Privacy Policies: A Trap for the Unwary

Privacy issues, such as a marketer’s ability to collect and use information about consumers, are not new. But the Internet has turned privacy from an afterthought for consumers to a critical concern.

Because of the growing number of privacy complaints from consumers, law enforcement officials and legislators are striving to enhance privacy protection. Legislatures in other countries, such as European Union members, have passed sweeping privacy requirements. In the United States, formal privacy laws generally have been limited to areas of enhanced vulnerability, such as children under 13 (COPPA), financial data (Gramm-Leach-Bliley) and health-related information (HIPAA).

With new laws in California and Pennsylvania, the trend may be moving toward the European philosophy. In most other situations, U.S. companies still are allowed to self-regulate privacy, usually through publishing privacy policies. Consumers expect every online business to prominently feature a privacy policy on its Web site.

However, a surprising number of privacy policies share a serious and often costly flaw: They are simply and unintentionally wrong. Rather than being an accurate description of the information flow through the company, they paint an overly rosy picture of minimal collection and even less disclosure, either because the writer doesn’t know what the company’s true practice is or because the policy is based on language cut and pasted from another Web site.

Consider a statement that many direct marketers make in their privacy policies: “We will not share your information with any third parties.” What about the hosting company on whose computers the site is run? What about the delivery company bringing the purchase to the consumer’s door? Doesn’t it get the consumer’s home address from the marketer? What about the credit card processing firm arranging payment?

The marketer probably shares the consumer’s information with many third parties in the process of doing business, but it isn’t doing anything wrong and the consumer probably wouldn’t even object to the sharing. The company’s own privacy policy, though, says differently.

A similar situation arises in data collection. A marketer’s privacy policy may state, “we collect your personal information through our Web site.” Yet the marketer also may get information from the consumer via telephone calls, e-mails, postal letters, purchased third-party databases, faxes and a whole host of other channels. There, too, the marketer hasn’t done anything wrong per se, but the policy, however well-meaning, is simply wrong.

Consumers who take the time to read privacy policies may be comforted by stringent though incorrect statements, but consumer protection officials take a much less generous view. Even without a specific statute discussing privacy policies, attorneys general have levied fines against companies whose practices violated their own policies, under the general guise of consumer protection. For example, US Bancorp paid a $4 million fine in 2000 to various state AGs for selling customer names to a telemarketer in violation of its privacy policy. The Federal Trade Commission also has made a point of suing marketers that violate their own policies, including Guess and Eli Lilly.

Even if violations do not result in fines, the bad press can prove costly. Companies from Victoria’s Secret to JetBlue have gotten scathing attention in the media for privacy breaches. Even rumored breaches can be costly. In 1996, Lexis/Nexis was falsely rumored to be revealing Social Security numbers and mothers’ maiden names in one of its databases. The furor cost Lexis/Nexis heavily in customer service and damage control and prompted Congress to discuss legislation strengthening privacy rules.

As of Feb. 1, marketers who violate their privacy policies may face additional liability. A new Pennsylvania law, formerly known as SB-705, punishes any business that “knowingly makes a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public,” with fines of up to $500 per violation.

California previously enacted a related law requiring that an operator of a Web site or online service that collects personal information from California residents through the Internet conspicuously post its privacy policy on its Web site.

Considering the potential costs, embarrassment and legal problems of publishing an incorrect privacy policy, how can marketers minimize risks while still following good practices? The best approach is to conduct a comprehensive privacy audit, focusing on how information comes into the company, how it’s used internally and how (and to whom) it goes out again. This can be done by the company, or in connection with attorneys or other privacy specialists. Once the company has a clear “map” of consumer information flow, it can create (or revise) a privacy policy that is reassuring and accurate.

At a minimum, every company should examine its privacy policy and delete overly broad statements that are almost certainly false. It’s better to say too little about how information is used than to say too much and be wrong.