Privacy Policy Best Practices

What makes a good privacy policy? The reasons for a policy are varied and have been changing since the inception of such policies. The rights of the consumer are the number one reason to have a policy. Policies were first developed from market pressures, but as laws change we will see a requirement for policies based on legislation. The consumer's first step in learning how his personal information will be used and stored is the public availability of the company's policy. The policy's first goal is to define what data is collected on the user. The second goal is to identify how that data will be used, and the third goal is to give the user the option of reviewing his data and to provide some compliance measures to ensure that the policy is adhered to. The user might not be told all the security features of the system that protects his data, but the policy should give some comfort to the consumer that privacy is a concern.

The rights of the user are determined by the policy. Questions a user should consider when reviewing a company's privacy policy include the following:

  • What types of information will be collected automatically from me (system information, behavioral patterns, keyword searches, and so on)?

  • What information will be stored on my computer (such as cookies or downloaded applet programs)?

  • What will registering with a site, whether for product use or using information on the site, track about me?

  • What will be done with my data after it is collected?

  • What information about my computer is collected?

  • How will my information be protected?

  • Can the company resell my information at a later time?

  • Can I unregister or opt out of marketing campaigns and e-mail lists?

  • Can I review the information collected about me?

  • Can I change or delete the information collected about me?

Compliance with a privacy policy is probably one of the most difficult tasks for a company. The original goal of privacy policies was to placate consumers and give them some comfort about their rights and the security of their data. Now, though, policies have taken on real meaning and in some cases have the force of law behind them. If the policy defines how the company will treat your information, but the practical steps are not taken to ensure compliance with the policy, the company can face repercussions both legally and through consumer actions.

Policy rules are broken in two main ways: market pressures force a company to sell off assets or conduct business in a different manner that affects user information, or third-party forces cause inadvertent disclosure and a breach of the policy rules. The case of eTour selling its customer information to Ask Jeeves is an example of the first scenario. Other companies that have tried to sell their customer databases because they have failed include Boo.com, Toysmart, and CraftShop.com. The legality of this is still being debated.

The way market pressures can force disclosure of information also means that consumers can force more privacy protections on the industry. The Network Advertising Initiative (NAI, http://www.networkadvertising.org/) was created by ad networks to oppose legislation in Congress aimed at making opt out automatic. But, NAI does provide consumers a function of opting out of advertisements based on browsing preferences. This is a self-regulatory measure, however. Opting out is usually a hidden or hard-to-find feature on the Web site because companies do not want the consumer to opt out. Collecting customer data is a default action of many sites, and in some cases, customers are not even given an option to opt out. If you do not understand how data is captured and used about you, you can't decide to opt out.

An example of the second method of breaking the rules of the privacy policy is being hacked by a malicious attacker. Bibliofind.com was recently hacked, and approximately 98,000 credit cards were compromised. The hack was several months old before it was discovered. After the hack was discovered, the site shut down and took its customer information off its servers. But it can only be assumed that the information was already copied by the attackers and stored on some server somewhere on the Internet. In cases such as this, the consumer will never know whether his information was compromised because of weak security at the site or because an attacker was extremely intelligent and came up with a never-before-seen attack or even if an internal employee or ex-employee gave access to some hacker. The following excerpt from the Privacy Policy of Bibliofind.com (now incorporated into Amazon.com) states the following:

“How Secure Is Information About Me?

“We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input.

“We reveal only the last five digits of your credit card numbers when confirming an order. Of course, we transmit the entire credit card number to the appropriate credit card company during order processing.

“It is important for you to protect against unauthorized access to your password and to your computer. Be sure to sign off when finished using a shared computer.”

Because this chapter was written after the Biblio.com hack, we do not know whether this was part of the original privacy policy. Amazon is providing a statement about the security of user information, but this is no guarantee that your personal information will stay secure after it makes its way onto a company's servers. Privacy policies are a guideline to what should happen rather than what actually happens. A company that is very strict about its policy will have the practical steps in place to ensure compliance with that policy.

All information about the user collected through use of a company's systems should be readily identified and understood by the user. A functional and usable privacy policy for any company wishing to ensure the privacy of its customers will

  • Take into account the needs of its target market; some customers might be more resistant to having their information captured.

  • Capture only necessary data from the consumers. Using surveys and requiring consumers to fill out questionnaires can capture a lot of unnecessary information.

  • Define why information is being collected.

  • Clearly identify what is done with the data after it is collected, how it is stored, and who has access to it.

  • Give the user a choice of opting out of any marketing based on the information he has submitted and keeping his information from being sent to others.

  • Comply with any laws regarding privacy and be familiar with pending legislation that can affect the business and consumer information.

  • Write a statement of the organization's commitment to data security.

  • Define the security measures in place to secure the customer information and what steps are in place to keep it secure on an ongoing basis.

  • Define how third parties will use the consumer information if they provide a business function to the company.

  • Provide for enforcement of the policy through internal control structures.

  • Explain how and whom to contact within the organization with privacy-related questions or concerns.

  • Make reference to the use of technologies such as cookies and log files.

  • Give the customer a choice in not revealing his information and the ability to see what data has been collected about him.

  • Keep the policy easy to read and understand.

  • Notify users that the site complies with all privacy laws.

  • Explain the consequences of an individual's refusal to provide information.

