It's time to get serious about online privacy. For the past few years, businesses both big and small have been living in a fool's paradise, figuring they could collect information on the Web and not be held responsible for what they do with it. Selling information to marketers, sharing it with partners, using it to spam almost everything been fair game. That's all over now.
"On a scale of one to ten, privacy is a ten," says Reed Jackson, president of Logothreads Inc., which sells business-casual logo sportswear on the Web. "Anybody who doesn't have that attitude is shortsighted about the success of their business."
Know What's at Risk
Right now, most businesses' primary concern is whether trying to reap the benefits of information they've gathered will drive away the very customers whose information they're collecting. For instance, a site can enable users to "personalize" the site so they view only information of interest to them. Those personal preferences are red meat to marketing lions, so businesses must inform visitors if that information will be sold to others. According to Pittman, businesses have to be aware when they're trading future customer trust for immediate revenue. "I discovered early on that we could do a lot of things with personal information without breaking the law, but it could cause consumers to not come back," he says.
But besides being good business, protecting privacy on the Web also is good ethics and, increasingly, is essential for staying out of legal trouble. The rules of Web privacy are currently going through a critical phase, and lawmakers all over the country are brandishing bills that would enforce restrictions on what businesses can do with the confidential information they collect. Besides just worrying about negative reactions from potential (or soon-to-be-former) customers, businesses must be careful if they want to stay out of court.
The regulations about what companies can and should do are getting more tangled all the time, according to Kerry Kearney, an attorney who specializes in technology privacy issues for Reed, Smith, Shaw & McClay in Pittsburgh. This could be trouble for small businesses. "Big companies typically do a good job following the privacy laws, but small companies often have neither the time, resources, nor patience," she says.
In May, the Federal Trade Commission called on Congress to approve stronger privacy regulations. The legislature has already passed a law restricting how information can be collected from children. Sites must get permission from parents, disclose exactly what they're collecting (and why), and have some way to tell that the parents are really who they say they are. Of course, since on the Internet nobody knows if you're a child, this could potentially affect just about every business. (A recent survey by a site called FollowUp.net found that a staggering 93 percent of child-oriented sites don't comply with existing laws.)
In many industries, companies are already subject to great legal scrutiny. For instance, the Gramm-Leach-Bliley Act deals with online privacy provided by financial institutions and any online business that finances transactions, such as an auto dealer. Likewise health care businesses that collect data from Web visitors such as online pharmacies or even doctors' offices are covered under the Health Insurance Portability and Accountability Act of 1995. That law covers a wide variety of issues, among them the confidentiality of online records.
Expect more legislation in the future. Some states are considering setting their own restrictions in fact, Michigan has started to go after some sites, even without an online privacy law, by invoking consumer protection statutes written before the advent of the Web. It's also possible to be sued in civil court if somebody feels a site has invaded their privacy, Kearney notes. So create a solid policy and get your lawyers to sign off on it. Then be ready to live up to those promises.
Put the Technical Pieces in Place
Many of these new and proposed laws require sites to behave in certain ways that aren't exactly easy to accomplish technologically. Every privacy plan will differ, but there are a few increasingly agreed-upon standards. [See "The Five Commandments"]. The most important and most difficult tasks here are ensuring security and providing access, according to Dennis Lee, director of training and research for IFsec, a New York information-security consulting firm. Both require you to make some potentially costly decisions.
Access means letting users see and change information you've collected about them. This requires that developers provide limited and secure access to the database so users can change that data. The level to which you control access is a key decision. "Do you want consumers to come in with a password, or is the information so secret that you must offer another level of proving their identity?" Lee asks. Typically that extra level of protection involves so-called digital certificates that verify a user is who he says. Prices vary widely, but expect to pay between $20 and $100 per user for this additional capability.
In either case, you or your host will need an industrial strength database to store the information. Even if you only require a password, that means setting up and maintaining a database containing those passwords, and that database must be secure, as well. That typically means encrypting the database contents so that, even if it is broken into, the information can't be read, Lee says.
Finally, don't forget the basic security issues that all Web sites must consider, urges Jim Finn, a principal of the Unisys Enterprise Security practice. Make sure you protect the data as it moves over the Internet with security protocols such as Secure Sockets Layer. Also, make sure you or your Web host use a strong firewall with intrusion-monitoring software. And Lee cautions that the biggest privacy and security issue is taking care of the internal passwords needed to access records. If the wrong person gets hold of it, the company's customer records will be an open book.
Get Partners to Cooperate
"If you want the most flexibility and control over the information you collect, then keep it in-house," Lee says. "At the end of the day, you're the one who's responsible." If you do take the outsourcing route, however, make sure the developers and hosting service have stringent privacy and security policies of their own.
Build Privacy Into the Business Plan
"Your costs increase if your system doesn't take privacy into account," says Erika Bustos, strategic services manager for Knowledge Strategies Group of New York. "It will take longer and will be more expensive later."
Get Everyone Involved
Everyone who works with the information should understand that the company made promises about what they'd do with it, and that they're responsibility for keeping them. Make sure that employees fully understand the policy by posting it internally as well as on the site.
Still, you can't play it too safe: Make sure anyone who doesn't need that information can't get access to it. "We very much limit access on the internal side to one person at a time," says Adam Weinberg, director of marketing for Idleinventory.com, a service that facilitates sales of medical equipment. "There is a very limited number of people who will access it."
Perhaps the best step a business can take to follow through on its promises is appointing what might be called a privacy czar. "This person's name should go on the site as the person consumers can contact," Pittman says. "If you do a good job, that person will get only an e-mail or two a week. That's not much work, but those messages will help you understand how people respond to it."
That person must also coordinate among the person maintaining the site, the employees using the information, and the executive team. The CEO should be included, because ultimately a company's commitment to privacy has to start at the top. "The CEO has to say this is important before everybody will take it seriously," Pittman says.
----------------------------The Five Commandments
THE EASIEST way to start creating a privacy plan is to use a template. Many are freely available from the online world's self-regulating "seal" organizations, such TRUSTe, which monitors Web privacy [see "Sealed Tight?"].
However, consider these as nothing more than starting points. Every business and site is different: Your policy must reflect the business' plans and visitors' concerns.
* It must be easily accessible from every page on the site. A link to it may be placed at the bottom of the page, but it should be clearly visible to all users. "If your customers have to dig for it, it's not a good policy," Pittman says.
* The policy should clearly specify what types of data are collected and who, if anyone, it will be shared with.
* Consumers should have a choice about how a site can use their personal information. For instance, they should be able to opt out if they don't want to be marketed to.
* Consumers should have access to their information and the ability to change it. As with the policy itself, this should be easy for consumers to access.
MANY SITES use so-called "seal programs" to guide the development of their privacy policies and assure visitors their information is safe. Seal programs require sites to adopt privacy policies and offer varying levels of monitoring and auditing to ensure sites comply. In return, the site displays a logo, or seal, that tells users the site is privacy-friendly.
"It's like a seal of good housekeeping," says Larry Ponemon of auditing firm PricewaterhouseCoopers. The best-known are TRUSTe (www.truste.org), Better Business Bureau OnLine (www.bbbonline.com) and BetterWeb (www.betterweb.com).
These programs aren't free. BBBOnLine costs between $150 and $3,000 per year, depending on sales. TRUSTe's fees range from $199 per year to about $7,000 and BetterWeb, with its more extensive auditing, starts at about $15,000.
Advocates insist the seals inspire confidence in site visitors . However, not everybody believes a seal is essential. Jackson of Logothreads says his company started with a seal program but didn't continue with it because they received no customer feedback about it one way or the other.