Why privacy is becoming a hot-button issue
How giving customers a choice can mitigate privacy concerns
Why 2001 may be the year for sweeping privacy legislation
If you've ever felt sympathy with Scott McNealy's infamous statement, "Privacy is dead. Get over it", the following apparently true horror story might just change your mind.
In 1994 in the US, Beverley Dennis received a notice from a direct mail company promising her free samples and grocery coupons if she completed the customer survey. The survey, used by the company to keep its database up to date, probed for details about Dennis' preferred products, income and marital status. Dennis willingly disclosed all.
Which might have been fine had it not been for a deal between the direct mail company and the state of Texas that resulted in a convicted felon entering Beverley Dennis' responses into the database. Another prisoner - a rapist and burglar - paid 25 cents for Dennis' information and then used that information in the sexually explicit letter he wrote her. According to Bryan Belling, a partner at legal firm Abbott Tout, Dennis' fear and discomfort was compounded by the fact that the prisoner was due for release just four years later.
Now, at the very least, that makes for a case of noxious public relations on the part of the direct mail company.
Even in the Internet age, privacy matters. In fact, in an era where information is the new currency and the pursuit of information is getting fiercer by the day, it might even matter more now than it ever has before.
The simple fact is that privacy breaches can result in disastrous - even potentially deadly - unintended consequences. Law advisories, media stories and Web pages are full of privacy abuse horror stories. Information-gathering practices may have the potential to lift profits, but they can also easily backfire and end up alienating at least as many customers as they attract. Ergo, policies that breach customer privacy simply cannot be good business.
"Too intrusive practices drive customers away," notes GartnerGroup analyst Victor Wheatman.
Had Dennis lived in Australia and decided to take action against the company for breaching her privacy she most likely wouldn't have had a legal leg to stand on. The federal government's Privacy Amendment (Private Sector) Bill 2000, due to come into force later this year, has been derided by the Australian Privacy Foundation as "full of holes". However, erosion of trust and damage to corporate reputations can be just as devastating as legal action to companies that abuse their customers' trust, Andersen Legal partner Duncan Giles says.
"As many respected businesses have found in the last 12 months, the absence of strict legal sanctions is largely irrelevant; it is a failure to respond quickly and publicly to consumer concerns which runs the risk of significant damage to credibility, profitability and market position," Giles says. "There is clearly a significant amount of work to be done to achieve the level of protection consumers are beginning to demand." He says now is the time for business to act. Although the amendments to the Privacy Act are unlikely to become effective before the latter part of next year, it is likely that a significant amount of audit, remediation and training work will be required to ensure compliance by that time.
It is becoming increasingly obvious that organisations that ignore personal privacy issues will put themselves in harm's way.
End-user anxiety about personal privacy seems to be escalating even as Internet use continues to soar. Many Internet users loathe receiving unsolicited communications and increasingly insist the practice of covertly collecting Web surfers' personal data is an infringement of their right to confidentiality. It's getting harder and harder for telemarketers to cold-call customers without raising their ire. Some customers refuse to join loyalty programs because they worry about the way retailers store and process data for their own business uses without customer knowledge or consent. Customers are also increasingly concerned about the misuse of credit card numbers provided across the Internet and about identity theft.
On the plus side, the levels of concern ensure companies that take strong steps to protect their customer privacy find themselves in a win-win situation.
Web content editor Heidi Wessman Kneale of online insurance broker InsuranceMyWay says protecting customer privacy is an excellent way to gain business, as well as an enhanced reputation for being trustworthy. And it is not just customer end users who care about privacy, Wessman Kneale insists. "We use a B2B business model as well as a B2C model. Other businesses will be more willing to enter alliances with us if we've got a good reputation," she says.
Jay Stanley is an analyst for Internet policy and regulation research in Forrester Research's Washington, DC, office. These days, he says, smart advertisers know that in order to win customer loyalty they must not only cater to their consumers' desires and offer good prices but also assuage their fears. Stanley claims some companies "are going out of their way to establish trust with customers. Indeed, some are leaving millions of dollars on the table by not using or selling lists."
In Australia, there are some companies doing exactly that. Delphi Enterprises operates an Australian Internet shopping mall hosting a steadily increasing number of shops securely selling top-quality goods internationally both to and from Australia. The potential is clearly there for Delphi to collect information goodies from a range of customers and sell it for substantial sums.
