SAN MATEO (04/27/2000) - There's nothing like a rash of bad publicity and finger-wagging from politicians to jump-start corporate America on a hot-button issue such as consumer privacy. Slightly more startled by the possibility of a privacy scandal than of facing emerging privacy laws, many businesses are now scrambling to at least appear proactive on privacy issues.
Resonating with many Internet-infused companies is a realization that they must keep intrusive marketing practices in check, by self-policing, before the government steps in. And inactivity could invite both costly lawsuits and burdensome regulations.
With those threats looming, many businesses are now working to weave privacy awareness into their corporate culture. Along the way, most have found that sound privacy practices are good for the corporate reputation, and ultimately the bottom line.
"There is now the understanding that if you don't think through all aspects of privacy, you can run into a negative reaction from the market and from consumers," says Rick Lane, director of congressional and public affairs at the U.S. Chamber of Commerce. "Certainly no one out there wants to follow in the shoes of DoubleClick."
After its high-profile run-in with the Federal Trade Commission (FTC) last winter, DoubleClick Inc. has hustled to get out from under the load of bad publicity that followed. And the measures DoubleClick imparted to get beyond the incident signal in many ways the direction in which the entire industry is slowly moving to head off similar problems.
First, DoubleClick CEO Kevin O'Connor immediately stepped up to take the blame when the company in February began to catch grief from the FTC and privacy advocates over plans to merge a database of names with anonymous user activity.
(Neither O'Connor nor other DoubleClick representatives were made available for this article.)The company then turned proactive, quickly hiring a chief privacy officer and recruiting a former state of New York attorney general to head up the company's new Privacy Advisory Board. Next, DoubleClick kicked off a major consumer awareness campaign designed to educate the public on privacy issues.
Companies that want to avoid embarrassing snafus such as the one DoubleClick experienced -- which hurt the e-commerce industry as a whole, many argue -- should take their cues from these efforts and keep privacy issues in check from the get-go.
Taking it to the top
Internal adherence to the statements posted on a Web site is a serious matter, because the FTC will investigate and often issue fines when those public promises are broken. As a result, one move that many corporations are mimicking is explicitly hiring privacy czars or delegating those functions to top executives.
For example, Gayle Crowell has taken on privacy issues as the director of E.piphany's board of directors. Crowell ensures that the San Mateo, California-based company, which provides new-breed marketing and CRM (customer relationship management), makes good on its internal privacy promises.
E.piphany's business, showing clients how to tap personalization and data-mining capabilities, carries with it a load of privacy implications.
"I try to sit in the middle and educate both sides," Crowell says. To do that, she must ensure that E.piphany is very mindful of privacy implications as it coaches heavyweight enterprise customers, such as Nissan, Hilton, Wells Fargo, and Sallie Mae, in the proper use of these online marketing technologies.
Personalization vs. privacy
Privacy snowballs into a bigger and broader issue as more large corporations and smaller dot-coms realize that personalization (shipping marketing materials to buyers based on data gathered by tracking their buying habits) is an effective way to get above the noise on the Internet.
"Companies more and more are using the data they collect: manipulating it, analyzing it, and sharing it for commercial purpose. There is nothing wrong with that as long as the customer knows they have rights, and the use of the data is fully disclosed," says Brian Smith, an attorney at Mayer Brown & Platt, in Washington, who specializes in Internet consumer privacy issues. He previously served as general counsel and corporate secretary at MasterCard.
"There [are] now technology and methods available to make all of this very clear to customers, and we are finding more and more of our corporate customers thinking about these issues and going out of their way to put up clear disclosures," Smith says.
Many of those companies picking up the pace in this area are motivated by fear that government lawmakers will enact policies that mandate "permission marketing," which would limit direct online marketing to "opt-in-only" scenarios.
"We are a big proponent of 'opt-in' when collecting personally identifiable information. You need to have the consent of the consumer," says Dan Jaye, CTO of Engage, a Raleigh, North Carolina-based company that makes profiling software.
Many businesses, however, don't like opt-in mandates because they require too much time and effort from their customers, who would essentially have to ask for marketing.
"What keeps many small businesses around is the ability to target mailings to potential customers," says the U.S. Chamber of Commerce's Lane. "It would really hurt those businesses if you take that away and they had to blindly send out information."
Increasing market awareness
Along with addressing technology practices, businesses need to begin a dialogue with their customers to make them aware of their own privacy rights and how to exercise them, Lane adds.
Many consumers are without basic information regarding their privacy rights.
For instance, many do not know that privacy violations are separate from identity theft, which involves stealing personal data to commit crime. So consumers are more likely to take out of context the limited information they do have, which often comes in the form of bad press.
