Private Lives

Why privacy is becoming a hot-button issue

How giving customers a choice can mitigate privacy concerns

Why 2001 may be the year for sweeping privacy legislation

If you've ever felt sympathy with Scott McNealy's infamous statement, "Privacy is dead. Get over it", the following apparently true horror story might just change your mind.

In 1994 in the US, Beverley Dennis received a notice from a direct mail company promising her free samples and grocery coupons if she completed the customer survey. The survey, used by the company to keep its database up to date, probed for details about Dennis' preferred products, income and marital status. Dennis willingly disclosed all.

Which might have been fine had it not been for a deal between the direct mail company and the state of Texas that resulted in a convicted felon entering Beverley Dennis' responses into the database. Another prisoner - a rapist and burglar - paid 25 cents for Dennis' information and then used that information in the sexually explicit letter he wrote her. According to Bryan Belling, a partner at legal firm Abbott Tout, Dennis' fear and discomfort was compounded by the fact that the prisoner was due for release just four years later.

Now, at the very least, that makes for a case of noxious public relations on the part of the direct mail company.

Even in the Internet age, privacy matters. In fact, in an era where information is the new currency and the pursuit of information is getting fiercer by the day, it might even matter more now than it ever has before.

The simple fact is that privacy breaches can result in disastrous - even potentially deadly - unintended consequences. Law advisories, media stories and Web pages are full of privacy abuse horror stories. Information-gathering practices may have the potential to lift profits, but they can also easily backfire and end up alienating at least as many customers as they attract. Ergo, policies that breach customer privacy simply cannot be good business.

"Too intrusive practices drive customers away," notes GartnerGroup analyst Victor Wheatman.

Shaky Foundations

Had Dennis lived in Australia and decided to take action against the company for breaching her privacy she most likely wouldn't have had a legal leg to stand on. The federal government's Privacy Amendment (Private Sector) Bill 2000, due to come into force later this year, has been derided by the Australian Privacy Foundation as "full of holes". However, erosion of trust and damage to corporate reputations can be just as devastating as legal action to companies that abuse their customers' trust, Andersen Legal partner Duncan Giles says.

"As many respected businesses have found in the last 12 months, the absence of strict legal sanctions is largely irrelevant; it is a failure to respond quickly and publicly to consumer concerns which runs the risk of significant damage to credibility, profitability and market position," Giles says. "There is clearly a significant amount of work to be done to achieve the level of protection consumers are beginning to demand." He says now is the time for business to act. Although the amendments to the Privacy Act are unlikely to become effective before the latter part of next year, it is likely that a significant amount of audit, remediation and training work will be required to ensure compliance by that time.

Anxiety Mounts

It is becoming increasingly obvious that organisations that ignore personal privacy issues will put themselves in harm's way.

"In a transparent economy, an absence of a ‘believable' privacy policy - or breach of it - will expose companies, creating all sorts of difficulties with respect to trust, credibility, reputation and the law," says Interactive Knowledge On-Line (IKO) CEO Aseem Prakash. "Privacy policy leads to trust. Trust creates loyalty and loyalty results in profitability."

End-user anxiety about personal privacy seems to be escalating even as Internet use continues to soar. Many Internet users loathe receiving unsolicited communications and increasingly insist the practice of covertly collecting Web surfers' personal data is an infringement of their right to confidentiality. It's getting harder and harder for telemarketers to cold-call customers without raising their ire. Some customers refuse to join loyalty programs because they worry about the way retailers store and process data for their own business uses without customer knowledge or consent. Customers are also increasingly concerned about the misuse of credit card numbers provided across the Internet and about identity theft.

On the plus side, the levels of concern ensure companies that take strong steps to protect their customers' privacy find themselves in a win-win situation.

Web content editor Heidi Wessman Kneale of online insurance broker InsuranceMyWay says protecting customer privacy is an excellent way to gain business, as well as an enhanced reputation for being trustworthy. And it is not just customer end users who care about privacy, Wessman Kneale insists. "We use a B2B business model as well as a B2C model. Other businesses will be more willing to enter alliances with us if we've got a good reputation," she says.

Jay Stanley is an analyst for Internet policy and regulation research in Forrester Research's Washington, DC, office. These days, he says, smart advertisers know that in order to win customer loyalty they must not only cater to their consumers' desires and offer good prices but also assuage their fears. Stanley claims some companies "are going out of their way to establish trust with customers. Indeed, some are leaving millions of dollars on the table by not using or selling lists."

In Australia, there are some companies doing exactly that. Delphi Enterprises operates an Australian Internet shopping mall hosting a steadily increasing number of shops securely selling top-quality goods internationally both to and from Australia. The potential is clearly there for Delphi to collect information goodies from a range of customers and sell it for substantial sums.

However, according to director Mike McDonnell, Delphi knows the best way to build the business is through repeat customers - and that means respecting those customers' right to privacy. "I do not keep any customer data online and it therefore cannot be interfered with - even though it's unlikely that it would be. I can run my business without collecting data on customers and prefer this approach," McDonnell says.

