22.4. Writing Your Online Statement
While each company has its own culture, practices, and economic situations, little is to be gained by providing customers with a lengthy discussion of developing the details of your internal policy. But the external statements we make to our customers are a different story. We will focus on developing your online privacy statement because the more we can use a standard framework for communicating our policies, the easier it will be for customers to understand what they need to understand. The online statement is critical because so many customers are particularly concerned about releasing their personal data over the Internet. If you have uncovered some areas where you are particularly vulnerable since you first created your internal policy, you can include information in the online statement about which areas you are working to improve. The goal is to write a true statement that is clear and complete, so you earn your customers' trust and get them to trust you with more of their online business and personal information.
The online statement should be created with the following points in mind:
Outline your company's commitment to respecting the privacy rights of your customers. Follow through on your promise with your actions. Make your privacy statement easy to find. Providing a direct link from your home page (and preferably from every page on your standard navigation banner) is a strong statement.
Organize your statement around the five key elements. Including these elements will ensure that you have thought about all the issues you need to cover, and it will help educate your customers as to what they should look for in a privacy statement.
Use simple, clear language. If your privacy statement reads like your Terms and Conditions document, then you have missed the boat (that is, unless your Terms and Conditions are also very easy to understand, and then you're way ahead of the game).
Provide an easy way to contact your company if a customer has concerns or questions about the privacy statement. Don't forget that you have to respond! This is a very sensitive issue with some customers. If they took the time to raise an issue or concern, you better follow up – or you've lost that customer plus everyone else he can influence.
Speak the truth. If you can't do it, don't say that you do. Nothing reduces trust quicker than a broken promise.
Include a date. This lets the customer know that privacy continues to be of current importance to you (at least as long as the date isn't two years old). It also lets customers know that your policies are active and will evolve over time.
There are some “privacy statement generators” available on the web that can also help you develop an online statement. I haven't found one that really creates a simple, readable, and understandable document that is organized around these five principles. However, these tools offer another good way to get started. Generator programs ask a series of questions about your information collection and management practices, and then produce a document that summarizes your responses. You can find a good example of a generator at the Direct Marketing Association web site:
You can also use existing privacy statements to help you create your own. You can easily find examples on your own, but I've listed a few here that cover a wide range of formats and content (from May 2001). I recently checked and some have been improved, but many are just the same.
Sony Corporation of America: Sony has imbedded its statement in its Terms and Conditions. Up until recently Sony's privacy statement included a single paragraph on children's privacy in addition to the paragraph quoted below.
Privacy Policy
This web site, including any subsite accessible through the homepage, (the “Site”) is published and maintained by subsidiaries, affiliates and/or related entities of Sony Corporation of America (“Sony”). You can e-mail us at [email protected]. When you enter any subsite accessible through this homepage, such subsite may have its own privacy policy, which is specific to such subsite. When you access, browse or use this Site you accept, without limitation or qualification, the terms and conditions of any privacy policies set forth in any subsite.
While the intent was clear, would this statement inspire your confidence? Happily, Sony has significantly updated its online privacy statement to cover the basic principles though it is still imbedded in the Terms and Conditions section.
Sun Microsystems: Sun has done a good job keeping its statement simple and organizing it around most of the basic principles (excluding oversight). This is a sound effort to get started and to honestly describe what they do and what they're working on. They also include a date on their statement. Unfortunately, this date is almost three years old! Does this feel like an up-to-date policy?
Amazon.com and Visa: Both of these companies have easily understandable statements organized around the basic elements, again excluding oversight. Visa in particular has done a good job of making the key elements very visible while still allowing the customer to drill down and get more detailed information. Visa has also added a section on “Customer Service and Recourse,” which is a step toward third-party oversight. When you are already doing the right things, there is no restrictive burden added by displaying a third-party “seal of approval.” Instead, it will build your customers' confidence and loyalty.
Intel, Kodak, and HP: These three companies have created fairly simple, understandable, online privacy statements that cover the five elements, including oversight. All carry a privacy seal. All directly link from the home page, and all have an obvious e-mail button for feedback. Intel's feedback request clearly tells the customer that if he is not satisfied with Intel's response, he should contact the seal provider via the supplied link. This is an excellent practice.
Table 22-1 contains a sample framework for a privacy statement that will help you ask yourself all the key questions. Your statement should address each of these elements and should reflect your own company's position on each point.
After you've created your initial policy and customer communication documents, you have at least made your customers aware of what you are doing. They can vote with their mouse or trash basket if they're not comfortable with the way you do business. But, because that's not really the outcome you're looking for, over time you will want to enhance your policy to improve your privacy practices and image. Because policy and internal practices must remain in perfect alignment, you will have to provide training to all individuals who interact with (capture, manage, use) customer data about your new policies. As in all other “people behavior” change management projects, you must have a way of measuring and enforcing results. Everyone in your company must understand and abide by your privacy policy.
Privacy Commitment (Brief statement of your overall position)
|
Notice (What information we collect and use)
|
Choice (How we determine what you will allow us to do with your data)
|
Access/Accuracy (How we plan to let you review and correct the accuracy of your data)
|
Security (How we physically protect your data)
|
Oversight (What options you have if we haven't lived up to our promises)
|