TECHNOLOGY

3.11.99  
Promise Them Privacy — Then Keep Your Word
Warning: The FTC considers disclosure policies binding — but there's help for writing them

Call it a digital search party. For a week in mid-March, Georgetown University business professor Mary Cunlan and her posse of 20 graduate students are fanning out across the Internet. Their mission: To see how many of the companies they survey disclose what they do with visitors' personal information.

Such disclosures -- called information-use or privacy policies -- have become a hot issue for Web companies, small and large. Technology companies are devising ingenious ways to track and store data people disclose -- sometimes unwittingly -- as they roam the Net, information that can give small companies a much-needed edge as they compete with each other and big rivals. And technology is now also being used to assist sites in preparing privacy policies.

But consumers are increasingly concerned. On the hard-to-regulate Net, privacy policies are one of the few bulwarks against unauthorized exploitation of personal information -- the Federal Trade Commission has vowed to charge sites that don't honor them with deceptive business practices. Still, privacy policies are only a form of self-regulation.

RULES OF THE GAME. Web businesses have displayed a tin ear for the issue. Last June, the FTC found that 85% of over 1,400 sites surveyed collected personal information, but only 14% disclosed what they did with it. "People need to trust [sites], and they are not going to trust them until they're told the rules of the game," says Cunlan, who has studied consumer privacy and business for a decade.

Her $60,000 study, which will examine 300 randomly picked destinations from the 7,500 most-visited spots on the Web, is the latest, private-sector extension of "surf days" run by the FTC. Some of the Web's biggest names, such as Walt Disney and America Online, now dutifully post their policies. Still, the bulk of smaller Web publishers and merchants, perhaps unaware of the FTC's rumblings, have done nothing. If surveys such as Cunlan's show that most Web sites aren't cooperating, more stringent regulation will surely follow. "We haven't made any distinctions between larger and smaller businesses," reminds Dana Rosenfeld, the FTC's assistant director, Bureau of Consumer Protection.

Fear has moved the Web giants to try to convince smaller colleagues of the need for privacy policies. Sensing the importance of this issue, Microsoft has gotten into the game, adding an online tool to help users write privacy policies to LinkExchange, a Microsoft promotional service for small businesses. The privacy policy "wizard" is licensed from TRUSTe, an independent group that monitors and verifies how Web sites use personal information online.

The LinkExchange tool is only in testing. However, Frontier Online test-drove a similar Web-based privacy-policy generator available directly from TRUSTe (www.truste.org). Here's how it works:

The generator's structure is simple: It asks you a series of questions and then builds the answers into a full privacy policy. It isn't a passive process, admits TRUSTe spokesperson Anne Jennings. "It doesn't come out perfect, but as a first draft," she says. Indeed, the final text is loaded with incomplete paragraphs and questions. "Every single paragraph had to be amended," says Jeff Endemann, vice-president of Erielink, a Cleveland Internet service provider who used the TRUSTe generator. His final assessment: "It's a nice way to at least get started."

GRID WORK. The first screen is the easiest to complete -- simply fill in contact information such as name, address, and E-mail. Things get fuzzier once you get to the second screen, which asks about a site's data-collection practices. The page is filled with a giant grid, in which users check off what type of information they collect and how they do it. For example, does a site demand personal information from a registration form, or ask for demographic data when conducting a contest? There are 25 different options here, and they tend to be confusing because TRUSTe doesn't define the terms, nor does it show examples of other successful privacy policies. That may prove frustrating for operators of many small Web sites, who may not be up on the latest E-commerce slang.

The third screen -- "Collection Details" -- gets into the nitty-gritty: Just how do you use Social Security numbers? To whom do you sell aggregated personal information? Does your site put "cookies" on visitors' hard drives? It takes a keen knowledge of the Web operation to answer the questions. Introspection is, of course, one of the purposes of the tool. "This is a good way to ask the right questions," says TRUSTe's Jennings.

The TRUSTe tool is unequivocal, though, about some points: It strongly reminds users about the FTC's Fair Information Practices, rules that let customers change or remove personal information from a third-party database. That's why TRUSTe requires policy writers to provide a contact name or address for site visitors wishing to "opt-out" of any data sharing the site may do with third parties. Of course, you could easily delete these sections before posting the policy online. But if you follow the TRUSTe model, be sure to make arrangements to honor those opt-out requests.

Keep in mind: Once you post a privacy policy, you're open to FTC legal action if you're found misleading consumers. That shouldn't scare you from writing one, says Jennings, but you should have a lawyer review your policy before you post it. "If companies misuse information, they're going to have trouble," says Bruce Ackerman, E-commerce manager at Orem (Utah)-based MyFamily.com, which ran its privacy policy by an attorney before posting it this January.

Free tools like TRUSTe's lend a much-needed helping hand to the well-intentioned. Yet, until software can automate business scruples, site operators will have only their good consciences to guide them -- something that won't be lost on consumers wondering whether it's safe to give their credit-card numbers.

By Dennis Berman in New York dennis_berman@businessweek.com

Copyright 1999, by The McGraw-Hill Companies Inc. All rights reserved.