Practicing Privacy: Elements of a Privacy Protection Policy


Privacy protection is the most important benefit a business can provide to its customers and trading partners. Savvy businesses are differentiating themselves by making privacy protection the cornerstone of their customer-centric business models. These businesses know that to shift from a product or market orientation to a customer-centric business model, privacy protection must be an integral part of the way they do business.

Businesses that have made and kept privacy commitments with their customers are rewarded with higher profit, because strong privacy protections instill customer loyalty and trust and can result in lower customer acquisition costs, improved brand reputation, and favorable press.

A privacy policy isn’t another stale page on your company Web site that is drafted by corporate counsel and ignored in practice. A true privacy policy is like a constitution that articulates a framework of general principles the company will follow to protect customer privacy. In simple terms, the privacy policy is a set of promises and guarantees regarding the security of customer information. If you participate in the framing of your company’s privacy policy, your task is like that of the original framers of the U.S. Constitution. As a framer, you must decide what protections your company will afford customer data, how that data will be used, and how it will be secured. Other decisions include determining the proper scope of data collection, data retention, and data security.

The constitutional metaphor should not be quickly dismissed, because the business consequences of a poorly written, vague, or incomplete policy are significant. As customers in both the B2B and B2C segments become more Internet-savvy, they are scrutinizing company privacy policies when making purchasing and partnering decisions. A vague, ambiguous, or illusory privacy policy will result in the loss of potential and actual customers and increase customer acquisition costs. Further, as government regulation creeps into the consumer information privacy arena, perceived violations of privacy policies may have legal ramifications.

A poorly drafted or unintelligible privacy policy will not instill customer trust and confidence in the company’s privacy practices. From the customers’ perspective, arbitrary or inconsistent protection of their information may be a greater affront than the absence of privacy protection. Your company’s good will, customer loyalty, and significant investments in brand development will be undermined if privacy policies are haphazard, illusory, or inconsistent. A poorly drafted policy does not give the necessary guidance and clarity to all parts of the company. Ambiguity will breed confusion and inconsistent implementation of the privacy policy across the company.

Accordingly, great care must be taken when drafting a privacy policy. It should not be drafted by IT alone, since all departments will be responsible for living by it and enforcing it. A true privacy policy will be the work of a committee of company leaders who agree that privacy will become a part of their mission. IT will likely have primary enforcement responsibility with respect to infrastructure privacy controls, including customer data collection, data security, and data dissemination. A chief privacy officer may be selected or recruited to spearhead company privacy efforts and sponsor and manage all privacy-related projects.

Understanding the Sources of Privacy

Before a complete privacy policy can be drafted, one should understand the source of the “right to privacy” itself. The right of privacy flows from the nebulous “reasonable expectations” of the customer. Ironically, the framers of the U.S. Constitution omitted any express privacy provisions; judges have implied a “penumbra” of privacy protection from the other protective provisions of the Constitution. The various states, and later federal legislation, have created specific rights to privacy, often in limited contexts. Many of the recent privacy protection laws are legislative responses to failures of the business community to take privacy protection seriously and integrate sufficient protections into their business operations.

Underlying these privacy protection laws is a simple premise: a person has a “reasonable” expectation of privacy as a citizen, including while engaging in commerce. The person, under law, is a hypothetical “reasonable man,” and his privacy expectations are deemed to include protections from unwarranted intrusions into personal matters and protections from unnecessary disclosure and use of private (personally identifiable) information, including financial, personal, or medical data to third parties for unknown uses. Modern-day “reasonable men” are becoming keenly aware of unauthorized use of their information, even if the information was voluntarily disclosed to the company for another purpose.

Ownership Means the Right to Control

While customers believe they “own” their personally identifiable data, they also believe they have the right to control the disclosure, use, and dissemination of that information as an incident of ownership. These notions of ownership and control are especially true of personally identifiable information including driver’s license numbers, social security numbers, credit card numbers, account numbers, and medical record/billing numbers, which are virtual proxies for their assignees. Given the rise of identity theft, stalking, unsolicited commercial email (spam), and the notorious security weaknesses of some high-profile Web sites, consumers are justifiably concerned about the unauthorized dissemination and use of these critical pieces of information. In response, millions of consumers have taken crude steps to protect their privacy while conducting commerce, including creating junk-mail email accounts and populating Web site forms with bogus identity data. Given these consumer concerns, a company committed to practicing privacy must be prepared to afford customers control over their personally identifiable information, including the ability to access and update personally identifiable information that is incorrect.

“Opt in” vs. “Opt out”

While the notions of ownership and control seem self-evident, legislatures grappling with privacy protection laws are debating which presumptions should apply when a person discloses personally identifiable information to a business during a commercial transaction. The opt in versus opt out debate pertains to whether customers are presumed to have opted in to the widespread use of their personal information and must affirmatively act to limit use, or whether the consumer is presumed to have opted out by default and must affirmatively permit (opt in to) any dissemination or use outside the scope of a particular transaction.

While the opt in/opt out debate continues, the presumption of opted in is contrary to the notions of ownership and control that most consumers have regarding their personally identifiable information. From a historical and legal perspective, there is scant support for the view that consumers have opted in to wide disclosure (waived their right to privacy) and must affirmatively assert that right by opting out of disclosure. In law, the general presumption is that a waiver of a legal right will not be presumed and must be either intentional or the product of gross neglect by the person whose rights are affected. With respect to privacy, the law has historically presumed that the context of an event determined a person’s reasonable expectations of privacy regarding that event. For example, a customer purchasing fruit at an outdoor market could not have a reasonable expectation of privacy regarding that transaction, while a party negotiating a purchase of a business behind closed doors may have. Given that many Internet purchases are more akin to private, behind-closed-doors negotiations than outdoor public market purchases, businesses should presume that customers have high privacy expectations. Privacy expectations may be raised if encryption is used during the transaction.

Any company with a serious commitment to instilling customer trust and practicing privacy will presume that a customer has opted out of wide disclosure by default. This presumption is true for third-party disclosure, even to partners, affiliates, and parent companies, especially if the customer has had no prior dealings with those entities. Companies with a commitment to privacy will also ensure that their partners, affiliates, and parent companies don’t receive extraneous information or misuse information transmitted to them as an end run around the company privacy policy.

Elements of a Good Privacy Policy

A good privacy policy will address four key areas: the collection, use, dissemination, and protection of personally identifiable customer information. Additional topics include detailing how customers can correct or update their identifiable information, the technologies that are being used to collect behavior (clickstream) information, and how partners, affiliates, parent companies, successors, and assignees can use customer information. The following is a list of tips for developing a good privacy policy:

• Present a general statement—Many privacy policies begin with a general statement of principles that the company supports with respect to privacy. A brief statement of policy and principles can go a long way to instill customer confidence and trust.

• Define the terms—Like any contract, unique terms such as personally identifiable information must be defined. Unlike traditional contracts, warranties, or disclaimers, the terms and language in a privacy policy must be written so that the public and company employees can easily understand the definitions. And, unlike other contracts, sentences should be drafted to promote disclosure, so that a customer can make an informed decision regarding whether to purchase from your company. The notion of informed consent is key to instilling customer trust. Customers must feel they understand how their information will be used and can make an informed decision whether to do business under those circumstances.

• Identify the types of information collected—Many customers review privacy policies prior to using a company Web site for a purchase. If your privacy policy articulates the specific types of information to be collected on a data element level, a customer can make an informed decision prior to committing to an order. This is especially true of sites that collect significant customer information as a part of an “enrollment” process prior to placing an order. If your site collects a significant amount of personal information about consumers, this portion of the policy may also explain the use of that particular category of information. State with specificity the types and data elements collected during particular transactions.

• Define the ownership of collected information—A statement of ownership will assure customers that your company is not acting as a loss-leader front for a larger corporate entity or direct marketing firm. Identify the collecting company entity and state whether the entity is a subsidiary, partner, or affiliate of any larger entity.

• Identify how the company will use collected information—This section is the heart of the privacy policy and should provide details pertaining to information use. Again, use plain language.

• Explain sharing practices—Sharing practices are one of the main reasons Congress is taking action to regulate privacy. Carefully consider the ways your company shares information with partners, affiliates, and related entities, and articulate the policy so that customers can make an informed decision regarding their purchases. If your company shares information, articulate which information is shared and identify what, if any, customer-specific (personally identifiable) information is shared and for what purposes. If only aggregate information (summary information about the customers in total) is shared, identify the types of aggregate information shared and the purposes for the sharing.

• Discuss the sharing of collected information with third parties (aggregate information)—Sharing information with third parties is the most controversial aspect of electronic commerce. While data sharing has been occurring for many years, customers are becoming increasingly sensitive to potential misuses of their personally identifiable information. These concerns are compounded by the ability of modern data warehousing technologies, which can amalgamate data from disparate and third-party sources and compile a complete customer profile, including shopping behavior and lifestyle information. Many consumers are skeptical of privacy practices that permit open sharing of personal information across partners, affiliates, subsidiaries, and related companies. Take time to elaborate your company’s sharing policies with third parties, and carefully consider whether sharing information with third parties will undermine your customer-centric focus.

• Cover the potential destruction of collected information—Many failing and failed dotcoms have created privacy firestorms by selling customer information when revenues drop or when the company is liquidated. While Congress is moving to limit these practices, a good privacy policy will address this issue in a forthright manner. Customers’ confidence will increase if they know that their information will not become a saleable asset should the company fail or have cash flow problems.

• Discuss customer updating of collected personal information—Many of the bills pending before Congress contain provisions that would force companies to permit a consumer to view and update any personally identifiable information kept by a company. Given the rise of identity theft and increasing consumer interest in privacy, most Web sites will need to provide update access to this information. Update access is itself a privacy risk: the same screen that lets a customer correct a record lets an impostor read it. If security precautions are required before access is granted, identify the precautions your company will follow before it permits a password reset or update access to personal information. (A system should never be able to divulge an existing password; it should verify the customer’s identity and then allow a reset.)

• Identify technologies used to collect information—Congress and consumers alike are increasingly concerned with stealthy information collection technologies, including cookies, server logs, spyware, clickstream data, site registration, Web bugs, and the like. Identify the technologies your site will use to collect information and the purposes for which the information is collected. Explain the use of these technologies in lay terms that an unsophisticated customer could understand.

• Opt in/opt out of future campaigns—Articulate in detail whether your company’s privacy policies assume that customers have opted in or out of promotional campaigns and other uses of their information.

• Give a link disclaimer—If your site links to third-party sites, inform customers that your company is not responsible for, nor dictates, the privacy practices in place for those external sites. The same is true for banner advertisements that may be displayed on your site.

• Discuss notification of changes to privacy policies—A privacy policy is illusory and will not instill consumer trust if it states that it can be changed without notice. State the circumstances under which the company privacy policies can change, and identify the notice methods that will be used to inform customers of changes to the policy. Consider whether prior notice combined with a waiting period would reinforce your company’s commitment to fair information practices, informed consent, and customer privacy.

• Explain data security measures—If your company uses security mechanisms to protect customer data (for example, TLS, the successor to Secure Sockets Layer, for data in transit, and encryption of stored data), describe those measures. Describe the categories of protection (encryption in transit, encryption of stored identifiers, access controls, monitoring) rather than operational details such as product versions or network layout, which help an attacker more than they reassure a customer. This section of the policy can build customer trust by demonstrating that data security measures are being employed.

• Identify company contacts for privacy issues—Identify the person(s) responsible for handling privacy related issues for your company, and provide complete address and telephone information.
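The “identify technologies used to collect information” item above is only honest if the policy matches what the site actually does. The following is an added example, not code from the original article, of an inventory script a practitioner can run over a page’s HTML and response headers to list the collection technologies the policy must disclose: cookies set by the server (and whether they persist beyond the session), third-party scripts, 1x1 images loaded from another host (Web bugs), and the form fields that ask for personal data. The HTML and headers are constructed sample input; the classification rules (a 0- or 1-pixel image from a foreign host counts as a Web bug, a script from a foreign host counts as third-party) and the site host name are this example’s own assumptions.

```python
"""Inventory the data-collection technologies a page uses, so the privacy
policy's disclosure of cookies, Web bugs, and third-party scripts matches
reality.  Added example; the sample page and headers are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _CollectorParser(HTMLParser):
    """Collect the tags that can carry data out of (or into) the page."""

    def __init__(self):
        super().__init__()
        self.images = []       # (src, width, height)
        self.scripts = []      # external script sources
        self.forms = []        # one list of input names per <form>
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append((a.get("src", ""), a.get("width"), a.get("height")))
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "form":
            self._current_form = []
            self.forms.append(self._current_form)
        elif tag == "input" and self._current_form is not None and a.get("name"):
            self._current_form.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def _host(url):
    # Scheme-relative "//host/path" and absolute URLs yield a host; relative paths yield "".
    return urlparse(url).hostname or ""


def inventory(html, headers, site_host):
    """Return the collection technologies found in one page load."""
    parser = _CollectorParser()
    parser.feed(html)
    findings = {"web_bugs": [], "third_party_scripts": [], "cookies": [], "form_fields": []}

    for src, width, height in parser.images:
        host = _host(src)
        # Assumption: a tiny image fetched from another host is a tracking pixel.
        if host and host != site_host and (width in ("0", "1") or height in ("0", "1")):
            findings["web_bugs"].append(src)

    for src in parser.scripts:
        host = _host(src)
        if host and host != site_host:
            findings["third_party_scripts"].append(src)

    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [part.strip().lower() for part in value.split(";")[1:]]
            # Expires/Max-Age mean the cookie outlives the browser session.
            persistent = any(attr.startswith(("expires=", "max-age=")) for attr in attrs)
            findings["cookies"].append({"name": cookie_name, "persistent": persistent})

    for form in parser.forms:
        findings["form_fields"].extend(form)
    return findings


# Constructed sample page: a first-party logo, a foreign 1x1 pixel, one local and one
# third-party script, and an enrollment form asking for contact details.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" width="120" height="40">
<img src="https://ads.example.net/pixel.gif?u=123" width="1" height="1">
<script src="/static/app.js"></script>
<script src="https://analytics.example.com/track.js"></script>
<form action="/enroll" method="post">
  <input name="email"><input name="phone"><input type="submit">
</form>
</body></html>
"""

# Constructed response headers: one session cookie and one year-long visitor cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "visitor=xyz; Max-Age=31536000; Path=/"),
]


def inventory_sample():
    """Run the inventory over the constructed page as served by www.shop.example."""
    return inventory(SAMPLE_HTML, SAMPLE_HEADERS, "www.shop.example")


if __name__ == "__main__":
    for category, items in inventory_sample().items():
        print(f"{category}: {items}")
```

Each category in the output maps to a sentence the policy must contain: a persistent cookie needs a stated purpose and lifetime, a Web bug or third-party script names a recipient of clickstream data who must appear in the sharing section, and the form fields are the data elements to list under “types of information collected”.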

Privacy policies are evolving in response to customer and legislative pressures. The References and Related Materials list at the end of this article includes links to resources to assist your company with its privacy initiatives and the development of a comprehensive privacy policy.

Practicing Privacy

As an IT professional, you’re on the front line of privacy policy enforcement. Your department has the ability and the responsibility to implement infrastructure changes that protect privacy and provide security.

Implementation of a privacy policy is a cross-company project. An analysis of existing procedures and systems will have to be undertaken to determine the scope of data collection, the uses of data, data sharing, and data security practices. In many instances, additional functionality must be added to Web sites to allow customers to update their personally identifiable data.

Enforcement may challenge the diplomacy skills of IT. For example, if your marketing or sales units or affiliates are accustomed to unfettered access to company data (perhaps through query tools), imposing access and use restrictions consistent with the privacy policy may be met with resistance.
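The “explain sharing practices” item distinguishes customer-specific data from aggregate information (summary information about the customers in total), and the paragraph above describes restricting the query access marketing and affiliates are used to. The following is an added example, not code from the original article, of how IT can enforce both with one small layer: partners receive only an allowlisted set of non-identifying fields, and third parties receive only counts, with any count that describes too few customers suppressed so it cannot be traced back to an individual. The customer records are constructed sample data; the column names, the list of PII columns, and the minimum cell size of 5 are this example’s assumptions (the real threshold is a policy decision).

```python
"""Share customer data only in the forms the privacy policy permits:
allowlisted non-PII fields to partners, suppressed aggregates to third parties.
Added example; records, column names, and the threshold are assumptions."""
from collections import Counter

# Assumption: these columns identify a person and never leave the company.
PII_COLUMNS = {"name", "email", "ssn", "card_number", "account_number", "address"}
MIN_CELL = 5  # assumption: an aggregate describing fewer customers than this is not shared

# Constructed sample data: 12 customers across three states and three plans.
_STATES = ["CA"] * 6 + ["NY"] * 5 + ["WA"]
_PLANS = ["basic", "basic", "basic", "premium", "premium", "basic",
          "basic", "basic", "premium", "trial", "basic", "trial"]
SAMPLE_CUSTOMERS = [
    {"name": f"Customer {i}", "email": f"c{i}@example.com",
     "card_number": f"4111{i:012d}", "state": state, "plan": plan}
    for i, (state, plan) in enumerate(zip(_STATES, _PLANS), start=1)
]


def partner_record(record, allowed_fields):
    """Project one record onto an allowlist of fields for a partner.

    An allowlist, not a blocklist: a new PII column added to the schema later
    is withheld by default instead of leaking until someone remembers to block it.
    """
    disallowed = set(allowed_fields) & PII_COLUMNS
    if disallowed:
        raise ValueError(f"policy does not permit sharing {sorted(disallowed)}")
    return {field: record[field] for field in allowed_fields}


def aggregate_for_sharing(records, group_by, min_cell=MIN_CELL):
    """Count customers per value of `group_by`, dropping cells smaller than `min_cell`.

    Refuses to group on a PII column, since a count per e-mail address is not an
    aggregate at all.  Small cells are folded into one "<suppressed>" bucket only if
    that bucket is itself large enough; a small remainder published beside a known
    total can be recovered by subtraction, so it is dropped instead.
    """
    if group_by in PII_COLUMNS:
        raise ValueError(f"refusing to aggregate on PII column {group_by!r}")
    counts = Counter(record[group_by] for record in records)
    shared = {value: n for value, n in counts.items() if n >= min_cell}
    suppressed = sum(n for n in counts.values() if n < min_cell)
    if suppressed >= min_cell:
        shared["<suppressed>"] = suppressed
    return shared


if __name__ == "__main__":
    print(partner_record(SAMPLE_CUSTOMERS[0], ["state", "plan"]))
    print(aggregate_for_sharing(SAMPLE_CUSTOMERS, "state"))
    print(aggregate_for_sharing(SAMPLE_CUSTOMERS, "plan"))
```

Run on the sample data, the state breakdown reports California and New York but silently omits the single Washington customer, and the plan breakdown reports the basic tier while folding the premium and trial customers into one suppressed bucket of five. Whatever threshold the company chooses, it belongs in the written policy next to the sentence that promises only aggregate data is shared, so that the promise and the query enforcing it say the same thing.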

Some may believe that the obligations of implementing and enforcing a comprehensive privacy policy may be too onerous and may interfere with your department’s mission and goals. Others may believe that policy implementation and enforcement will drain resources needed from other higher-profile—and presumably higher-value—projects. One need only to look at the bigger picture to understand that these responsibilities are concurrent with the mission of IT. The Internet has created a global marketplace in which businesses and consumers can buy product from many sources. In many cases, a competitor may be able to provide higher quality, lower price, or both. Those companies that distinguish themselves with superior privacy protections will likely win the confidence of fickle customers. Without respect for a customer’s expectations of privacy, many businesses will fail to compete in the global marketplace, especially during tight economic times.

Privacy protection is a win-win for IT. Unlike other technology projects, the successful implementation of privacy initiatives can have a measurable effect on customer trust, loyalty, and sales and distinguish your company from its increasing competition.


References and Related Materials

• BBBOnLine (Better Business Bureau) home page:
• Electronic Frontier Foundation home page:
• Electronic Privacy Information Center home page:
• Federal Trade Commission home page:
• Privacy & American Business home page:
• Privacy Council home page:
• home page:
• Privacy Foundation home page:
• Privacy Rights Clearinghouse home page:
• TRUSTe home page: