Privacy statements are quickly becoming the cornerstones of e-commerce Web sites. These policy declarations are designed to quickly provide visitors with information on how personal data is secured and used.
- First, if your company has already established a Web site, think about involving your audience by running a privacy survey before you commit to a policy. The opinion of market-specific Internet audiences can vary widely, but most Internet users are open to straightforward requests for information—as long as the information is used only by the company.
- Next, as you construct a privacy statement, make sure you look at the policy content from different points of view. You will, of course, need to protect your company’s information needs. At the same time, you’ll need to address your customers’ needs without making unreasonable promises. Read the privacy statement as if you were a first-time visitor to the site and ask yourself if you’d trust the statement. This focus on intent will improve the statement’s effectiveness.
- When your privacy statement is ready, have it evaluated by a qualified lawyer. Also consider talking with an organization that can brand your site with a seal of approval (for example, The Better Business Bureau and TRUSTe).
- And if your company is playing hardball with the big boys, you might even consider contacting a major accounting firm like PricewaterhouseCoopers or the American Institute of Certified Public Accountants. (You should expect to pay a considerable amount for this last type of evaluation. But, as Electronic Frontier Foundation president Tara Lemmey has been quoted as saying, “If you look at it as mission-critical to reduce liability for customers and investors, it’s really not that much.”)
- In addition, you should be forewarned that an evaluator’s report might require a rework of the privacy statement, a redesign of the company Web site or database, or even a reorganization of the company. So make sure you do the homework before the evaluation, and then keep an open mind.
Stick with the contract
In August 1998, GeoCities settled with the Federal Trade Commission in the first case of privacy violation handled by the U.S. regulatory agency. GeoCities’ violation consisted of misrepresenting the purpose for which it was collecting personal identifying information from children and adults. In this case, GeoCities lost twice: The company had to pay for litigation, and the Web site reportedly lost 15 percent of its customer base as a result. (For more information on this case, see the InternetWorld article “GeoCities Settles Dispute With Feds Over User Privacy.”)
The common use of privacy statements is, as yet, only one to two years old, so all the possibilities are still being discovered. The FTC’s case with GeoCities is one type of legal action; another type that hasn’t occurred yet is a class-action lawsuit. But the Internet’s user base makes it only a matter of time before a class-action suit destroys an otherwise successful company. The job of every CIO is to make sure that his or her company is never involved in such a suit.
Online Privacy Alliance
Bruce Spencer is a freelance technical writer who has been working in the information industry since 1983 and writing about the Internet since 1995.