Privacy protection is the most important benefit a business can provide to its customers and trading partners. Savvy businesses are differentiating themselves by making privacy protection the cornerstone of their customer-centric business models. These businesses know that to shift from a product or market orientation to a customer-centric business model, privacy protection must be an integral part of the way they do business.
Businesses that have made and kept privacy commitments with their customers are rewarded with higher profit, because strong privacy protections instill customer loyalty and trust and can result in lower customer acquisition costs, improved brand reputation, and favorable press.
Understanding the Sources of Privacy
Underlying these privacy protection laws is a simple premise: a person has a reasonable expectation of privacy as a citizen, including while engaging in commerce. The person, under law, is a hypothetical reasonable man, and his privacy expectations are deemed to include protections from unwarranted intrusions into personal matters and protections from unnecessary disclosure and use of private (personally identifiable) information, including financial, personal, or medical data to third parties for unknown uses. Modern-day reasonable men are becoming keenly aware of unauthorized use of their information, even if the information was voluntarily disclosed to the company for another purpose.
Ownership Means the Right to Control
While customers believe they own their personally identifiable data, they also believe they have the right to control the disclosure, use, and dissemination of that information as an incident of ownership. These notions of ownership and control are especially true of personally identifiable information including drivers license numbers, social security numbers, credit card numbers, account numbers, and medical record/billing numbers, which are virtual proxies for their assignees. Given the rise of identity theft, stalking, unsolicited commercial email (spam), and the notorious security weaknesses of some high- profile Web sites, consumers are justifiably concerned about the unauthorized dissemination and use of these critical pieces of information. In response, millions of consumers have taken crude steps to protect their privacy while conducting commerce, including creating junk mail email accounts and populating Web site forms with bogus identity data. Given these consumer concerns, a company committed to practicing privacy must be prepared to afford customers control over their personally identifiable information, including the ability to access and update personally identifiable information that is incorrect.
Opt in vs. Opt out
While the notions of ownership and control seem self-evident, legislatures grappling with privacy protection laws are debating which presumptions should apply when a person
discloses personally identifiable information to a business during a commercial transaction. The opt in versus opt out debate pertains to whether customers are presumed to have opted in to the widespread use of their personal information and must affirmatively act to limit use, or whether the consumer is presumed to have opted out by default and must affirmatively permit (opt in to) any dissemination or use outside the scope of a particular transaction.
While the opt in/opt out debate continues, the presumption of opted in is contrary to the notions of ownership and control that most consumers have regarding their personally identifiable information. From a historical and legal perspective, there is scant support for the view that consumers have opted in to wide disclosure (waived their right to privacy) and must affirmatively assert that right by opting out of disclosure. In law, the general presumption is that a waiver of a legal right will not be presumed and must be either intentional or the product of gross neglect by the person whose rights are affected. With respect to privacy, the law has historically presumed that the context of an event determined a persons reasonable expectations of privacy regarding that event. For example, a customer purchasing fruit at an outdoor market could not have a reasonable expectation of privacy regarding that transaction, while a party negotiating a purchase of a business behind closed doors may have. Given that many Internet purchases are more akin to private, behind-closed-doors negotiations than outdoor public market purchases, businesses should presume that customers have high privacy expectations. Privacy expectations may be raised if encryption is used during the transaction.
Present a general statementMany privacy policies begin with a general statement of principles that the company supports with respect to privacy. A brief statement of policy and principles can go a long way to instill customer confidence and trust.
types of information to be collected on a data element level, a customer can make an informed decision prior to committing to an order. This is especially true of sites that collect significant customer information as a part of an enrollment process prior to placing an order. If your site collects a significant amount of personal information about consumers, this portion of the policy may also explain the use of that particular category of information. State with specificity the types and data elements collected during particular transactions.