Likewise, OPSM Protector has had a policy of strict customer privacy protection for the last 65 years. Its Web page guarantees customers that all personal information they provide in the course of doing business with OPSM will be handled with the utmost security and confidentiality at all times. To ensure that customers can opt out of direct mail practices, OPSM pledges that any information sent via e-mail to customers will include instructions for removing themselves from the e-mail list.

"OPSM's privacy policy means just that - privacy," says OPSM development manager Peter Haggitt. "Over the last 65 years, our policy of absolute customer privacy has made OPSM one of the most trusted brands in Australia. OPSM enjoys lifelong customer relationships, and in this context maintaining customer privacy is not only an ethical obligation but good business."

Yet companies like Delphi and OPSM are seemingly the exception to the rule. The recent Andersen Legal Internet Privacy Survey 2000 found 72 per cent of sites surveyed collected personal information, yet only 51 per cent had a published privacy policy and only 28 per cent of those sites notified users about the specific personal information collected.

In addition, 71 per cent of Web sites with a stated privacy policy said that personal identifying information can be disclosed to third parties, even though one in three of those sites offered users no choice with respect to that disclosure. Worse, 43 per cent of sites that collected personal information did so even though the user had not actively provided that information.

Only 14 per cent of sites surveyed said that they gave users the opportunity to have at least some personal information about themselves deleted from Web site records.

The survey results prompted Australia's national Internet and e-commerce representative body, the Internet Industry Association, to reiterate its warnings that unless online businesses moved to address privacy concerns, the information economy won't reach its full potential in Australia and will continue to lag behind the US.

"Consumer confidence is paramount if e-commerce is to grow here," says IIA executive director Peter Coroneos. "Their primary concerns remain privacy and information security. Interestingly, unlike other concerns relating to Internet use, worries about abuse of personal information do not seem to diminish as experience on the Net grows." Coroneos says industry must play its part in meeting those concerns by putting meaningful policies in place, then sticking to them.

Many of the world's biggest corporations have called for global standards to safeguard personal information on the Internet. The NAI, a group of third-party advertisers including 24/7 Media, DoubleClick, Engage and MatchLogic, is keenly aware of the public's growing unease. The organisation is striving to reassure the public by insisting private watchdog groups like TRUSTe and BBB (Better Business Bureau) OnLine can protect consumers' personal data.

At the same time, the chief executives of many of the world's biggest corporations - aware that angst about privacy might stultify e-commerce growth - have also called for global standards to safeguard personal information on the Internet. The Global Business Dialogue on E-Commerce (GBDE), a group of 72 corporations, including such corporations as Time Warner and Toshiba, says domestic laws alone cannot preserve the privacy of people's transactions or such personal information as medical histories.

Privacy guidelines proposed by the GBDE called for Internet vendors to clearly state policies on the uses of personal data and to give customers both a chance to keep details private and a contact for privacy complaints. According to IKO's Prakash, however, a privacy policy alone is not enough. "It's hard yakka to build and maintain trust online," he says. "Like respect, trust is to be earned and cannot be dictated or commanded or forced. Nevertheless, while a privacy policy is not the answer, it is a starting point."

Some Australian companies are rising to the challenge.

InsuranceMyWay collects large amounts of personal information including names, addresses, dates of birth, marital status, driving histories and health histories to pass on to an insurance company should the individual choose to apply for insurance.

"Some of the information - such as medical questions - is sensitive enough that some people won't even tell their spouses; but they need to tell us," Wessman Kneale says. "We want lots of people to trust us so they'll use our site and purchase insurance through us. In order to nurture that, we have to convince them that we care about them. We'll do our best to make sure that whatever they share is just between us and will only be used for select insurance purposes."

Like any good e-commerce business, InsuranceMyWay employs secure sites, firewalls and encryption to protect its data. However, it also goes further by insisting users must create a username and password whenever InsuranceMyWay does a quote or conducts any other exchange dealing with personal information. Each user has access to their information and can change it as necessary.

"Insurance companies are the only third parties we share any information with, and even then, on an individual basis," Wessman Kneale says. "We do not sell information to anyone, either singly or in bulk, nor, to my knowledge, do we plan to. Personally, I feel it would be unethical to give information to anyone but the individually requested insurance company, or to sell it to anyone."

For legal reasons, InsuranceMyWay has an option at the bottom of its customer profiles that asks whether the customer's information can be shared with third parties other than insurance companies. The default is set to "No". Meanwhile, Wessman Kneale is convinced much of the fear due to privacy concerns arises from ignorance.

"As site editor, I felt that if we had as much information as we could on the site about what we do to protect privacy, it would help ease some of the fears of potential customers," she says. "Most sites I've seen, including competitors' sites, don't seem to have as much information about their privacy and security as we do. I'm a big proponent of lots of information on our site - people are more likely to act if they are armed with lots of info."

Strong privacy policies are particularly important for companies that don't already have a well-recognised brand, notes principal research analyst Hank Prunckun at professional research service Slezak Associates. The company launched on the Internet less than two years ago.

