Discretion and Disclosure: The Keys to a Net Privacy Policy
With consumer-privacy groups on high alert and governments all over the world
threatening regulation of commercial Web sites, a small business should give
serious thought about the information it collects, uses, and distributes online.
It should be paying particular attention to how users themselves, many of whom
distrust computers, perceive the site's attention to privacy. A site that
misuses customer information will quickly tarnish its reputation, with word of
the indiscretion spreading widely via E-mail, electronic newsgroups, and
privacy-alert Web sites.
Here are just a few situations where a privacy policy -- or lack of one -- comes
into play:
- If your Web site requests personally identifiable information (any
information used to pinpoint a person, such as a name, address, or telephone
number)
- If it collects data on visitors' purchasing or browsing habits
- And especially if it accepts credit-card or any other financial information
A few recent examples show how powerful negative publicity can be. In July,
America Online announced that it would sell the telephone numbers of its
subscribers (provided on initial signup with the service) to telemarketers.
After a loud public outcry, AOL backed down. In another case, Onsale.com, a
well-known Web site devoted to online auctions, got embroiled in a
privacy-related fracas when it admitted that it harvested E-mail addresses of
the customers who used eBay.com, one of its major competitors, and sending the
users E-mail promoting Onsale.com's services. Subsequently, eBay announced that
it was reconsidering making E-mail addresses public, and Onsale.com itself
announced that it would take positive steps to protect its own users' private
information from capture. Similar (and largely unfounded) fears about online
credit-card fraud have dampened consumers' use of the Internet for retail
purchases. Over 46% of Net users still say they find Web security insufficient,
according to a World Research Inc. survey.
Government and industry groups are growing increasingly interested in online
privacy, and they're making noise about passing new limits, particularly in
situations regarding children. The Federal Trade Commission has held several
conferences on childrens' online privacy, promising legislative action unless
private industry agrees to acceptable self-regulation. Meanwhile, the FTC
announced plans for a "systematic review of Web sites' information-collection
practices in March, 1998, to report to Congress on the extent to which Web
sites, including children's Web sites, are posting privacy policies."
The Better Business Bureau's Children's Advertising Review Unit (CARU) has
recently updated its long-standing guidelines for advertisers to include
new-media concerns. The CARU guidelines, which are voluntary, can be found
online at www.bbb.org/advertising/caruguid.html.
What can a small business do to protect and honor users' legitimate privacy
needs, while still collecting online information that is not only necessary for
business but may also have value on its own? The brief answer is a combination
of discretion and disclosure. Discretion means that a site should be careful
only to collect the private information it finds truly necessary. Discretion
means that the site, once it collects the private information, should take
industry-standard precautions to keep it out of the wrong hands. For example,
any site collecting credit-card or other sensitive information should install
Secure Socket Layer encryption technology, developed by Netscape Communications
Corp. and now built into most browsers (including Microsoft's Internet
Explorer), to automatically scramble the transmission and prevent interception.
If the business itself is not technically sophisticated enough to operate an
SSL-capable server, it can outsource this task to the company responsible for
hosting the site or to a dedicated transaction-processing company.
The site owner should also ensure that users do not casually place private
information in public view, since any problems arising from that placement could
be blamed on the site owner. For example, General Motors' Saturn division, in a
previous version of its site, had an "Extended Family" section in which people
were encouraged to publicly post private information (from the car they owned to
their age and location to occupation and spouse's name). There were no obvious
disclaimers about the risks of making the information available. Beyond being a
great source of data for competing car companies (which could learn when leases
would expire), it had real potential for abuse by criminals who might
impersonate or defraud those whose information was posted. If someone have been
injured as a result of information posted on this site, it's certainly possible
that Saturn could have been blamed for failing to warn people about the
potential danger.
Discretion also means being smart about how you use information you legitimately
assemble. You may get the urge to send daily promotions to every E-mail address
your site collects. But Netizens are easily annoyed, and a stream of advertising
E-mails is not likely to win friends. If you choose to send promotional E-mails,
try to send them only to users who have expressed specific interest in receiving
them, and make it very easy to unsubscribe either through a simple form on the
Web site or an E-mail address.
One other note: While some direct marketers will claim that their bulk E-mail
lists are composed of both qualified and interested consumers, these lists are
often simply harvested from public sources. Using them will generate only more
bad will for your company. Don't buy them.
The counterpart of discretion is disclosure. Whatever personal information is
being collected by your site and however you plan to use that data, be sure to
tell users about those plans up front. Often this is as simple as posting "we
are collecting this information for our own use and will not release it to
anyone." But sometimes this may include letting people know that their names may
be shared with other companies. Currently, the general practice whenever
detailed personal information is collected is to provide users with an "opt-out"
checkbox to block the selling of information or the sending of promotional E-mails.
While privacy advocates have proposed mandating "opt-in" instead (so that only
those users who expressly grant permission can be mailed or have their names and
addresses shared), this has not been uniformly required. For now, industry
self-regulation is viewed as a reasonable alternative to government involvement:
Groups such as TRUSTe (www.truste.org) are developing privacy-policy
audits, while a high-profile online industry consortium is developing the Open
Profiling Standard to permit standardized disclosure and control of information
by users (see developer.netscape.com/ops/ops.html for details), and the
World Wide Web Consortium (the overall standard-setting body of the Web) has
proposed a Platform for Privacy Preferences (see www.w3.org/P3P/).
Remember, be sensitive not only to users' fears about the misuse of personal
information but also to the genuine cost and inconvenience that can be
associated with "junk mail" and the actual risks if criminals gain access to
private data about individuals. By taking care to act responsibly and informing
your customers of what information you are collecting and how it will be used,
you will discourage burdensome and overreaching government regulation. And
you'll build a friendly Internet presence for your business. As commerce
continues to move to virtual storefronts, that could mean the difference
between customers who trust you and a large number of noncustomers who don't.
By Jonathan I. Ezor
Ezor (jonathan.ezor@poppe.com) is director of legal affairs for Poppe Tyson
Inc., a global strategic interactive-services company based in New York City.
The opinions expressed here do not necessarily reflect those of Poppe Tyson or
its affiliates
To: TECHNOLOGY
|