Define the ownership of collected informationA statement of ownership will assure customers that your company is not acting as a loss-leader front for a larger corporate entity or direct marketing firm. Identify the collecting company entity and state whether the entity is a subsidiary, partner, or affiliate of any larger entity.
Explain sharing practicesSharing practices are one of the main reasons Congress is taking action to regulate privacy. Carefully consider the ways your company shares information with partners, affiliates, and related entities, and articulate the policy so that customers can make an informed decision regarding their purchases. If your company shares information, articulate which information is shared and identify what, if any, customer-specific (personally identifiable) information is shared and for what purposes. If only aggregate information (summary information about the customers in total) is shared, identify the types of aggregate information shared and the purposes for the sharing.
Discuss the sharing of collected information with third parties (aggregate information)Sharing information with third parties is the most controversial aspect of electronic commerce. While data sharing has been occurring for many years, customers are becoming increasingly sensitive to potential misuses of their personally identifiable information. These concerns are compounded by the ability of modern data warehousing technologies, which can amalgamate data from disparate and third-party sources and compile a complete customer profile, including shopping behavior and lifestyle information. Many consumers are skeptical of privacy practices that permit open sharing of personal information across partners, affiliates, subsidiaries, and related companies. Take time to elaborate your companys sharing policies with third parties, and carefully consider whether sharing information with third parties will undermine your customer-centric focus.
Customers confidence will increase if they know that their information will not become a saleable asset should the company fail or have cash flow problems.
Discuss customer updating of collected personal informationMany of the bills pending before Congress contain provisions that would force companies to permit a consumer to view and update any personally identifiable information kept by a company. Given the rise of identity theft and increasing consumer interest in privacy, most Web sites will need to provide update access to this information. If security precautions are required prior to granting access, identify the security precautions your company will follow before it divulges passwords or permits update access to personal information.
Identify technologies used to collect informationCongress and consumers alike are increasingly concerned with stealthy information collection technologies, including
cookies, server logs, spyware, clickstream data, site registration, Web bugs, and the like. Identify the technologies your site will use to collect information and the purposes for which the information is collected. Explain the use of these technologies in lay terms that an unsophisticated customer could understand.
Opt in/opt out of future campaignsArticulate in detail whether your companys privacy policies assume that customers have opted in or out of promotional campaigns and other uses of their information.
Give a link disclaimerIf your site links to third-party sites, inform customers that your company is not responsible for, nor dictates, the privacy practices in place for those external sites. The same is true for banner advertisements that may be displayed on your site.
Explain data security measuresIf your company uses security mechanisms to protect customer data (for example, Secure Sockets Layer and encryption), articulate those measures in detail. This section of the policy can build customer trust by demonstrating that data security measures are being employed.
Identify company contacts for privacy issuesIdentify the person(s) responsible for handling privacy related issues for your company, and provide complete address and telephone information.
marketplace in which businesses and consumers can buy product from many sources. In many cases, a competitor may be able to provide higher quality, lower price, or both. Those companies that distinguish themselves with superior privacy protections will likely win the confidence of fickle customers. Without respect for a customers expectations of privacy, many businesses will fail to compete in the global marketplace, especially during tight economic times.
Privacy protection is a win-win for IT. Unlike other technology projects, the successful implementation of privacy initiatives can have a measurable effect on customer trust, loyalty, and sales and distinguish your company from its increasing competition.
REFERENCES AND RELATED MATERIALS
BBBOnLine (Better Business Bureau) home page: www.bbbonline.com
Electronic Frontier Foundation home page: www.eff.org
Electronic Privacy Information Center home page: www.epic.org
Federal Trade Commission home page: www.ftc.gov
Privacy & American Business home page: www.pandab.org
Privacy Council home page: www.privacycouncil.com
PrivacyExchange.org home page: www.privacyexchange.org
Privacy Foundation home page: www.privacyfoundation.org
Privacy Rights Clearinghouse home page: www.privacyrights.org
TRUSTe home page: www.truste.com