Avoid pitfalls when implementing privacy policy statements

Developing a privacy policy statement is more than just a promise to the user. It's also a contract that brings along with it legal obligations. Bruce Spencer explains why this is an area that should not be taken lightly.


Privacy statements are quickly becoming the cornerstones of e-commerce Web sites. These policy declarations are designed to quickly provide visitors with information on how personal data is secured and used.

To counter the negative attitude toward information gathering, companies are posting privacy policy statements that detail how they use information gathered on Web sites. In surveys, Internet users overwhelmingly respond favorably to privacy statements, which makes privacy statements seem like an automatic plus for the vitality of Web sites. In fact, 65.7 percent of Web sites now include a privacy statement, according to The Georgetown Internet Privacy Policy Study. But CIOs must look past the panacea of privacy statements and also weigh the negative attributes of these online documents.

Decisive implementation
Implementing a privacy statement is not a step that CIOs should take lightly. On the Internet, a privacy policy statement is nothing less than an extremely public legal document and a contract with the consumer. Many companies who wouldn’t think of making public their general company operating policies have posted privacy statements that commit them to how, when, where, and what data they will use from the site. Obviously, the importance of customer data mining in today’s breakneck Internet markets makes access to the right data imperative. Before you implement a privacy statement, there are several factors you’ll want to consider.
  • First, if your company has already established a Web site, think about involving your audience by running a privacy survey before you commit to a policy. The opinion of market-specific Internet audiences can vary widely, but most Internet users are open to straightforward requests for information—as long as the information is used only by the company.
  • Next, as you construct a privacy statement, make sure you look at the policy content from different points of view. You will, of course, need to protect your company’s information needs. At the same time, you’ll need to address your customers’ needs without making unreasonable promises. Read the privacy statement as if you were a first-time visitor to the site and ask yourself if you’d trust the statement. This focus on intent will improve the statement’s effectiveness.
  • When your privacy statement is ready, have it evaluated by a qualified lawyer. Also consider talking with an organization that can brand your site with a seal of approval (for example, The Better Business Bureau and TRUSTe).
  • And if your company is playing hardball with the big boys, you might even consider contacting a major accounting firm like PricewaterhouseCoopers or the American Institute of Certified Public Accountants. (You should expect to pay a considerable amount for this last type of evaluation. But, as Electronic Frontier Foundation president Tara Lemmey has been quoted as saying, "If you look at it as mission-critical to reduce liability for customers and investors, it's really not that much.")
  • In addition, you should be forewarned that an evaluator’s report might require a rework of the privacy statement, a redesign of the company Web site or database, or even a reorganization of the company. So make sure you do the homework before the evaluation, and then keep an open mind.

Stick with the contract
The main pitfall of any privacy statement is a failure to meet its policies. A privacy statement breach occurs when a company expressly states that it will only use information in a particular manner and then does otherwise. Breaking a privacy policy statement can result in two significant problems: the loss of site visitors and the possibility of lawsuits. A simple case study explains why breaking a privacy statement can be so devastating.

In August 1998, GeoCities settled with the Federal Trade Commission in the first case of privacy violation handled by the U.S. regulatory agency. GeoCities' violation consisted of misrepresenting the purpose for which it was collecting personal identifying information from children and adults. In this case, GeoCities lost twice: The company had to pay for litigation, and the Web site reportedly lost 15 percent of its customer base as a result. (For more information on this case, see the InternetWorld article "GeoCities Settles Dispute With Feds Over User Privacy".)

The common use of privacy statements is, as yet, only one to two years old, so all the possibilities are still being discovered. The FTC’s case with GeoCities is one type of legal action; another type that hasn’t occurred yet is a class-action lawsuit. But the Internet’s user base makes it only a matter of time before a class-action suit destroys an otherwise successful company. The job of every CIO is to make sure that his or her company is never involved in such a suit.

Additional resources
Online Privacy Alliance

TRUSTe

The Privacy Page

PrivacyTimes.com

Yahoo!’s Privacy Policy page

TRUSTe’s Privacy Statement Wizard

Bruce Spencer is a freelance technical writer who has been working in the information industry since 1983 and writing about the Internet since 1995.
