ask the experts

Apr 01, 2001 9:30 PM

If you are responsible for online privacy issues in your company, your mantra should be “Know, say, do.” Know what your company is doing, say what your practices are, and make sure you do what you say.

First, you have to know what kind of consumer information your company is gathering and how it is being used. Are you using cookies on your Website to track individuals? Are you gathering personally identifiable information through registration forms? Are you matching your online data with data gathered from offline channels or third parties? Do you use any outside service providers to store your data, or do you sell the data to any third party? Do you allow consumers to make choices about how you collect and use their data? Finding these facts may require that you get very friendly with your technical staff, marketing departments, and business development people. Uncovering all your firm’s data practices can be quite a struggle, but you can’t write a meaningful privacy policy if you don’t know what is going on.

Next, you have to say what your practices are in a privacy policy that is prominently linked from your home page. Drafting this document can be a real challenge: It must be detailed and clear while also being as concise as possible. You need to be detailed to minimize any charge that you have not been candid, particularly if your practices make extensive use of consumers’ personal information. But you also need to be clear and persuasive so that consumers can understand the benefits to them of your practices without being scared away. And if you can’t explain your practices without sounding scary to consumers? Then perhaps it is time to rethink them.

Finally, you must ensure that you are actually keeping the promises you make in your policy. This involves frequent return visits to those folks you interviewed in step one, to find out if anything has changed. It should also involve educational programs to make sure that everybody who plans new programs or touches consumer data in any way knows the company’s commitments and how they’re expected to adhere to them. If your data gathering is very extensive or complicated, you may even need to engage an outside auditor to make sure you are indeed keeping your word.

The process of establishing a privacy policy and the efforts necessary to abide by it require buy-in from all levels of your organization, from the board of directors to the mailroom clerk. But the commitment is worth it, because it only takes one slip-up for you to become the next fresh meat for privacy advocates, the media, federal regulators, a class-action attorney, or your state’s attorney general. The scrutiny required to develop a good set of privacy policies and the tenacity required to keep to them are, in the end, quite small compared to the loss of customer (and investor!) confidence.

Ray Everett-Church, Esq., is CEO of PrivacyClue, a privacy-oriented consulting firm in San Jose, CA.

One survey found that 92% of consumers are fearful about the potential misuse of their data. The Forrester Group estimated that consumer fears about privacy cost online retailers $3 billion, or about 10% of total sales, in 1999. Certainly something was behind what may be the most remarkable statistic in e-commerce: More than three-quarters of all shoppers abandon their shopping carts without making a purchase.

So you would be wise to adopt best privacy practices and aggressively tell your customers about them. A growing number of companies recognize the need for the first, but most fall short with respect to the second.

A strong privacy policy must be both inward-facing and outward-facing. The fundamental inward-facing policy is to set limits on the data collected and used. Technology has made it so easy to collect data that many companies are tempted to collect more information than they are likely to ever use. So limit the collection of data to what is necessary and in proportion to the original purpose. Advise customers of the categories of intended use, such as market research or product design.

Perhaps the most difficult aspect of data management is getting rid of “information.” The enormous capacity of modern storage systems allows companies to keep virtually unlimited amounts of individual customer data. Don’t do it. Data should not be kept in an identifiable form any longer than needed for the original purpose. Aside from the potential for privacy abuse, the longer data are held, the less valuable they become, and the more they cost the company. Even straightforward data such as addresses become obsolete in a society in which people are constantly moving.

The two fundamental outward-facing policies are notice and choice. Tell consumers what data are being collected and why. Your customers should know how you use the information, who controls it, and who receives it. Then customers can choose whether to provide you with the data or to allow you to share the information with other companies. All data should be kept up to date, with frequent review and corrections as needed.

Finally, your privacy policy is part of your marketing. Emphasize your privacy policies to your customers. Even though privacy is a major potential differentiator for competing companies, there is a tendency for too many degrees of separation between the marketing and IT departments managing the privacy policy. Privacy notices are buried on Web pages as almost an afterthought.

The only way customers will know you respect their privacy is if you tell them. Communicate your privacy policies through every touch point with your customers. Display them prominently on your home page, mention them in your e-mails, and include them in all mailings. Remind your customers of your respect for their privacy in both your promotions and your billings.

Peter Heffring is president of the CRM division of NCR Corp., a transaction and data warehousing solutions provider based in Dayton, OH.