The Politics of Standardized Privacy

Trust is the key to any business relationship. Without it, deals don't happen and customers don't make purchases. But on the Internet, trust can be a very difficult thing to earn. A large segment of the general public is already cautious about doing business online, having heard countless horror stories about people being victimized by sites that track their movements through the Web or launch guerrilla marketing attacks against them. And if you don't have a brick-and-mortar presence or a name-brand identity, how do potential business partners or customers even know who you are?

Moreover, the issue of protecting confidential information is getting more sensitive every day. We're already awash in online sources for goods and services, and each company wants to gather as much information as possible about its customers. Although the volume of business-to-business and business-to-consumer transactions shows no signs of slowing down, e-commerce won't continue to thrive if the Net develops a reputation as a den of beggars, tramps, and thieves.

To win consumer confidence, you must give visitors easy access to your company's privacy policy to determine if it meets with their approval. That's not new. But what is new is that many businesses and consumers are now clamoring for standardized privacy policies across the Internet.

The goal of standardizing privacy is to establish consistent standards that everyone recognizes and trusts. Yes, costs are involved: You have to pay to establish a privacy system and conduct ongoing audits to ensure compliance, and you may lose a valuable resource if fewer customers submit their data. But in most cases, the benefits of increased consumer goodwill outweigh those losses. And as more sites implement customer-friendly privacy policies, the squeeze on businesses that don't comply will only increase: Customers will come to expect privacy policies to be laid out and may decline to deal with sites that don't comply.

One popular approach is the privacy certificate. Companies that offer certificates, such as Trust-e and BBBOnline, will analyze your site's privacy policies, looking primarily at how you handle the personal data that users submit and what happens to that information after it has been collected. If your e-business conforms to the expected guidelines, you're permitted to display the Trust-e or BBBOnline graphic on your site, thereby showing the world that users can trust you.

Of course, privacy certificates have their limits. After all, they only indicate that a site has been audited and is compliant with the certifier's guidelines. But what if those guidelines aren't stringent enough to assuage a user's concerns? Even more worrisome is the fact that privacy certificates have not yet been widely adopted, and thus are not always recognized by Web surfers. That brings us back to the initial problem: If users don't know who's certifying a site, why should they trust the certificate?

To that end, a number of universal privacy standards are currently in the works. One of the most advanced is the Platform for Privacy Preferences Project (P3P) being developed by the World Wide Web Consortium (W3C).

The P3P is a standard that specifies how sites communicate their privacy policies to users. For your site to be P3P-compliant, you must provide your privacy policy in a machine-readable format so that your site's policy can be compared against a user's personal P3P settings. Users are warned whenever a site's privacy policy doesn't mesh with their own settings. This way, customers aren't forced to read the privacy policy of every site they visit, and sites can proceed with their data gathering and storage practices with a clear conscience.

The effects of P3P on business will be both positive and negative. On one hand, visitors are more likely to reveal personal information if they're told what it will be used for, but on the other, that information will be harder to get.

In any case, P3P cannot guarantee that sites will not collect and use personal information against a user's will. Companies that falsify their privacy policies could trick users into revealing information that they normally wouldn't disclose. But at least it's a start. Without some kind of standards-based approach, users have no hope of knowing how a site will treat their information -- and no added incentive to do business with you.

The P3P standard will also affect how Web sites are designed and run. Adopting P3P involves first establishing a policy and having your legal department verify it (specific information about how your company will handle visitor information must be put in ink). Next, your site administrator uses a P3P policy development tool to wrap this information into a machine-readable file that is placed on your Web site. The actual P3P document is stored in XML, with specific tags and options to hold your company's privacy policy information.

P3P is backed by some of the biggest names in the online economy. Companies such as Microsoft Corp., AT&T Corp., and IBM Corp. have already rewritten their privacy policies to comply with the P3P standard. Meanwhile, other companies are developing tools to allow machine-readable P3P policies to be easily customized. This is the kind of industry support that's expected to fuel P3P's momentum.

Remember, the Web is like any other marketplace: To succeed, you must do more than offer a quality product or service. Once more corporate decision-makers and end-users become aware of the issues surrounding privacy invasion, the Internet will become an even more dominant form of commerce.

Kevin Railsback ( is the West Coast technical director for the InfoWorld Test Center.


Standardized privacy policies

Business Case: A privacy policy that complies with universal standards lets potential customers see what kinds of information your Web site is collecting. You may lose the advantage of a large pool of customer data, but you'll win back revenues via increased consumer confidence.

Technology Case: Establishing a standardized policy requires a minor amount of site development and refinement. Some companies are developing tools to let site administrators publish machine-readable, P3P-compliant privacy policies without manual coding.


+ Increased visitor comfort and confidenceCons:

- Site administrators must comply with occasional audits- User data will be harder to collect.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about AT&TIBM AustraliaMicrosoftW3CWorld Wide Web Consortium

Show Comments