Privacy Policies: Cut the Mumbo Jumbo


By Jane Black

Kathy Davis needs a job -- but not badly enough to make her feel comfortable with recruiting firm Robert Half International's (RHI) privacy policy. In exchange for shopping her résumé around the Spokane (Wash.) area, Accountemps (a division of RHI) wants "perpetual, nonexclusive, irrevocable, royalty-free worldwide license and right...to use, copy, modify, display, distribute, download, store, reproduce, transmit, publish, sell, resell, adapt, create derivative works in any manner [with the information]...forever and worldwide."

RHI executives insist they won't use Davis' -- or anyone else's -- information for nefarious purposes. Reesa Staten, vice-president for corporate communications at RHI, says personal information collected on the Accountemps site is viewed only by staff or potential employers the candidate expresses interest in working for. O.K. -- so why doesn't the company come right out and say that? According to Staten, the policy is "necessarily broad" because it is written to apply to all of RHI's corporate divisions. "It's a fairly standard policy," she says.

LEGAL COVER. Sadly, that's true. Most U.S. businesses that have privacy policies still don't tell you how your data will actually be used. "I call it the big legal-umbrella strategy," says Michael Beresik, national director for PricewaterhouseCoopers' privacy practice. "These policies are designed by attorneys to give companies the greatest possible latitude to gather and share information inside and outside the company. It covers them for anything they do or might conceivably do down the road."

Let me make it clear: I have absolutely no reason to believe RHI is abusing customer data, and I'm positive the company doesn't intend to. But if it -- and the legions of companies that have similar all-inclusive privacy policies -- has no intention of sharing or selling customer data, why not just say so? RHI is consistently rated one of America's most admired companies by Fortune, yet it makes no apology for not telling customers specifically what it does -- or doesn't do -- with their data.

At present, only certain business sectors, such as financial services, are required to regularly alert customers about their data-collection practices. E-commerce companies, too, are required to post privacy policies, though they don't have to tell customers if and when the policy changes. Recruiters, on the other hand, aren't required to advise customers about their policies. And many companies that do have privacy policies are assuming that most people don't really read them, says Larry Ponemon, CEO of the Privacy Council, a Dallas-based consultancy that advises corporations on privacy and business ethics. "Hence, there is little consequence for them if they take a 'user beware' position," he says.

"WE CAN DO BETTER." Remember the privacy notices mailed by financial-services companies to U.S. consumers last summer in accordance with the federal Gramm-Leach-Bliley Act? "Acres of trees died to produce a blizzard of barely comprehensible privacy notices," Federal Trade Commission Chairman Timothy Muris said of the letters in an Oct. 4 speech. "Indeed, this is a statute that only lawyers could love -- until they found out it applied to them. We can do better."

He's right. According to Beresik, companies are experimenting with ways to make privacy policies legally compliant and consumer-friendly. Some are providing "executive summaries" of the legalese that allow consumers to get a sense of what companies do with data. If that raises a red flag, they can read the full policy for more detail. Others are working on creating a standard notice, sort of a nutrition label for privacy. But privacy isn't quantitative, so it's hard to imagine how a standard label would read.

How about just making it simple? Compare the policy of Express Personnel Services, an Oklahoma City-based staffing agency with more than 400 branch offices around the world, to that of Accountemps: "The information you provide when applying for a job online is kept confidential. The information is only viewed by Express employees and employees of Express affiliates. The information is never sold to or traded with outside companies and will only be used for the purpose of job placement and demographic information."

SMART BUSINESS. Bea Battistoni, Express Personnel's vice-president for strategic initiatives, says the policy is easy to understand because it wasn't written by lawyers. "The legal department is not involved in the writing -- though they do look over it to make sure we don't do something crazy," she laughs. "We set our policy based on what's fair for the customer. We think that will bring us business."

Many companies are doing what Express Personnel has done. Too bad more businesses don't realize that such an approach is not only good for the public but good for them, too. Companies shouldn't hide behind legalese and throw around words like "forever."

What they should do is write privacy policies that demonstrate a commitment to managing personal data in ways that protect the consumer, not in ways that give companies legal cover to profit from their customers' personal data. Privacy policies of U.S. corporations ought to commit to making clear what they will do -- not what they might-possibly-could-someday do.

Black covers privacy issues for BusinessWeek Online. Follow her twice-monthly Privacy Matters column, only on BusinessWeek Online.