However, according to director Mike McDonnell, Delphi knows the best way to build the business is through repeat customers - and that means respecting those customers' right to privacy. "I do not keep any customer data online and it therefore cannot be interfered with - even though it's unlikely that it would be. I can run my business without collecting data on customers and prefer this approach," McDonnell says.
Likewise, OPSM Protector has had a policy of strict customer privacy protection for the last 65 years. Its Web page guarantees customers that all personal information they provide in the course of doing business with OPSM will be handled with the utmost security and confidentiality at all times. To ensure that customers can opt out of direct mail practices, OPSM pledges that any information sent via e-mail to customers will include instructions for removing themselves from the e-mail list.
Only 14 per cent of sites surveyed said that they gave users the opportunity to have at least some personal information about themselves deleted from Web site records.
The survey results prompted Australia's national Internet and e-commerce representative body, the Internet Industry Association, to reiterate its warnings that unless online businesses moved to address privacy concerns, the information economy won't reach its full potential in Australia and will continue to lag behind the US.
"Consumer confidence is paramount if e-commerce is to grow here," says IIA executive director Peter Coroneos. "Their primary concerns remain privacy and information security. Interestingly, unlike other concerns relating to Internet use, worries about abuse of personal information do not seem to diminish as experience on the Net grows." Coroneos says industry must play its part in meeting those concerns by putting meaningful policies in place, then sticking to them.
The NAI, a group of third-party advertisers including 24/7 Media, DoubleClick, Engage and MatchLogic, is keenly aware of the public's growing unease. The organisation is striving to reassure the public by insisting private watchdog groups like TRUSTe and BBB (Better Business Bureau) OnLine can protect consumers' personal data.
At the same time, the chief executives of many of the world's biggest corporations - aware that angst about privacy might stultify e-commerce growth - have also called for global standards to safeguard personal information on the Internet. The Global Business Dialogue on E-Commerce (GBDE), a group of 72 corporations, including such corporations as Time Warner and Toshiba, says domestic laws alone cannot preserve the privacy of people's transactions or such personal information as medical histories.
Some Australian companies are rising to the challenge.
InsuranceMyWay collects large amounts of personal information including names, addresses, dates of birth, marital status, driving histories and health histories to pass on to an insurance company should the individual choose to apply for insurance.
"Some of the information - such as medical questions - is sensitive enough that some people won't even tell their spouses; but they need to tell us," Wessman Kneale says. "We want lots of people to trust us so they'll use our site and purchase insurance through us. In order to nurture that, we have to convince them that we care about them. We'll do our best to make sure that whatever they share is just between us and will only be used for select insurance purposes."
Like any good e-commerce business, InsuranceMyWay employs secure sites, firewalls and encryption to protect its data. However, it also goes further by insisting users must create a username and password whenever InsuranceMyWay does a quote or conducts any other exchange dealing with personal information. Each user has access to their information and can change it as necessary.
"Insurance companies are the only third parties we share any information with, and even then, on an individual basis," Wessman Kneale says. "We do not sell information to anyone, either singly or in bulk, nor, to my knowledge, do we plan to. Personally, I feel it would be unethical to give information to anyone but the individually requested insurance company, or to sell it to anyone."
For legal reasons, InsuranceMyWay has an option at the bottom of its customer profiles that asks whether the customer's information can be shared with third parties other than insurance companies. The default is set to "No". Meanwhile, Wessman Kneale is convinced much of the fear due to privacy concerns arises from ignorance.
"As site editor, I felt that if we had as much information as we could on the site about what we do to protect privacy, it would help ease some of the fears of potential customers," she says. "Most sites I've seen, including competitors' sites, don't seem to have as much information about their privacy and security as we do. I'm a big proponent of lots of information on our site - people are more likely to act if they are armed with lots of info."
Strong privacy policies are particularly important for companies that don't already have a well-recognised brand, notes principal research analyst Hank Prunckun at professional research service Slezak Associates. The company launched on the Internet less than two years ago.
"People coming to our Web site really don't know who we are or what we are; they're really taking it on face value that they can trust us," Prunckun says. "They don't really know anything about us, and therefore I think it is in our best interest as a business to be up front with people and to tell them what our values are. That way they can make up their minds whether they value that and they can make a decision as to whether they do business with us or not."
