Online entrepreneurs have a problem: Consumers will shun Net companies that misuse their personal information, but in the virtual world, it's hard to tell the good guys from the bad.

What's an honest Net business to do? You can vouch for yourself. Post a statement on your site saying what you do with information you glean from customers. It has legal weight -- the Federal Trade Commission considers such statements formal commitments and can sanction violators for unfair trade practices.

Alternatively, get someone else to certify your good intentions with a privacy seal. A Web site boasting such an emblem reassures consumers that the site safeguards their data. Two well-known organizations offer them seals: Truste and the Better Business Bureau.

That does sound like the right thing to do. But are privacy seals worthwhile? They cost up to $5,000 a year, depending on your business' size. For no charge, you can download guidelines for drafting a privacy statement that covers the issues worrying consumers. One even comes from Truste. Microsoft's small-business service LinkExchange will soon offer one, too.

Privacy-seal programs are mainly selling their "brand" of business integrity. For 87 years, the BBB has been the standard-bearer for reliability and a vehicle for consumer complaints. Truste, an upstart founded in 1997, has already built a solid reputation as privacy watchdog for online businesses.

Here's what each offers. Truste's annual charges range from $299 to $5,000 for its seal. It has about 600 licensees, ranging from Microsoft to virtual mom-and-pops. Companies first download a 12-page licensing agreement from Truste's site. Among other things, site operators agree to disclose all information-collection practices. Companies must also let consumers refuse the use of their personal data for marketing. And they must keep information in a secure database. Companies then mail in the signed agreement, along with any privacy statement.

Truste then sends you a 14-page questionnaire asking about your information-collecting practices. If your company doesn't have a privacy statement, you must write one now. Truste directs you to its free online privacy wizard to help draft the statement.

After reviewing your submissions, a Truste representative tells you what needs fixing to meet the organization's standards. The process can take a couple of months, depending on how quickly you make changes. Once you pass muster, Truste E-mails you its insignia and a special "click to verify" mark, which takes consumers to Truste's secure servers, where they can read about your company's standing.

The process doesn't end there. Truste does at least two annual spot checks. Compliance officers, posing as consumers, visit the site to see if you honor your promises. If your privacy policy says consumers can refuse marketing E-mail, but you send it to them anyway, you'll hear from Truste. Should an investigation show you violate your policy and don't clean up your act, Truste will take its seal away.

The Better Business Bureau is a relative newbie in the area of Web ethics. It came out with its privacy seal in March. For the past two years, however, it has offered a "reliability seal" that businesses with a bricks-and-mortar presence can put on their Web sites, signifying that companies follow the BBB's general ethical business practices. The 135 local BBBs in the U.S. give reliability seals to companies that meet their standard after a personal visit. Currently, about 3,000 businesses display the seals on their sites.

The BBB's privacy seal has only 14 licensees so far, including Dell Computer Corp. and the credit bureau Equifax. But the BBB says several hundred companies have applied. BBB's annual fees are cheaper than Truste's -- between $150 and $3,000. Businesses send a short application and the fee. Next, they fill in a 15-page online privacy questionnaire (www.bbbonline.org), much like Truste's.

One difference: Applicants for the BBB seal will find no interactive guide to help them write one, just a sample they can use as a template. After you complete the questionnaire and submit your privacy statement, a BBB compliance staffer contacts you about changes. Once you've met BBB standards and signed the licensing agreement, the BBB sends its seal and "click to verify" mark. Like Truste, BBB does spot checks, but won't say how many per year. It will also revoke its seal for noncompliance.

A key facet of both programs is dispute resolution. If a consumer and business can't come to terms themselves, they investigate and determine who's at fault. Truste's decisions can be appealed to mediators at PriceWaterhouseCoopers or KPMG International. BBB says it's still forming its appeals board. The mediators also intervene if a business disputes changes Truste or the BBB demand to ensure privacy.

As a last measure, the watchdog groups can report a business that violates its privacy policy to the FTC for deceptive business practices. Truste says it has never referred any of its seal-holders to the commission.

As it does for conventional businesses, the BBB has decided to make complaints against its privacy-seal holders public -- they'll be posted quarterly on its Web site. Truste says it won't make complaint records public. "We always respond to whoever has lodged the complaint until that person is satisfied," says Anne Jennings, a Truste spokeswoman.

Studies suggest that privacy seals do reassure skittish consumers. AT&T Labs-Research recently released a late-1998 poll which showed 58% of the 381 U.S. Internet users it surveyed were more likely to give personal information to Web sites with both a privacy policy and a privacy seal. Only 28% said they would disclose data to sites that have neither. The findings dovetail with Boston Consulting Group's online poll of 15,000 Internet users last year, which found 63% abandon half the sites they visit when the sites don't disclose how they'll use personal information.

But not everyone is convinced of the value of seal programs. Jason Catlett, president of Junkbusters Corp., a Green Brook (N.J.) privacy protection Web site, believes Internet businesses use privacy seals to deflect moves in Congress to pass legislation protecting consumers against abuse of private information. "The seal programs are a direct response to the demand from public and Congress for real legal protections of privacy rights online," he says. "And to the extent that they manage to stave off legally enforceable privacy rights, they are doing the American public a disservice." Catlett adds that privacy seals would be more effective if strong Federal statutes existed for online privacy.

In March, Catlett filed a complaint with the FTC against Truste, saying it did not properly investigate privacy infringements by Microsoft Corp., a Truste member and financial contributor. Catlett's complaint said Microsoft's online registration process for Windows 98 generates a secret hardware identification number that Microsoft can use, among other things, to gather marketing information.

Truste says it did not reprimand Microsoft because the identification numbers had nothing to do with the Microsoft Web site. "Our due diligence was the most extensive of any investigation that we have done," says Susan Scott, the former executive director for the Cupertino (Calif.) group.

Catlett and other privacy experts recently wrote a letter to the BBB challenging its decision to grant Equifax a privacy seal. They say that an FTC investigation showed the credit bureau had a long history of violating the Fair Credit Reporting Act. The FTC says it had charged the company with "failing to assure the maximum possible accuracy of the consumer credit information it compiles and sells nationwide." Equifax, which settled the charges without admitting to any violations, says it was already in compliance with the FCRA by the time of the 1995 settlement. The BBB responded that its seal procedure only looks at the current privacy standards of companies online.

Some also say the BBB creates confusion with its two seals. Michael Rembisz, president and owner of Accutek Computers, a computer systems company in Winston-Salem, N.C., has had the Better Business Bureau reliability seal for two years. He has also posted his own privacy policy on his Web site. "If the business upholds the rules and regulations that the BBB has set down to be a member, they are already honoring ethics," he says. "Before you know it, you will have a Web site with 42 different seals." That would be overkill. But until Web companies do a better job of safeguarding privacy -- or Congress intervenes to make them do so -- skittish consumers will look for reassurance that business in this ephemeral medium can be trusted.

By Jeremy Quittner in New York
Jeremy_quittner@businessweek.com

To: TECHNOLOGY