by David Haskin
It’s time to get serious about online privacy. For the past few years, businesses both big and small have been living in a fool’s paradise, figuring they could collect information on the Web and not be held responsible for what they do with it. Selling information to marketers, sharing it with partners, using it to spam: almost everything has been fair game. That’s all over now.
Businesses just wading onto the Web have one advantage: They haven’t done anything wrong yet. They can learn from the blunders of other businesses and big dot-coms that went before. But amid loud cries for regulation and consumer revolt, it’s hard to know where to start. What should a privacy policy say? What technology and policies are needed to keep those promises?
Perhaps for this reason, many businesses don’t do anything at all. Many small businesses ask Web visitors to leave credit card numbers, addresses, and other personal data, but still don’t promise to protect the privacy of that information. The Federal Trade Commission has found that less than 20 percent of sites meet reasonable privacy standards.
“On a scale of one to ten, privacy is a ten,” says Reed Jackson, president of Logothreads Inc., which sells business-casual logo sportswear on the Web. “Anybody who doesn’t have that attitude is shortsighted about the success of their business.”
Terry Pittman, a privacy advocate and president of BrightStreet.com, a promotions technology company, says his company’s extensive surveying and consumer testing has found that a clear, well-stated privacy policy really does improve business. “When a consumer comes to a site and considers whether to do business, a privacy policy can make the difference in whether they spend money with you or not,” Pittman says. Customers expect to know what a site is doing with all that data or they won’t do business with it at all.
Know What’s at Risk
Right now, most businesses’ primary concern is whether trying to reap the benefits of information they’ve gathered will drive away the very customers whose information they’re collecting. For instance, a site can enable users to “personalize” the site so they view only information of interest to them. Those personal preferences are red meat to marketing lions, so businesses must inform visitors if that information will be sold to others. According to Pittman, businesses have to be aware when they’re trading future customer trust for immediate revenue. “I discovered early on that we could do a lot of things with personal information without breaking the law, but it could cause consumers to not come back,” he says.
But besides being good business, protecting privacy on the Web also is good ethics and, increasingly, is essential for staying out of legal trouble. The rules of Web privacy are currently going through a critical phase, and lawmakers all over the country are brandishing bills that would enforce restrictions on what businesses can do with the confidential information they collect. Besides just worrying about negative reactions from potential (or soon-to-be-former) customers, businesses must be careful if they want to stay out of court.
The regulations about what companies can and should do are getting more tangled all the time, according to Kerry Kearney, an attorney who specializes in technology privacy issues for Reed, Smith, Shaw & McClay in Pittsburgh. This could be trouble for small businesses. “Big companies typically do a good job following the privacy laws, but small companies often have neither the time, resources, nor patience,” she says.
In May, the Federal Trade Commission called on Congress to approve stronger privacy regulations. The legislature has already passed a law restricting how information can be collected from children. Sites must get permission from parents, disclose exactly what they’re collecting (and why), and have some way to tell that the parents are really who they say they are. Of course, since on the Internet nobody knows if you’re a child, this could potentially affect just about every business. (A recent survey by a site called FollowUp.net found that a staggering 93 percent of child-oriented sites don’t comply with existing laws.)
In many industries, companies are already subject to great legal scrutiny. For instance, the Gramm-Leach-Bliley Act deals with online privacy provided by financial institutions and any online business that finances transactions, such as an auto dealer. Likewise, health care businesses that collect data from Web visitors, such as online pharmacies or even doctors’ offices, are covered under the Health Insurance Portability and Accountability Act of 1995. That law covers a wide variety of issues, among them the confidentiality of online records.
Expect more legislation in the future. Some states are considering setting their own restrictions; in fact, Michigan has started to go after some sites, even without an online privacy law, by invoking consumer protection statutes written before the advent of the Web. It’s also possible to be sued in civil court if somebody feels a site has invaded their privacy, Kearney notes. So create a solid policy and get your lawyers to sign off on it. Then be ready to live up to those promises.
Put the Technical Pieces in Place
Many of these new and proposed laws require sites to behave in certain ways that aren’t exactly easy to accomplish technologically. Every privacy plan will differ, but there are a few increasingly agreed-upon standards. [See “The Five Commandments”]. The most important and most difficult tasks here are ensuring security and providing access, according to Dennis Lee, director of training and research for IFsec, a New York information-security consulting firm. Both require you to make some potentially costly decisions.
Access means letting users see and change information you’ve collected about them. This requires that developers provide limited and secure access to the database so users can change that data. The level to which you control access is a key decision. “Do you want consumers to come in with a password, or is the information so secret that you must offer another level of proving their identity?” Lee asks. Typically that extra level of protection involves so-called digital certificates that verify a user is who he says he is. Prices vary widely, but expect to pay between $20 and $100 per user for this additional capability.
In either case, you or your host will need an industrial-strength database to store the information. Even if you only require a password, that means setting up and maintaining a database containing those passwords, and that database must be secure, as well. That typically means encrypting the database contents so that, even if it is broken into, the information can’t be read, Lee says.
Finally, don’t forget the basic security issues that all Web sites must consider, urges Jim Finn, a principal of the Unisys Enterprise Security practice. Make sure you protect the data as it moves over the Internet with security protocols such as Secure Sockets Layer. Also, make sure you or your Web host use a strong firewall with intrusion-monitoring software. And Lee cautions that the biggest privacy and security issue is taking care of the internal passwords needed to access records. If the wrong person gets hold of them, the company’s customer records will be an open book.
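As an added illustration of the access and password-database points above (not code from the article or from any vendor it names): customers sign in with a password, can view and change only their own record, and passwords are kept as salted PBKDF2 hashes rather than reversibly encrypted, so a stolen table does not reveal them. The schema, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumed schema: the only fields a customer may change about themselves.
EDITABLE = {"email", "marketing_opt_in"}
ITERATIONS = 600_000  # assumed PBKDF2 work factor

def _hash(password, salt):
    # Salted and deliberately slow, so a copied table is costly to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, salt BLOB,"
               " pw_hash BLOB, email TEXT, marketing_opt_in INTEGER)")
    return db

def register(db, username, password, email):
    salt = secrets.token_bytes(16)  # unique per customer
    db.execute("INSERT INTO customers VALUES (?, ?, ?, ?, 1)",
               (username, salt, _hash(password, salt), email))

def authenticate(db, username, password):
    row = db.execute("SELECT salt, pw_hash FROM customers WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        _hash(password, b"\x00" * 16)  # do the same work for unknown usernames
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])

def view_own_record(db, username, password):
    if not authenticate(db, username, password):
        raise PermissionError("authentication failed")
    row = db.execute("SELECT email, marketing_opt_in FROM customers"
                     " WHERE username = ?", (username,)).fetchone()
    return {"email": row[0], "marketing_opt_in": bool(row[1])}

def update_own_record(db, username, password, field, value):
    if not authenticate(db, username, password):
        raise PermissionError("authentication failed")
    if field not in EDITABLE:  # allow-list: column names never come from the user
        raise ValueError(f"field not editable: {field}")
    db.execute(f"UPDATE customers SET {field} = ? WHERE username = ?",
               (value, username))
```

Because every query is keyed on the authenticated username, one customer cannot read or alter another customer's row.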
Get Partners to Cooperate
Because of all of these technological concerns, the details of a privacy policy can actually have quite an effect on how the rest of the site is put together. Any business that goes online faces the decision of whether to create and host the site internally or bring in outside vendors such as Web designers and hosting services. The privacy plan should affect that decision, according to Lee.
“If you want the most flexibility and control over the information you collect, then keep it in-house,” Lee says. “At the end of the day, you’re the one who’s responsible.” If you do take the outsourcing route, however, make sure the developers and hosting service have stringent privacy and security policies of their own.
Many small businesses also test the e-commerce waters by creating online storefronts with vendors such as Yahoo Shopping. These storefronts are reasonably sophisticated, easy to set up even by non-technical users, and comparatively inexpensive. Unfortunately, those that use such a service have no control over the privacy and security policies, yet remain responsible to customers for them. Lee urges businesses to make certain that the service has a clearly-posted privacy policy and to fully understand how the site handles security issues. He says that, in general, big-name vendors like Yahoo Stores are very secure and do a good job with privacy issues.
Build Privacy Into the Business Plan
Because of all the potential costs involved in truly following through on a privacy policy, and because it directly affects the nitty-gritty of a business’ MIS system and strategy, it’s best to think about privacy as soon as possible. There are many benefits to developing a privacy plan even before developing a Web site — if possible. In any case, understand the business issues related to your privacy policy and include them in the business plan for the site.
“Your costs increase if your system doesn’t take privacy into account,” says Erika Bustos, strategic services manager for Knowledge Strategies Group of New York. “It will take longer and will be more expensive later.”
Another reason to create a privacy policy early is to allow time to consider the revenue implications of various options. This can be important for planning and working with investors and the financial community. Businesses that choose to sell information should state that fact in their privacy policies. Of course, that may result in lower sales because customers will be less likely to use the site.
Almost all companies want information for their own marketing purposes, and thus should state that clearly in their policies. Take into account how the promises the privacy policy makes may affect other aspects of the business. “Make sure you run it past representatives of the departments that are touched by the policy,” Pittman says.
Finally, start creating the privacy policy sooner rather than later because the cooperation of all employees is essential to true security. Without employee buy-in, the privacy policy will be little more than window dressing.
Get Everyone Involved
Everyone who works with the information should understand that the company made promises about what they’d do with it, and that they’re responsible for keeping them. Make sure that employees fully understand the policy by posting it internally as well as on the site.
Still, you can’t play it too safe: Make sure anyone who doesn’t need that information can’t get access to it. “We very much limit access on the internal side to one person at a time,” says Adam Weinberg, director of marketing for Idleinventory.com, a service that facilitates sales of medical equipment. “There is a very limited number of people who will access it.”
Perhaps the best step a business can take to follow through on its promises is appointing what might be called a privacy czar. “This person’s name should go on the site as the person consumers can contact,” Pittman says. “If you do a good job, that person will get only an e-mail or two a week. That’s not much work, but those messages will help you understand how people respond to it.”
That person must also coordinate among the person maintaining the site, the employees using the information, and the executive team. The CEO should be included, because ultimately a company’s commitment to privacy has to start at the top. “The CEO has to say this is important before everybody will take it seriously,” Pittman says.
The Five Commandments
THE EASIEST way to start creating a privacy plan is to use a template. Many are freely available from the online world’s self-regulating “seal” organizations, such as TRUSTe, which monitors Web privacy [see “Sealed Tight?”].
However, consider these as nothing more than starting points. Every business and site is different: Your policy must reflect the business’ plans and visitors’ concerns.
Still, there are broad outlines of what constitutes a good privacy policy. Pittman, who is on the board of directors of TRUSTe, lists five rules essential for any privacy policy.
* It must be easily accessible from every page on the site. A link to it may be placed at the bottom of the page, but it should be clearly visible to all users. “If your customers have to dig for it, it’s not a good policy,” Pittman says.
* The policy should clearly specify what types of data are collected and who, if anyone, it will be shared with.
* Consumers should have a choice about how a site can use their personal information. For instance, they should be able to opt out if they don’t want to be marketed to.
* Consumers should have access to their information and the ability to change it. As with the policy itself, this should be easy for consumers to access.
* The privacy policy must include contact information for someone in your organization if users have concerns or complaints about privacy issues.
Sealed Tight?
MANY SITES use so-called “seal programs” to guide the development of their privacy policies and assure visitors their information is safe. Seal programs require sites to adopt privacy policies and offer varying levels of monitoring and auditing to ensure sites comply. In return, the site displays a logo, or seal, that tells users the site is privacy-friendly.
“It’s like a seal of good housekeeping,” says Larry Ponemon of auditing firm PricewaterhouseCoopers. The best-known are TRUSTe (www.truste.org), Better Business Bureau OnLine (www.bbbonline.com) and BetterWeb (www.betterweb.com).
The three programs vary. BBBOnLine requires you to fill out a questionnaire and post an online privacy policy; it grants the seal if it finds you’ve set up sufficient policies and are adhering to them. It also offers dispute settlement help when users complain about privacy issues. TRUSTe works similarly and provides periodic reviews of your site. BetterWeb, which is a service of PricewaterhouseCoopers, includes comprehensive auditing services and covers a wide variety of business issues, in addition to privacy.
These programs aren’t free. BBBOnLine costs between $150 and $3,000 per year, depending on sales. TRUSTe’s fees range from $199 per year to about $7,000 and BetterWeb, with its more extensive auditing, starts at about $15,000.
Advocates insist the seals inspire confidence in site visitors. However, not everybody believes a seal is essential. Jackson of Logothreads says his company started with a seal program but didn’t continue with it because they received no customer feedback about it one way or the other.