Slezak's Web page assures readers the company respects the privacy of its customers' customers by placing the highest level of importance on keeping customer information, especially credit card details, confidential by: encrypting all credit card information input before it is sent to Slezak using secure server software (SSL); limiting the information the business collects on its order form and client request form to that which is necessary for service delivery; preventing the business from using customer details in ways which are not related to providing the service requested; and preventing the business from selling, renting or trading customer information to third parties, especially marketing organisations that compile "mailing lists" and the like.
The policy pledges neither personal details, nor details of the services customers request, will ever be made available to a third party. Nor will customer e-mail addresses ever be used for the delivery of unsolicited e-mail.
"I definitely believe that any business that's serious about the primary business that it's in must decide whether it's in a business to offer that primary service or it's in the business to offload and sell the customer information that it has gathered," Prunckun says. "In our case, we've made that conscious decision that we're in a business to provide a professional service, not to capitalise on the selling of e-mail addresses and other marketing information. I think because of that - because we've concentrated on our primary job - that we definitely have an advantage over others."
His customers would probably agree.
Bitten by an ASP
Is your ASP respecting the confidentiality of your - and your customers' - data?
So many application service providers are breaching trust by selling customer data that - in the short term at least - there's a real danger those "rogue companies" may end up destroying the entire ASP model. Such, at least, is the concern of ibCOM CEO Mike Byers, who says too many ASPs see selling customer data as their chance to stay afloat in a competitive arena where margins are extremely tight.
As the chief executive of an ASP, Byers says one of the key concerns of his customers is moving their data out into a non-internal area. He says too many ASPs look on selling customer data as their chance to make money.
"It's a very young industry," Byers says. "The problem is, those ASPs are in two worlds. Because there is not a large amount of up-front money with ASP services [they get their money over time], usually the CEO and marketing people are looking for another revenue stream. They see all this data stored out there in terms of its potential to make them money. They're looking for money any way they can."
Byers cites the decision by Health Communication Network, one of Australia's first Internet providers of health knowledge, to onsell information in summarised form to pharmaceutical companies.
"It's just wrong," Byers says. "You can't get any more private data than health-medical records. When you have someone like the CEO of a health network proposing to sell data to pharmaceutical companies, even though it is in summarised form, it just sends shivers down all possible end-users' spines."
"The ASP industry really has to get serious about it and it has to get the message across that it is serious. Apart from doing the right things at the back-end and creating secure facilities, they have to promote the fact that they know what they're doing and that they understand that the issue of privacy is number one, and that they are doing something about it," he says.
A Matter of Policy
Model Privacy Statement
This privacy statement discloses the privacy practices for [Company X's URL]. This Web site has agreed to disclose its information practices and have its privacy practices reviewed for compliance by TRUSTe. You will be notified of:
1. Personally identifiable information about you that is collected from the Web site or through third parties
2. The organisation collecting the information
3. How the information is used
4. With whom the information may be shared
5. What choices are available to you regarding collection, use and distribution of the information
6. The security procedures that protect the loss, misuse or alteration of information under (Company X)'s control
7. How you can correct any inaccuracies in the information
Information Collection and Use
(Company X) is the sole owner of the information collected on this site. We will not sell, share or rent this information to others in ways different from what is disclosed in this statement.
Log Files
We use IP addresses to administer the site, track user movement and gather demographic information for aggregate use. IP addresses are not linked to identifiable information.
Sharing
We will share aggregated demographic information with our partners and advertisers. This is not linked to any personal information that can identify any individual person.
Links
This Web site contains links to other sites. We are not responsible for the privacy practices of other sites. Read the privacy statements of each Web site that collects identifiable information.
Security
This Web site takes every precaution to protect users' information. When users submit sensitive information via the Web site, their information is protected both online and offline. When our registration/order form asks users to enter sensitive information (such as credit card number and/or tax file number), that information is encrypted and is protected with the best encryption software in the industry - SSL. While we use SSL encryption to protect sensitive information online, we also protect user information offline.
Supplementation of Information
To properly fulfil our obligation to customers, we supplement the information we receive with information from third-party sources. For example, to determine if our customers qualify for one of our credit cards, we use their name and tax file numbers to request credit reports. Once we do that, this document is destroyed.
Correction/Updating Personal Information
If a user's personally identifiable information changes (such as a post code), or if a user no longer desires our service, we will provide a way to correct, update or remove that user's personal data.
Choice/Opt-out
Our users are given the opportunity to opt out of having their information used for purposes not directly related to our site at the point where we ask for the information.