In addition to DoubleClick, with its consumer awareness efforts, other groups are looking to combat the privacy misperceptions that could inhibit the growth of e-commerce. The Washington-based Association for Competitive Technology (ACT) has put together a Web site sprinkled with privacy-protection resources (www.netprivacypower.org).
"There are alternatives to regulation. Let market forces and market disciplines do the work," says Jonathan Zuck, president of ACT, which is pushing a market-driven approach to privacy regulation.
Proactive business policies
But many argue that the industry is a little late in making a good-faith show on privacy, scurrying only after a rash of public outcry over incidents involving the Internet and alleged privacy violations.
"I think technology companies in many ways have underreacted," Lane says. "They need to sit up and understand how to apply privacy principles, [and] how to participate in permission marketing."
"Many of those who apply to the program also don't appear to have a clear understanding about granting access to the personal data they have collected," says Gary Laden, director of BBB Online's privacy program, in Ballston, Va. "We then become quickly aware that they have not thought the issue entirely through."
Mayer Brown & Platt's Smith helped a Spanish-education Web site develop a site for children because privacy was a big concern.
"I told this company -- and most of my customers -- what it boils down to is that you have to be honest," Smith says.
In the end, corporate posturing around proactive policies may not be enough.
"It may be an uphill battle," Smith says. "There is unfortunately the general belief that businesses are more concerned with the bottom line than these kinds of niceties."
Ted Smalley Bowen contributed to this article. E-mail InfoWorld Senior Editor Jennifer Jones (email@example.com) regarding this article.
Several initiatives are brewing at both international and national levels of government to address consumer privacy rights.
* European and U.S. government negotiators have been working for more than two years to settle disputes over data protection. Business factions recently struck out against a tentative agreement between the two, saying the proposal would subject U.S. companies to stringent European Union laws. The issue remains unsettled but puts some heat on the United States.
* The Children's Online Privacy Protection Act went into effect recently. The FTC plans to scour the Internet to make sure companies notify parents when data is collected on kids.
* FTC is also working with an industry committee that will advise the agency on privacy, access, and security policies necessary for commercial Web sites. Look for a May report from the FTC on the issue.
* Congress is currently considering an array of privacy legislation over the collection and disclosure of personal information on the Internet.
Bell Atlantic steps up to the privacy platePrivacy-related red flags shot up right away at New York-based Bell Atlantic after a proposal circulated to drive traffic to its Web site by offering an online "reverse directory" that delivers a name and address after a user keys in a particular phone number.
Offering the reverse directory -- a tool designed to help customers identify mysterious phone numbers on their monthly statements -- is just one small step in Bell Atlantic's rapid move onto the Web and away from its old-school phone company roots.
But Bell Atlantic executives say they consistently strive to ensure that the rush to make over the company doesn't trample on consumer rights. Sometimes that means reining in an overzealous marketing, advertising, or other departmental effort.
Case in point: reining in the reverse directory at Bell Atlantic.
"We decided we wanted to give our customers a good, long time to opt out of this before we put the directory up," says Shelley Harms, public-policy director and chief privacy czar at Bell Atlantic.
To cover its bases, Bell Atlantic tagged on to its privacy page some basic information about the initiative and a link to a simple form customers can use to keep their phone numbers out of the directory.
"I think several of our departments have felt like things were going slower than they would have liked because of privacy," Harms says. "But we are really trying to make privacy part of our corporate culture."
Instilling privacy as a core value means Bell Atlantic has had to update its privacy policies, which first hatched in the early '90s. With bastions of personal data behind their walls, phone companies learned long ago about the importance of paying close attention to privacy issues. However, the Internet ushered in new concerns.
As early as 1996, Bell Atlantic had a privacy notice posted on its site, although the notice was difficult to find. With few hits, the notice quickly showed signs of ineffectiveness, so the company now posts a privacy button on every page.
Like many companies, Bell Atlantic is moving beyond the days of lopping a legal-sounding privacy notice onto its Web site. Instead, the company has taken more extensive measures, such as polling consumer groups for feedback on new initiatives and even changing the wording in privacy-policy documents.
"Some folks in the company became aware of the reverse directory idea and came to me about it," Harms explains. "We developed a privacy team and began working with the product information folks."
The team's involvement quite likely caught potential gaffes, such as an oversight that would have led to the inclusion of nonpublished numbers in the project. The group flagged the fact that the unlisted numbers were included in the database being used to build the reverse directory's repository of numbers.
The privacy team's involvement also led to some less obvious changes to the directory's rollout. For instance, domestic-violence shelters were consulted to determine what, if any, danger the directory posed to its residents by including shelter numbers.
"We frequently do other things like customer bill inserts on privacy," Harms says. "From a Bell Atlantic perspective, we have really tried to make this one of our core principles: to tell people what information we are collecting about them and what we will do with it."