Managing Online Privacy

By Marie Flores
October 01, 2003

e-Commerce has grown faster and larger than anyone could ever have predicted. By its nature, e-commerce is intricately linked to consumer privacy, and privacy concerns are at an all-time high.

A recent Business Week/Harris poll revealed that two-thirds of users currently not “online” would be more likely to start using the Internet if the privacy of their “personal information and communications would be protected.”

Privacy concerns will only continue to grow along with e-commerce. Having the best technology is no longer the key to success in the online world. e-Businesses that take consumer privacy seriously will leave their less-responsive competitors behind. And at a time when identity theft is a common occurrence and major concern, consumers are demanding reliable and trustworthy relationships from e-vendors.

Why Effective Online Privacy Statements are Critical

Two important reasons for designing an effective online privacy statement dominate all planning of such an offering.

The first is to ensure continued consumer patronage. Without customers, e-businesses cannot survive. Consumers are far savvier regarding privacy matters than they were a few years ago. A good online privacy statement could increase business. A BCG Consumer Survey found that companies that disclose their information gathering and dissemination practices have a 200% to 300% better chance of landing a customer and getting repeat business. (See www.lightos.com/trasp1.html.) Businesses that stay a step ahead in the privacy game will often gain the customers of competitors who fail to take online privacy seriously.

The second reason why designing an effective online privacy statement is important is that failing to do so can expose an entity to potential legal liability. Statements that don't accurately reflect a business' actual practices are ones sure to invite legal troubles. Remember: It is not enough to post an online privacy statement; any privacy statement should:

  • reflect best practices;
  • meet applicable regulatory requirements; and
  • accurately reflect back-end data management practices.

A company's policy and practices must also accurately reflect what is listed in the posted online policy. The Federal Trade Commission (FTC) has cited several companies whose online privacy statements did not accurately reflect the firms' privacy practices. Also, companies must be aware that certain types of e-businesses may be subject to specific legislation that requires particular privacy protocols. The Gramm Leach Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA) and the Children's Online Privacy Protection Act (COPPA) all impose some sort of specific privacy requirement.

7 Essential Elements for All Privacy Statements

Notice. Web sites should provide clear and conspicuous notice of their information practices. The notice should emphasize that protecting consumer privacy is a priority. Sites should include language that encourages consumers to read the entire policy statement in order to fully understand the companies' privacy practices.

Data Collected. Web sites should state what data is collected, how the data is collected (directly or indirectly, e.g., through use of cookies) and how the data is used (including whether data is disclosed to other entities, such as third parties). The FTC lists a definition of a cookie on its Web site. Companies should consider doing the same thing when drafting an online privacy statement.

Choice. Web sites should allow consumers to limit how their information can be used after collection, including (at a minimum) the opportunity to opt out of any secondary usage.

Access. Companies should provide consumers with reasonable access to the personal data that has been collected throughout the Web site and permit consumers to correct or delete such data.

Security. The Web site should specify which security steps have been taken to protect personal information disclosed or collected on the site. Web sites should also provide reasonable protections against consumer data being accessed, used or disclosed without the proper permissions.

Exceptions. Web sites should state any exceptions to privacy practices they list.

Regulatory compliance. Certain entities may need to add language to their privacy statement to meet applicable regulatory requirements, such as those of particular legislation to which the entity may be subject.

Enforcement of Privacy Statements

The FTC pledges that it “makes sure companies keep the promises they make to consumers about privacy and in particular the precautions they take to secure consumers' personal information. … Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' personal information.”

To date, the FTC has charged Guess Inc., Microsoft Corp. and Eli Lilly and Co. regarding what the agency perceived as false claims pertaining to information security, and reached consent agreements settling the disputes, with each agreement outlining steps the companies agreed to take concerning data security. The FTC notes that consent agreements are for settlement purposes only and do not constitute an admission by any company involved that a law was broken.

The FTC also brought and eventually settled charges against a few companies for allegedly falsely stating that information collected would be used solely for educational purposes.

The companies cited were accused of selling the information they collected to commercial marketers. (See www.ftc.gov/privacy/privacyinitiatives/promises_enf.html.)

Self Regulation vs. Government Regulation

The online industry has been advocating self-regulatory models that rely on participation in seal programs, such as TRUSTe (see http://www.truste.org/), WebTrust (see http://www.webtrust.net/) and BBBonline (see http://www.bbbonline.org/). Such programs typically establish minimum disclosure standards for privacy notices, requiring that such notices address specific areas of information use and handling, and adhere to fair information practices.

It is crucial for e-businesses to perform adequate self-regulation; if they don't, then government regulation will be inevitable. A vast majority of users feel that legislation should be enacted to protect personal privacy, with 39% and 33% agreeing strongly and somewhat, respectively, that new laws should be passed to protect privacy on the Internet. (See http://www.cse.stanford.edu/class/cs201/projects-97-98/databases-in-cyberspace/links.html.) Future legislative proposals may attempt to regulate certain means of information-collection, such as compiling profiles from consumers' online navigation and purchasing habits.

Few online businesses will survive without customers who feel confident about the security of the information they disclose while purchasing goods and services online. Gone are the days when lengthy privacy statements written in legalese and buried at the bottom of a busy home page were sufficient (or companies believed were sufficient) to put consumers on notice regarding privacy practices. e-Business has changed. Privacy is no longer just one consideration out of many in doing business online, but a critical aspect of every e-business.

For more information on the FTC's privacy agenda, check out the following links:



Marie Flores, J.D.
