
The Fine Art of Privacy Policy

by Stephen Cobb, originally appeared in Inside Direct Mail

Any company marketing to consumers today needs a privacy policy. In some markets, like healthcare and financial services, a privacy policy is a legal requirement. Even without a legal requirement, a privacy policy is advisable for two reasons. First, to help you win the trust of consumers who are increasingly reluctant to entrust their information (the information that makes marketing work) to companies that don’t have a privacy policy. Second, a privacy policy can protect you in the event someone takes exception to what you do with their data.

Unfortunately, a privacy policy is not without risks. Fail to abide by your published privacy policy and you could be in trouble. When a programming error exposed the email addresses of 600 people who had expressed an interest in Eli Lilly’s Prozac medication, some of them complained to the Federal Trade Commission (FTC), which imposed a twenty-year oversight settlement on the company in January of 2002. The exposure was an accident and the only people who saw the addresses were other people on the list, but here’s what the Director of the FTC's Bureau of Consumer Protection, J. Howard Beales, III, said:

"Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information."

The FTC takes its consumer protection mandate seriously, having forced privacy-related settlements on computer giant Microsoft and jean maker Guess. The latter faced charges that its web site, guess.com, exposed consumers' personal information, including credit card numbers, to commonly known hacking attacks, contrary to security claims made in its privacy statement. The FTC has firmly established that companies must use reasonable or appropriate measures to prevent consumer information from being accessed, including protection against “known vulnerabilities.” Here is Beales again:

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that. It's not just good business, it's the law."

So, the challenge that companies face is to write a privacy policy that accurately reflects how personally identifiable information (often referred to as PII) is treated by the company, without making any promises the company cannot keep. In fact, you probably need two documents: a privacy policy, which is often a collection of policies, used for internal governance and guidance; and a privacy statement/notice that is published on your web site. This double document approach is not a case of corporate double-talk, but a practical way to establish your company’s privacy stance internally (the privacy policy/policies), while conveying the essence of that stance to the public (the privacy statement/notice).

This approach reflects the dilemma companies face as consumer concerns push privacy up the agenda in more and more departments. A comprehensive, enterprise-wide statement of policies concerning PII could overwhelm the average consumer, leaving them no wiser about the company’s position on the basic principles. Remember the privacy notices mailed out in 2001 by banks and credit card companies under the Gramm-Leach-Bliley Act? Many were sharply criticized as too long or too obscure. Trying to hedge your privacy bets in a legalistic privacy statement is not going to work.

Practical Issues: Web Sites

Ideally, a privacy statement on a Web site should be accessible from every page of the site, as part of the navigation bar. At a minimum it should be accessible from the home page and any page that solicits or uses PII. It should say how the site implements the company’s overall privacy policy, particularly with respect to Web-related data such as cookies, Web bugs, Web beacons, visitor tracking, email addresses, and so on. It should address the five main principles of fair information practice:

Notice: What you are going to use the data for should be stated before you collect it, including any secondary uses you intend to make.

Choice: What choice do people have about whether or not they supply data to you, what they miss out on if they don’t, and what can be done with the data they supply (including secondary uses of their data).

Access: How you address the right of data subjects to see the data that you have about them, and change it or delete it if appropriate.

Security: How you protect the confidentiality, integrity, and availability of the information, and what you do to keep the data accurate and up-to-date.

Enforcement: What mechanisms you use to make sure that these principles are upheld, and to impose penalties if they are not.

For many companies the biggest obstacle to putting together a defensible privacy statement is the very practical one of determining what personal data the company is collecting, and what is being done with it. The answer is to map data flows. Many companies find that when they try to get a handle on privacy, no definitive documentation is available as to what data is being collected, or how, or about whom it is being collected, or where it is being stored or sent. The answers to these questions will shape the privacy statement, particularly notices to users about the data collected and any “downstream” or secondary implications, such as a data-sharing or cross-marketing agreement with another organization.

Someone needs to track exactly what happens to PII from the moment it enters the system, for example when it is entered in a form on a Web page. Some Web site forms simply email user input to a company email address when the user clicks “Submit.” A more sophisticated approach is to write the input to a file and make sure the file is not stored on the Web server for any length of time, but spooled to a properly firewalled back-end server. Access to data on that server should be tightly restricted to employees who need to see it in order to perform their work.

So here are the main points that need to be documented (consider using a large whiteboard to sketch this out):

Use the resulting map to write an appropriate Web site privacy statement and then make sure it fits into broader company privacy policy. Bear in mind that the FTC considers privacy policies posted on a company’s Web site to be equally applicable to the company’s off-line data collection, use, and disclosure practices—unless the company clearly states that the Web site privacy policy applies only to its online activities.
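As an added illustration (not from the article), here is how the data-flow map described above can be kept as a structured inventory and checked against a draft Web statement, so that nothing is collected, used or shared that the statement fails to disclose, and so that nothing is left resting on the Web server. The company, its flows and the draft statement are constructed examples.

```python
from dataclasses import dataclass


@dataclass
class PiiFlow:
    """One row of the data-flow map: what is collected, where it goes, who gets it."""
    element: str            # e.g. "email address"
    collection_point: str   # e.g. "newsletter form"
    storage: str            # where the data lands after submission
    retention_days: int     # how long it is kept there
    purposes: tuple         # primary and secondary uses
    recipients: tuple = ()  # outside organizations the data is shared with


# Constructed sample inventory for a hypothetical company (not from the article).
INVENTORY = [
    PiiFlow("email address", "newsletter form", "backend CRM", 365,
            ("newsletter delivery",), ("email service provider",)),
    PiiFlow("postal address", "order form", "order database", 730,
            ("order fulfilment", "catalog mailing"), ("catalog partner",)),
    PiiFlow("browsing history", "site cookie", "web server log", 90,
            ("site analytics",)),
]

# Constructed draft statement: what the Web privacy statement currently discloses.
DRAFT_STATEMENT = {
    "elements": {"email address", "postal address"},
    "purposes": {"newsletter delivery", "order fulfilment", "site analytics"},
    "recipients": {"email service provider"},
}


def notice_gaps(inventory, statement):
    """Return the elements, purposes and recipients that the map shows but the
    statement never discloses (the Notice principle: say it before you collect it)."""
    gaps = {"elements": set(), "purposes": set(), "recipients": set()}
    for flow in inventory:
        if flow.element not in statement["elements"]:
            gaps["elements"].add(flow.element)
        gaps["purposes"].update(set(flow.purposes) - statement["purposes"])
        gaps["recipients"].update(set(flow.recipients) - statement["recipients"])
    return gaps


def exposed_on_web_tier(inventory):
    """Flows whose storage is the public Web server rather than a back-end system."""
    return [f.element for f in inventory if "web server" in f.storage]
```

Every non-empty set returned by notice_gaps is a promise the statement is silent on, and every element returned by exposed_on_web_tier is data that should be spooled to the back-end server instead.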

Of course, you can work this problem in the opposite direction, from a detailed and comprehensive internal privacy policy document to the Web site privacy statement. But several practical obstacles exist. Most companies need a Web privacy statement sooner rather than later. Performing a full-scale privacy review as a prelude can create an unacceptable delay (particularly as this can be resource intensive and may be delayed by budget concerns and inter-departmental wrangling).

The fact is, a company’s handling of privacy issues can evolve over time to cover all the bases, but it makes sense to start at the point of greatest exposure. For many companies this is the Web site. Furthermore, until you have a clear idea of what PII the company currently handles and how, starting at the top can be risky—you don’t want to end up with a policy that is at odds with practices on which the company relies for operations.

When you do get to the highest level, your company’s overall privacy policy can be as short as a single sentence and should be no more than 50 words. What you are aiming for is something that sums up the company’s attitude to privacy in words that the CEO is prepared to recite publicly and sign personally. Consider these four examples:

• Respect for customer privacy has always been a priority at Sample Company.

• Sample Company respects the privacy of customers and maintains strict customer information privacy policies.

• Sample Company is committed to meeting customer expectations regarding the collection, control, use, transfer, storage and disclosure of personally identifiable information.

• At Sample Company, privacy means giving customers control over the collection, use, and distribution of their personal information in order to build and maintain trust and loyalty.

Of course, one of the handy features of the Web is that it is self-documenting: you can read the privacy statements of all the companies you want, looking for ideas and language that suits your needs.

The language that comes below this top level of statement will ultimately depend on the type of business you’re in and the type of PII you handle. While some types of PII are obviously more sensitive than others, the message from recent court cases and legislative proposals is that consumers are becoming more and more sensitive to how any information about them is handled. Smart companies will err on the side of caution when it comes to privacy in order to earn and retain the consumer trust that is essential to successful marketing.
