As electronic documents and online data sharing dig a firm hold in the way enterprises approach commerce and internal processes, and as more users jump online for everything from tax filing to education, the issues surrounding online privacy have taken center stage in the past few years.
In a series of articles, I'll examine the pertinent customer privacy issues that CIOs need to be familiar with, outline why enterprises need to pay more attention to these issues, and offer tips and insight on how best to ensure data integrity and implement protection mechanisms.
Why CIOs should be more than just concerned
Companies that show little concern, or even demonstrate negligence, in maintaining customer privacy leave themselves open to the possible loss of customer loyalty and harm to the organization's public image. As a recent TechRepublic article, "Customer data privacy issues gaining ground," points out, these issues have propelled privacy concerns to the forefront of every enterprise. The debate, while ignited by Internet security concerns, is also affecting longstanding technologies such as phone services, as Gartner points out in a recent IT Debate column, "Debate swirls over control of customer data."
Second, companies have to abide by existing privacy laws and many more in the works. Failure to comply can result in civil and criminal penalties. Security and information breaches are prompting lawsuits from outraged users.
TechRepublic members tell us that privacy policies in their organizations are changing in response to these new pressures. In a TechRepublic poll, slightly more than half of the respondents reported that they have revamped privacy policies or are planning to revamp their policy in response to increasing concerns.
Mapping out the many issues
The first step in planning how you will handle customer privacy is to understand the current body of issues. These concerns can be categorized in the following areas:
- Deceiving customers: Many of these issues focus on privacy statements, or the lack of privacy statements. A privacy statement tells your customers how their personal and private data will be handled. This includes contact information as well as buying and use patterns. Companies have been found in the wrong if their privacy statements contained misleading information, the companies failed to live up to the privacy statement, or if the company provided inadequate disclosure about how data was collected or used.
- Handling children's information: There's great concern about how companies collect, maintain, and use information from children. Any site that caters to children 11 or under has to follow guidelines outlined in the Children's Online Privacy Protection Act (COPPA). For instance, collecting personal data from children may require parental consent. You can get a variety of information on this topic from the Federal Trade Commission's Kidz Privacy Web site.
Our series on privacy concerns won't be complete without input from TechRepublic members. Send us an e-mail and tell us how you're dealing with privacy issues and which tools you've chosen to use.
Some industries under privacy mandates
When it comes to collecting, storing, and sharing medical data, the privacy debate hit a fevered pitch in the past year.
The government has mandated that enterprises—including health care providers, insurance companies, and health care facilities—prove they're securing and protecting the confidentiality of patient data. The Health Insurance Portability and Accountability Act (HIPAA) addresses several other issues. For example, databases maintaining patient records can't be accessed through the Internet without appropriate security measures, such as using the Secure Sockets Layer (SSL) protocol to protect data transmission. To get more information on HIPPA, go to the Centers for Medicare and Medicaid Services website.
Health care isn't the only industry under the microscope. There are a slew of other issues to consider.
- Sharing customers' financial data: Financial institutions are allowed to share personal customer information to some degree. Enterprises can share a customer's payment history with other financial institutions for some specific purposes—for example, the customer may have applied for a loan at another financial institution. However, consumers have a right to some degree of privacy. A financial institution must notify consumers about how it plans to collect, use, and share their personal information. If it intends to use the information outside of the expressed bounds of federal law, consumers must be allowed to "opt out," or refuse to allow the information to be used. The two key federal laws to understand are The Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. You can get additional information on these laws at the FTC Privacy Initiative site.
- Profiling customers online: Profiling customers is a longstanding practice of businesses, marketers, and advertisers. The general concept behind profiling is to identify characteristics of consumers that will determine what their needs are and predict what their behaviors might be—most often, what they will likely buy. While this is a great concept for businesses, consumers often are concerned about how this information is collected and used. In 2001, there was a strong push for legislation in this area. Ultimately, the Network Advertising Initiative (NAI) proposed guidelines that were accepted by the FTC in lieu of formal legislation. These guidelines allow business and industries to police themselves. For further information, visit the NAI site.
- Cookie use: As users visit a Web site, cookies often are placed on their systems to gather information, such as the pages they visit on the site. The next time a user visits the site, the cookie can help the site's owner personalize information for the user (think Amazon.com), provide assistance in buying choices, and track popular Web pages. In addition to this fairly common technology, which can be blocked by standard Web-browsing clients, some sites employ more intrusive technologies, such as spyware. Spyware programs actually install themselves on a user's system and continually send data to a server about the user's surfing habits. It is used for marketing and advertising purposes, but obviously can be used for nefarious purposes as well. Neither cookies nor spyware are illegal (how they are used might be), but obviously, any kind of monitoring software might concern your users.
There will always be a struggle to balance privacy with other factors, such as the public good and the right of businesses to earn money.
In this struggle, businesses still have to satisfy their key stakeholders—investors, customers, and the community. The question is: How do we best accomplish this? In my next article in this series on privacy concerns, I'll explore some of the best practical methods for managing customer privacy and a few tools that will make the job easier.