"People coming to our Web site really don't know who we are or what we are; they're really taking it on face value that they can trust us," Prunckun says. "They don't really know anything about us, and therefore I think it is in our best interest as a business to be up front with people and to tell them what our values are. That way they can make up their minds whether they value that and they can make a decision as to whether they do business with us or not."

Slezak's Web page assures readers the company respects the privacy of its customers' customers by placing the highest level of importance on keeping customer information, especially credit card details, confidential by: encrypting all credit card information input before it is sent to Slezak using secure server software (SSL); limiting the information the business collects on its order form and client request form to that which is necessary for service delivery; preventing the business from using customer details in ways which are not related to providing the service requested; and preventing the business from selling, renting or trading customer information to third parties, especially marketing organisations that compile "mailing lists" and the like.

The policy pledges neither personal details, nor details of the services customers request, will ever be made available to a third party. Nor will customer e-mail addresses ever be used for the delivery of unsolicited e-mail.

"I definitely believe that any business that's serious about the primary business that it's in must decide whether it's in a business to offer that primary service or it's in the business to offload and sell the customer information that it has gathered," Prunckun says. "In our case, we've made that conscious decision that we're in a business to provide a professional service, not to capitalise on the selling of e-mail addresses and other marketing information. I think because of that - because we've concentrated on our primary job - that we definitely have an advantage over others."

His customers would probably agree.

Bitten by an ASP

Is your ASP respecting the confidentiality of your - and your customers' - data?

So many application service providers are breaching trust by selling customer data that - in the short term at least - there's a real danger those "rogue companies" may end up destroying the entire ASP model. Such, at least, is the concern of ibCOM CEO Mike Byers, who says too many ASPs see selling customer data as their chance to stay afloat in a competitive arena where margins are extremely tight.

As the chief executive of an ASP, Byers says one of the key concerns of his customers is moving their data out into a non-internal area. He says too many ASPs look on selling customer data as their chance to make money.

"It's a very young industry," Byers says. "The problem is, those ASPs are in two worlds. Because there is not a large amount of up-front money with ASP services [they get their money over time], usually the CEO and marketing people are looking for another revenue stream. They see all this data stored out there in terms of its potential to make them money. They're looking for money any way they can."

Byers cites the decision by Health Communication Network, one of Australia's first Internet providers of health knowledge, to onsell information in summarised form to pharmaceutical companies.

"It's just wrong," Byers says. "You can't get any more private data than health-medical records. When you have someone like the CEO of a health network proposing to sell data to pharmaceutical companies, even though it is in summarised form, it just sends shivers down all possible end-users' spines."

He says any serious business in the ASP space should have a chief privacy officer and a documented privacy policy.

"The ASP industry really has to get serious about it and it has to get the message across that it is serious. Apart from doing the right things at the back-end and creating secure facilities, they have to promote the fact that they know what they're doing and that they understand that the issue of privacy is number one, and that they are doing something about it," he says.

A Matter of Policy

A privacy policy is the foundation on which every company's privacy strategy is built as well as the means by which it is communicated to customers and business partners. The following is an excerpted sample policy provided by TRUSTe, an organisation that helps companies formulate and administrate effective policies. Included are comments from Bob Lewin, CEO and executive director of TRUSTe. For more comprehensive information on building privacy policies, visit

Model Privacy Statement

This privacy statement discloses the privacy practices for [Company X's URL]. This Web site has agreed to disclose its information practices and have its privacy practices reviewed for compliance by TRUSTe. You will be notified of:

1. Personally identifiable information about you that is collected from the Web site or through third parties
2. The organisation collecting the information
3. How the information is used
4. With whom the information may be shared
5. What choices are available to you regarding collection, use and distribution of the information
6. The security procedures that protect the loss, misuse or alteration of information under (Company X)'s control
7. How you can correct any inaccuracies in the information

Information Collection and Use

(Company X) is the sole owner of the information collected on this site. We will not sell, share or rent this information to others in ways different from what is disclosed in this statement.

Log Files

We use IP addresses to administer the site, track user movement and gather demographic information for aggregate use. IP addresses are not linked to identifiable information.

Sharing

We will share aggregated demographic information with our partners and advertisers. This is not linked to any personal information that can identify any individual person.

Links

This Web site contains links to other sites. We are not responsible for the privacy practices of other sites. Read the privacy statements of each Web site that collects identifiable information.

Security

This Web site takes every precaution to protect users' information. When users submit sensitive information via the Web site, their information is protected both online and offline. When our registration/order form asks users to enter sensitive information (such as credit card number and/or tax file number), that information is encrypted and is protected with the best encryption software in the industry - SSL. While we use SSL encryption to protect sensitive information online, we also protect user information offline.

Supplementation of Information

To properly fulfil our obligation to customers, we supplement the information we receive with information from third-party sources. For example, to determine if our customers qualify for one of our credit cards, we use their name and tax file numbers to request credit reports. Once we do that, this document is destroyed.

Correction/Updating Personal Information

If a user's personally identifiable information changes (such as a post code), or if a user no longer desires our service, we will provide a way to correct, update or remove that user's personal data.

Choice/Opt-out

Our users are given the opportunity to opt out of having their information used for purposes not directly related to our site at the point where we ask for the information.