One statement that is found in many policy documents is the right of the site to change its policy at any time without giving notice to the consumers. If it changes the policy, how are consumers to know unless they read the policy constantly or the company sends out an e-mail to all its customers? If you submitted your information based on one policy and then that is changed, is there still an expectation of privacy? These types of issues have not yet been determined in the courts. This type of modification and divergence in company policy will affect consumer confidence in the company to keep its data secure and not sell it to the highest bidder. As it is, consumers have little assurance about the security of their data.

The problem faced by both companies and individuals is that there is no standard set of procedures for securing personal information. It's the Wild West of the electronic frontier, and so far consumers have been losing the battle. Corporate America has not come up with a standard set of guidelines, and neither has the government. The same problems apply in other countries. Privacy rights are violated on a daily basis, both knowingly and unknowingly. If one company has the best privacy practices and then gets acquired by another company, all the consumer data now falls under the control of the acquirer, and the parent entity might not have such stringent privacy policies. When laws have not been written to address privacy, there is not much the consumer can do for legal recourse.

Large organizations can afford to have outside third-party organizations audit both their computer systems for security weaknesses and their policies for completeness. Smaller organizations typically can't afford these services, and the consumer has no knowledge of the security stance of the company. If companies have third parties advertising on their sites and collecting consumer information, does the site have any responsibility for what is done with that information? Are the security measures of these third parties audited, and are their privacy policies actually being followed? For the corporation to gain the trust of the consumer, the consumer must understand how his data is being handled. For sites that have been subjected to an audit of their privacy policies, the consumer can have some confidence that his data is taken seriously and that the site will try to adhere to what the policy states. The policies on audited sites are probably more defined and sensitive to the consumers' right to privacy, but this is usually a self-administered audit. The problem with this type of auditing arises when companies are compromised or knowingly break their privacy policies even though they have the seal of approval from some auditing company. Consumers will put less faith in these seals because the auditors can't force a company to adhere to them after the audit. In addition, if the company has weak security mechanisms and a hacker steals consumer information, the seal will be meaningless.

eBay uses TRUSTe as the auditor of its privacy policy. Part of the eBay privacy policy states the following:

“eBay Inc. is a licensee of the TRUSTe Privacy Program. What is TRUSTe? It is a non-profit organization dedicated to building trust in the Internet by having member organizations such as eBay disclose information practices. TRUSTe operates as a third-party “watch dog” by auditing our privacy practices to make sure that we are in compliance with TRUSTe's privacy standards.”

In 1999, eBay was hacked. Whether the TRUSTe seal of approval was on the site before or after the hack does not matter. What consumers will remember is that eBay was hacked and their personal information potentially compromised. Even though the seal of approval from any company does not cover all aspects of security and privacy, consumers will not know that and assume any seal that is on a site guarantees that all aspects of that site are secure and that their data is secure.

The government has not forced the issue of auditing privacy policies as it has in auditing financial statements. Without government intervention, consumers must rely on the self-regulation and standards developed by the industry. A company can either rely on a third party to audit its policy and hope that third party does a good job of securing consumer information, or audit the policy itself, meaning there is no objective analysis of the privacy policy. Auditing the policy means more than just reading it and adding the appropriate statements to make it comprehensive. The practical aspects of actually complying with the policy—measures such as security controls, encryption techniques, and testing of site security—must be assessed to gauge compliance. Different industry segments will go about compliance with policies in various ways. Because no baseline standards exist for developing and testing for compliance in policy initiatives, each will differ, and consumers will not have an understanding of what actually works and which policies they can rely on.

One step in the right direction for one industry segment is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. It sets standards for patient information handling and dissemination. Organizations in the healthcare industry are being held accountable for how they manage consumer information and will be punished for breaking the laws set forth in HIPAA. But the problem companies are facing with HIPAA is that the guidelines for how to actually comply with the act from a technology standpoint are not clear-cut. The American Hospital Association (AHA) has stressed an urgent need to suspend the rules governing “standards for privacy of individually identifiable health information” because it feels compliance is unfair. The AHA submits that the medical privacy rule needs to be fixed. As currently drafted, the rule frustrates patient care; complicates essential hospital operations; threatens the financial viability of many of America's hospitals; and is needlessly complex, intrusive, and costly. The First Consulting Group (FCG) released a study in December 2000 that found that compliance costs could be as high as $22.5 billion over five years for hospitals to meet the requirements. Compliance can be approached from various points of view and cost different amounts of money because no standards have been set for implementing practical compliance steps. We are still a long way from valid privacy policies that can be enforced.

Organizations creating, maintaining, using, or disseminating individually identifiable information should take steps to ensure that the data is accurate, complete, relevant, and timely. Data that does not serve a specific purpose in the organization should not be collected; in addition, the information collected should be accessible by the user to ensure the correctness of the data and to fix any problems found. Organizations should take other reasonable steps to ensure the quality of the data collected, including obtaining it from reliable and reputable sources. Full disclosure of what is done with the data collected, as well as how long the data will be stored and used, will give consumers a better understanding of how their personal information is being handled. Organizations need to dispel the fear, uncertainty, and doubt (FUD) factor about consumers' privacy issues. By allowing the consumer full access to the information collected about him, the organization can maintain an accurate database of information as well as gain the user's trust to keep that data secure and maintain a level of quality control over his personal information.
