Probing PrivacyKeys to a Protective and Profitable Policy Consumers Can Trust
Unfortunately, privacy policies are not without risks. If you publish a policy, but fail to abide by it, you could be in trouble. When a programming error exposed the e-mail addresses of 600 people who had expressed an interest in Eli Lily's Prozac medication, some of them complained to the Federal Trade Commission (FTC), which imposed a 20-year oversight settlement on the company in January of 2002. The exposure was an accident, and the only people who saw the addresses were other people on the list, but here's what the Director of the FTC's Bureau of Consumer Protection, J. Howard Beales, III, said: "Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information."
The FTC takes its consumer protection mandate seriously, which it demonstrated when it forced privacy-related settlements on computer giant Microsoft and apparel company Guess. The latter faced charges that its Web site, guess.com, exposed consumers' personal information, including credit card numbers, to commonly known hacking attacks, contrary to security claims made in its privacy statement.
The FTC firmly established that companies must use reasonable or appropriate measures to prevent consumer information from being accessed, including protection against "known vulnerabilities." As Beales stressed, "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that. It's not just good business, it's the law."
Promises You Can Keep and They Can Understand
This approach reflects the dilemma companies face as consumer concerns push privacy up the agenda in more and more departments. A comprehensive, enterprise-wide statement of policies concerning PII could overwhelm the average consumer, leaving them no wiser about the company's position on the basic principles. Remember the privacy notices mailed out in 2001 by banks and credit card companies under the Gramm-Leach-Bliley Act, which required institutions to disclose their privacy policies? Many notices were sharply criticized as too long or too obscure. Trying to hedge your privacy bets in a legalistic privacy statement is not going to work.
Web Bugs, Beacons and Basic Practices
Ideally, a privacy statement on a Web site should be accessible from every page of the site, as part of the navigation bar. At a minimum, it should be accessible from the home page and any page that solicits or uses PII.
* Notice: State your intended use for the data before you collect it, including any potential secondary uses.
* Choice: Explain what choice people have in supplying the requested data, what they miss out on if they don't supply it, and what can be done with the data they supply (including secondary uses).
* Access: State your policy on the right of data subjects to see the data that you have about them, and to change it or delete it, if appropriate.
* Security: Describe how you protect the confidentiality, integrity and availability of the information, and what you do to keep the data accurate and up-to-date.
* Enforcement: Explain the mechanisms you use to make sure that these principles are upheld and to impose penalties if they are not.
What Data Do You Have?
For many companies, the biggest and most basic challenge of putting together a defensible privacy statement is determining what personal data the company is collecting and what is being done with it.
The solution: Map data flows. Many companies find that when they try to get a handle on privacy, no definitive documentation is available as to what data is being collected, how (or about whom) it's being collected, or where it's being stored or sent. The answers to these questions will shape the privacy statement, particularly notices to users about the data collected for any "downstream" or secondary implications, such as a data-sharing or cross-marketing agreement with another organization.
Someone needs to track exactly what happens to PII from the moment it enters the systemfor example, when it is entered in a form on a Web page. Some Web site forms simply send user input to a company e-mail address when the user clicks "Submit." A more sophisticated approach is to write the input to a file and make sure the file is not stored on the Web server for any length of time, but spooled to a properly fire-walled back-end server. Access to data on that server should be tightly restricted to employees who need to see it in order to perform their work.
Online/Offline: Where the Twain Shall Meet
can create an unacceptable delay (particularly as this can be resource-intensive, and may be delayed by budget concerns and interdepartmental wrangling).
The fact is, a company's handling of privacy issues can evolve over time to cover all the bases, but it makes sense to start at the point of greatest exposure. For many companies, this is the Web site.
Furthermore, until you have a clear idea of what PII the company currently handles and how, starting at the top can be riskyyou don't want to end up with a policy that is at odds with practices on which the company relies for operations.
* Respect for customer privacy has always been a priority at Sample Company.
* Sample Company respects the privacy of customers and maintains strict customer information privacy policies.
* Sample Company is committed to meeting customer expectations regarding the collection, control, use, transfer, storage and disclosure of personally identifiable information.
* At Sample Company, privacy means giving customers control over the collection, use and distribution of their personal information in order to build and maintain trust and loyalty.
Of course, one of the handy features of the Web is that it is self-documenting: You can read the privacy statements of all the companies you want, looking for ideas and language that suit your needs.
The language that comes below this top level of the statement will ultimately depend on the type of business you're in and the type of PII you handle. While some types of PII are obviously more sensitive than others, the message from recent court cases and legislative proposals is that consumers are becoming more and more sensitive to how any of their information is handled.
Smart companies will err on the side of caution when it comes to privacy to earn and retain the consumer trust that is essential to successful marketing.
Stephen Cobb is senior vice president in charge of research at ePrivacy Group, consultants and purveyors of privacy-
related solutions, including the Trusted Sender? and SpamSquelcher? tools for fighting spam (www.eprivacygroup.com). Cobb also is the author of the book "Privacy for Business: Web Sites & Email" (www.DrevaHill.com). He can be reached at (212) 655-9392.