Gwen Moran - When the words matter



You Are Your Customers' Keeper

By Gwen Moran

Jorian Clarke was feeling good that spring morning in 1996. Driving back to her Milwaukee office, she was thinking about the great client meeting that she had just wrapped up, and the successful second quarter looming ahead for her company. The ring of her mobile phone distracted her from her thoughts for a moment. Clarke had barely said "Hello" when the reporter from National Public Radio got right to the point.

"What do you think about this report that says you're using and manipulating children?"

"I almost drove off the road," recalls the president of Circle 1 Networks, the parent company of children's web sites KidsCom.com and KidsComJr.com. "[The Center for Media Education] had issued a report that companies were using the Internet to engage in false and deceptive advertising practices. We were the smallest company on the list."

The report alleged that a number of companies, including Kellogg's, Mattel and the parent company of KidsCom, among others, were improperly collecting private information about children and that these practices were in violation of Section 5 of the Federal Trade Commission Act, which deals with unfair and deceptive trade practices. According to Clarke, the report placed the company squarely in the middle of a Federal Trade Commission (FTC) investigation. In addition, a formal complaint was filed against the company. Clarke and her staff cooperated fully with the investigation, amending their information collection practices, and, ultimately, the FTC did not prosecute the company. The report and subsequent investigation, however, laid the groundwork for the 1998 Children's Online Privacy Protection Act (COPPA), one of the first and most sweeping pieces of privacy legislation, which prohibits the collection of personal information from children under the age of 13 without parental consent. While a typical bill often takes several years to make its way through the federal legislative process, COPPA was passed approximately four months after the FTC made its recommendations to Congress.

"It proves that Congress is willing to move at Internet speed if it perceives a need for privacy legislation," says Dr. Steven Lucas, chief privacy officer for The Privacy Council (www.privacycouncil.com), a Richardson, TX-based consulting, education and technology support firm. He and many experts agree that we're just seeing the tip of the iceberg when it comes to the responsibilities and liabilities that businesses will face when it comes to protecting private information collected online. Bloodthirsty privacy advocacy groups are pushing for tighter controls on what information can be collected and how it can be used while blowing the whistle on sites that are in violation of current laws. And in this case, size doesn't matter - the little guys are just as responsible for privacy protection as the sites with household names.

"The more important factor [than the size of the business] is what information does it collect and how does it use it," counsels Dana Rosenfeld, an attorney with the FTC. "If the site is in the business of gathering and using personal information, it will have more responsibilities than other companies."

That data collection usually happens in one of two ways, explains Richard M. Smith, chief technology officer of the Denver-based Privacy Foundation, a nonprofit organization which researches and publishes information about technologies that may invade personal privacy. Voluntary data collection happens when a consumer freely gives information to a site, often to complete a transaction. This information may include name, billing and shipping addresses, e-mail address, telephone number, credit card number and other information. Tacit data collection is done without the participation of the site visitor, usually through technological tools such as cookies, which are small pieces of text that a site asks the browser to store on the visitor's computer and send back with every later request to that site. A cookie can track such data as how often a visitor returns to a site and which sections of the site are accessed, among other things. Cookies generally cannot identify individual users unless the user voluntarily gives that information to the site, for example by registering or placing an order.

Another popular tool is the clear GIF or Web bug, a tiny graphic embedded in a Web page or e-mail whose only purpose is to record that the page or message was opened. The Web bug is often one pixel by one pixel and transparent, and therefore invisible, but when the browser or e-mail program fetches it, the server behind it can log the IP address of the computer accessing the site or e-mail, the time the information was accessed and, for a Web page, the referring site (the browser passes along the address of the page that linked to the current one). Tacit data collection is usually used to gather such aggregate information as levels of site traffic and how visitors are finding the site.

While most Web bugs record no more than a cookie does, some are personalized: an identifier for the recipient or customer is written into the image's address, so that fetching the image ties the IP address, time and browser to a specific person. When voluntarily disclosed information is linked with tacitly acquired information in this way without the customer's knowledge, that's a problem, says Lucas. Such misleading practices can put a site in violation of fair information practices in the eyes of the FTC. And that often means that the site is in violation of the law.
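To make the mechanism concrete, here is an added example, written for this edit and not taken from the article or from any company it names. It shows both sides of a personalized Web bug: a small scanner that spots the invisible pixel in an HTML e-mail and reads the identifier its address carries, and the join a tracking host can then perform between its access log (tacit data: IP address, time, browser) and the registration list the identifier came from (voluntary data). The e-mail, the log lines, the customer table, the host name "track.example" and the "uid" parameter are all constructed for the example.

```python
"""
Added example (not from the article): how a personalized Web bug ties an e-mail
open to a named person. The HTML, log lines, customer table, the host
"track.example" and the "uid" parameter are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


# --- Recipient side: find the beacon in an HTML e-mail or page ---------------
class BeaconFinder(HTMLParser):
    """Collect <img> tags that look like tracking pixels: 1x1 images fetched
    from a remote host whose address carries a query string (the identifier)."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlparse(a.get("src", ""))
        tiny = a.get("width") == "1" and a.get("height") == "1"
        if tiny and url.scheme in ("http", "https") and url.query:
            self.beacons.append({"host": url.netloc, "params": parse_qs(url.query)})


def find_beacons(html):
    parser = BeaconFinder()
    parser.feed(html)
    return parser.beacons


# Constructed sample: a newsletter whose pixel address carries the recipient id.
SAMPLE_MAIL = """
<html><body><p>Thanks for registering!</p>
<img src="https://track.example/px.gif?uid=4471&c=spring" width="1" height="1" alt="">
<img src="https://cdn.example/logo.png" width="120" height="40">
</body></html>
"""

# --- Tracking-host side: what the access log records -------------------------
# Constructed Common Log Format lines as the beacon host would write them.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2002:09:14:03 -0500] "GET /px.gif?uid=4471&c=spring HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.22 - - [12/Apr/2002:09:20:41 -0500] "GET /px.gif?uid=9902&c=spring HTTP/1.1" 200 43 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Apr/2002:11:02:17 -0500] "GET /px.gif?uid=4471&c=spring HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" '
    r'\d+ \d+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Voluntarily given data (from the registration form), constructed here.
CUSTOMERS = {"4471": "alice@example.org", "9902": "bob@example.net"}


def opens_by_person(log_text, customers):
    """Join each pixel fetch (IP, time, browser) to the e-mail address the uid
    was issued to. This join is exactly the linking of tacit and voluntary data
    the article says must not happen without the user's knowledge."""
    result = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        uid = parse_qs(urlparse(m["path"]).query).get("uid", [None])[0]
        person = customers.get(uid)
        if person is None:
            continue  # unknown or missing identifier: nothing to link
        result.setdefault(person, []).append(
            {"ip": m["ip"], "time": m["ts"], "ua": m["ua"]}
        )
    return result


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_MAIL):
        print("beacon to", b["host"], "carrying", b["params"])
    for who, opens in opens_by_person(SAMPLE_LOG, CUSTOMERS).items():
        print(who, "opened", len(opens), "time(s); first from", opens[0]["ip"], "at", opens[0]["time"])
```

The scanner deliberately ignores the full-size logo, which is loaded from a remote host too: what marks a beacon is the combination of an invisible image and an identifier in its address. A site that wants to collect only aggregate traffic figures can drop the per-recipient parameter and keep the same pixel; the log then still counts opens but can no longer be joined to the registration list.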

"I can sum up fair information practices as say what you do and do what you say," he explains. "If I say I'm going to collect your data and sell it to the first person that comes along with a dollar, and you agree to that, then I can sell the information to the first person that comes along with a dollar, as long as doing so doesn't violate any existing laws."

One of the easiest ways to clearly inform your site's visitors about information practices is to post a thorough and accurate privacy policy on your site which states how you collect information and what you do with it. In fact, privacy policies have become the latest must-have text for online businesses. Just ask Mike Thompson. The president and CEO of Alexandria, VA-based Clip Genius, LLC (www.clipgenius.com), an online media clipping service, spent several months and thousands of dollars developing a privacy policy that would explain the site's policies on information gathering and usage in clear and easy-to-understand language. Still, the temptation to make up some of those costs by selling information to other companies was definitely there.

"We were approached by a direct marketing company that told us once we collected at least 2,000 business e-mails we could cycle them out every three weeks for some bizarre amount of money," Thompson says. "So many people online feel that is a violation of their privacy that it makes better sense to be more protective rather than to risk losing customers."

Lucas adds, "[Your privacy policy] should not be a legal document that acts as CYA. It should be a marketing tool. It should be used to educate the consumer on what information the site collects and how it is used."

How Much Protection Is Enough?

In addition to limiting the amount of information collected from users to the bare essentials and perfecting his privacy policy, Thompson has taken a number of other steps to protect private information within his offices. The company's accounting system runs on a computer with no Internet access, in a different physical location from the servers that hold the operational data. User-specific data is housed on a server located in a locked room, where all of the information is encrypted and only a limited number of employees have password access. A designated staff person regularly searches for and applies security patches for network and other software. The server and all hard-copy data are located in locked rooms with limited employee access. Lock combinations are digital, so that if an employee leaves the company they can be changed in a matter of seconds.

Think Thompson's gone overboard? Lucas doesn't. In fact, he says, the biggest threat to privacy security is on your payroll.

"Seventy percent of security breaches are internal," explains Lucas. "The same amount of data is lost from external hacking as is lost from fires or floods."

Following Thompson's lead, businesses need to think beyond technological and on-site safeguards for private information. In addition, online businesses need to consider the privacy policies of vendors or strategic partners who may have access to their customers' information, even if those businesses do not have an online presence. For instance, if your business subcontracts a service such as its billing, it's important to have an agreement about how the information will be kept confidential.

At What Price Privacy?

But good privacy practices don't come cheap. While security patches for various software packages are usually free, you need to designate a consultant or staff member to monitor new patches several times a week. Hourly fees for services like encryption, securing firewalls and other programming functions can range from $75 to $100 per hour or more. Reconfiguring your office to limit physical access to private information can cost as little as the cost of a few new locks to footing the bill for more drastic security measures such as alarm systems and redesigning office space to include physical barriers.

"We've spent in excess of $10,000 in hard cash [on privacy measures]," Thompson says. "Once you start including programmer time, we've probably spent in excess of $25,000. It adds up. When you're a start-up, those hard dollars hurt."

Those numbers pale in comparison to the privacy price tag of Clarke and her team, who spent nearly $125,000 on measures to bring the KidsCom sites into compliance with COPPA. This includes the staff time that is spent logging parental consent for young children to share certain information with the site, as well as hardware and software security and other measures that Clarke declined to disclose. According to Clarke the well-intentioned privacy legislation has driven many small children's sites out of business.

"The cost has definitely driven out many of the small publishers. Those who are left are those who have a greater motivation than profit and the large corporations," she says. "Any time you try to do something with legislation, it has unintended consequences."

Privacy and the Law

If that's true, we're in for a bumpy ride. According to Lucas, the 106th session of Congress spent 51 days of the legislative agenda discussing the more than 100 privacy-related bills. Chris Hoofnagle, legislative counsel to the Electronic Privacy Information Center (EPIC), puts that number at more like 65 to 70 bills. Still, add to that the more than 1,000 bills being hammered out at the state level, and it looks like businesses will need to pay more attention to privacy whether they like it or not. Washington, DC-based Hoofnagle believes that most legislation will be passed on a sector-by-sector basis.

"America has always adopted a path where we adopt laws that address particular sectors," he says. "Over and over, we've adopted technology-specific legislation. I think it would be highly unlikely for our country to go toward a data protection act that legislated all areas of data collection."

There are currently four primary pieces of legislation relating to the use of online information in the U.S. In addition to COPPA, the Gramm-Leach-Bliley Act requires that companies dealing in financial services, such as banks, retailers issuing credit cards, mortgage brokers, appraisers, tax preparation services and others, disclose to customers how their information is collected and to whom it is sold. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) allows individuals to limit with whom medical information may be shared. Finally, Section 5 of the Federal Trade Commission Act deals with any business that is engaged in unfair and deceptive business practices, both online and offline. Of course, since Web businesses are usually accessible to a global audience, the site may be subject to the laws of the various countries in which it does business.

Lucas believes that by the end of 2002, we'll see the federal legislature pass basic minimum standards of disclosure relating to the collection and use of private information obtained online. Still, others believe that passing laws that apply only to online businesses punishes e-commerce players. Enter Vince Sampson, vice president of public affairs for the Association for Competitive Technology (ACT), Washington, DC.

"We don't believe that an online-only privacy law is the way to go," he explains. "You end up punishing online businesses when companies like Sears are collecting information and are not limited in how to use it."

Sampson claims that ACT's polls have shown that nearly 90 percent of those surveyed support a privacy law that governs both online and offline businesses, and that more than half of those surveyed believe that enforcement of current laws is more important than passing new legislation.

Thompson is one of those people. "I'm terrified of the privacy legislation that's floating out there," he says. "The potential for additional cost and lost time is huge. That's another reason why we kept the data we collect to a minimum."

This Means You

Sure, you may be thinking, but I'm a small business. Who's ever going to know if I don't comply with my privacy policy or if I'm in violation of a couple of laws? Ignoring the law can cost you in more ways than one, say the experts.

"There are a fair number of [watchdog] groups that like to play the 'Gotcha Game,'" advises Smith. "You'll have a fair number of people looking over your shoulder if you're in business." The FTC's Rosenfeld adds that all businesses should have proper safeguards for keeping private information private and that this will be the focus of much policy debate in the future.

Still, it's not just the legalities of lax privacy protection that can burn businesses, say many of the experts. Customers are becoming more aware of privacy issues and more concerned that their data is not being shared without their permission. Cultivating trust, says Lucas, should be a key motivation for protecting privacy.

"Privacy can be used as a competitive advantage," says Lucas. "Businesses that maintain a clean record on privacy have a greater chance of succeeding."

Meanwhile, Smith says that one of the best ways to avoid the problems that come with protecting private information is to rethink collecting it in the first place. He says that most businesses adopt a "pack rat" approach to information, collecting as much as possible whether they need it or not.

"As a company, I'd be concerned about tracking users to the nth degree because you're probably wasting your time," says Smith. "There's a certain cost of collecting and processing that data and the jury's still out on whether it buys you much in terms of increased sales."

While the jury's also out on exactly how privacy protection best practices, protocols and legislation will look even a year from now, most agree that adopting clear policies now, and informing customers of them, may be a key step in preventing overly zealous legislation in the future. And those same steps will cultivate stronger customer relationships.

Don't Even Think About It

While many privacy-protection measures are just good business practices, there are a number that are necessary by law.

  • Thou shalt not violate your privacy policy. If you say you do one thing and then do another, you may be in violation of Section 5 of the Federal Trade Commission Act (FTCA).
  • Thou shalt not collect personal information from users under 13 without parental consent. This is required by the Children's Online Privacy Protection Act (COPPA).
  • Thou shalt not share financial or health information you have collected without permission from the individual. The Gramm-Leach-Bliley Act applies to financial information, and the Health Insurance Portability and Accountability Act (HIPAA) protects health care information.
  • Thou shalt not link personally identifiable information, such as registration information, with information collected tacitly, such as that obtained through cookies, without the user's knowledge. This is a potential violation of Section 5 of the FTCA.


Depending on your industry, you may be subject to additional requirements. The best way to protect yourself and your business is to have an attorney who is familiar with your industry evaluate the privacy-protection measures you are taking.

If you need to change your policies, for example when you must share information with an outside party as part of the sale of your company, it is possible to do so. You simply have to notify customers that your policy is changing and give them an opportunity to opt out of having their information shared, says Richard M. Smith, chief technology officer of the Privacy Foundation.

"As long as operations will remain similar, it's usually not a big deal," says Smith. "The new owner can send a notification to customers asking for their permission to transfer the account."



Do You Need a Privacy Consultant?

Finding your way through the privacy jungle can be a daunting task for those who have been dealing with the issues for years. It's no wonder that a slew of experts, from solo practitioners to multinational firms, are offering assistance in the form of privacy consulting. So, when it comes to getting your own privacy initiatives and protection in good shape, shouldn't you tap a little experience-for-hire?

It depends on whom you ask. Richard M. Smith, chief technology officer for the nonprofit Privacy Foundation, says that you probably don't need a privacy consultant for most situations. Smith says that most smart e-commerce operations farm out their data collection and purchasing functions to a hosting service or vendor with strict privacy procedures. However, Smith does say that privacy consultants can be helpful in certain situations, such as when a company collects sensitive data.

Dr. Steven Lucas believes that privacy consultants are a great idea and can be utilized by many online businesses. In the business himself, Lucas is the chief privacy officer of the for-profit Privacy Council. Lucas believes that consultants can be a big help in a variety of privacy-related situations - even when you're hiring that e-commerce or information vendor.

"It doesn't have to cost a fortune," says Lucas. "Even for a few thousand dollars, you can get about five to 10 hours of consulting, which might be all you need."

When hiring a consultant, both agree on the basics: Reputation and experience. Smith adds that price can also be a consideration, as well as how you get along with the representative.

"I would get back to how they react when you bring up your concerns about privacy," he advises. "Tell them 'This is our policy' and see how they measure up."



Copyright 2002 Gwen Moran.
This material may not be reprinted in any form without permission from the author.







Gwen Moran   ·   Wall Township, NJ, USA   ·   732-280-7047
