receiving from Walt Disney Family of Companies, not receiving from a specific Walt Disney company. These opt-out choices are only applicable to the information collected at the specific site. The choice must be made at each Disney site that is visited. If opt-out is selected at some point after initial registration then it may take 90 days for opt-out to take full effect.

CRITIQUE

In order to give structure to the examination I will focus on the following aspects:

Clarity - how understandable is the policy for a common person?

Accountability - how do they know they are acting in accordance with their policy?

Scope - who and what information does the policy cover?

Update - is the policy updated and, if so, how often?

Security - how is the information protected and safeguarded?

Clarity
The privacy policy is clear and understandable. It is longer than the policies on many sites; on my computer it would have been 17 printed pages. This length is a bit daunting and may impact whether users read it all the way through or even start. It also assists readers by explaining terms like web beacons and informing them of options like disabling cookies. Additionally, the policy is broken into eight parts in a question-and-answer format. This provides two benefits. First, it provides some mental breaks for users reading it straight through. Second, it gives the ability to jump to certain information to those who may only be looking for one thing.

Scope
This privacy policy "applies only to personally identifiable information collected on the Web sites where this Privacy Policy is posted". As stated later, the policy also covers information that comes to the Walt Disney Family of Companies through the purchase of other businesses. A distinction is also made between information collected by licensees and co-branding participants which is subject to the privacy policy and information collected by third parties advertising on the sites which is not.

Accountability
Disney provides no information in their policy as to how they ensure that the policy is followed. Readers are provided with an email address and postal address to which they can send questions or comments about the policy. In addition, the Walt Disney Family of Companies have the TRUSTe Web Privacy Seal meaning that they follow some standard principle in their privacy practices. One of these stipulations is a link to TRUSTe where consumers can report concerns they have about whether their information was handled in a manner inconsistent with the policy. (It should be noted that there are debates about the trustworthiness of TRUSTe. One example may be found at Just How Trusty Is Truste?)

Update
The privacy policy does not describe any process for regularly reviewing the policy. It is stated that the policy may be updated at any time. Changes take affect 30 days after users are notified by email or the updated policy is advertised on the website. Disney reserves the right to apply the updated policy to information gathered before the update unless the account is cancelled.

Security
Disney does not state how they secure personal information when it is being transmitted nor when it is stored. They do say that security and confidentiality is important to them but only state that "technical, administrative, and physical security measures" are in place. Strangely, the privacy policy contains a sentence that almost seems like an apology for a future compromise. "Please be aware though that, despite our best efforts, no security measures are perfect or impenetrable." While true, it seems odd that this would be included.

SUGGESTIONS

The privacy policy for the Walt Disney Family of Companies is pretty substantial. It covers many topics and is much more thorough than other privacy policies that I have seen. I do believe that there are multiple ways that the policy and practices can be improved. To be forthcoming, these observations come from the user perspective rather than the company's. There may be good business reasons why these suggestions would not be good to adopt.

Specifics on information
The privacy policy does not explicitly state the pieces of information that are gathered. It would be nice to know if whether the name of my internet service provider was something that was being gathered and stored.

Non-personal information
The privacy policy does not spend much time discussing how non-identifying information is handled. Little bits of information are given about the topic but the privacy policy primarily covers identifying information.

Link location
On the ESPN.com website the link is in a small, light-colored font in the middle of a paragraph at the bottom of the page. It is a full page down from the last piece of dynamic content. Such a location does not provide the user with a sense of how important the privacy policy is. Placement near the top of the page (even if it doesn't stand out more than currently) would be a nice improvement.

Remove (re-label) previous versions
After not seeing the privacy policy link on a quick glance at ESPN.com I searched on Google for "espn privacy policy". The first result was GO NETWORK and ESPN.COM PRIVACY and SAFETY POLICY which I began reading. Later I went and found the link on the ESPN.com site which took me to WDIG Privacy Policy. It would have been nice if the older policy had been removed, replaced with the new policy, or renamed to express that it was no longer applicable. These efforts would keep anyone searching for the policy (or coming from an old link to it) from being mislead by the old policy.

Bernard, Allen. Privacy, Responsiveness Top Online Concerns. (2004, June 28). Retrieved November 6, 2004, from http://www.cioupdate.com/research/article.php/3374501

Boutin, Paul. Just How Trusty is Truste? (2002, April 9). Retrieved November 8, 2004, from http://www.wired.com/news/exec/0,1370,51624,00.html

GO NETWORK and ESPN.COM PRIVACY and SAFETY POLICY. (1999, September 9). Retrieved November 5, 2004, from http://espn.go.com/sitetools/s/privacy.html

WDIG Privacy Policy. (2003, November 6). Retrieved November 5, 2004, from http://disney.go.com/corporate/legal/wdig_privacy.html