Full Disclosure In An Environment Of Trust
The Net Perceptions Position on Internet Privacy
As two recent actions fully illustrate, privacy has become a hot button issue in the marketplace. A key component of a new banking law Congress will soon pass calls for banks to fully disclose their privacy policies and requires them to ask the permission of customers before sharing their data with other private companies. Meanwhile, the revelation by an independent programmer that Real Networks gleaned information from Real Jukebox users led to an embarrassing spate of bad publicity for the company, despite the fact the data had never been used for sales and marketing.
The cases point to the need for companies doing business on the World Wide Web to have strong privacy policies. In that regard, Net Perceptions has a policy in place which discloses to clients how the personal information they provide will be used to offer a more personalized level of service and product selection. They have the ability to opt out. Full disclosure creates an environment of trust between Net Perceptions and clients, leading to a more fruitful and honest business partnership.
Net Perceptions believes consumers must have the right to say no and expect the company doing the asking to honor their decisions. The ability to opt out must be part and parcel of every privacy agreement: A consumer who says no to sharing data should not find his email or mailbox full of offers resulting from a company which shared his data in spite of his request for privacy. Such actions destroy the environment of trust online merchants seek to create. They also torpedo the entire industry's efforts toward self-regulation and honesty.
The Debate
Consumers have a right to control over their personal information, especially in a climate where huge corporations own so much of the market. The opportunity for abuse could be great if companies do not protect the privacy of their customers. Privacy has been long regarded as an essential right in the United States and, as of late, in Europe, where the European Union will likely pass a set of strict guidelines protecting citizens from unwarranted intrusions by business and government. Wise corporations will devise their own stringent guidelines, if only to prepare for potential government oversight and laws.
Companies with a heritage of trustworthiness will have little trouble gaining permission of consumers who seek value and convenience in shopping on the Web. In an environment of trust, consumers will see the value of autologin convenience at news and e-commerce sites, for example, as well as personalized Web site content. Many will perceive as valuable email messages from favored merchants describing sales and special promotions and personalized Web sites concentrating on products they will find of use and interest. The exchange of personal data for value may result, furthermore, in members-only discounts and other attractive features.
By understanding purchasing habits and the interests of customers, a company can provide consumers a less cluttered online environment of buying opportunities and personalized Web sites. Consumer profiles can and must create an economic value for both the consumer and the company.
Just as consumers enjoy the convenience of power centers in the brick and mortar retail world because they can buy so much at a small number of large stores (Office Max, Target, Wal-Mart, grocery stores), so will more of them discover the appeal of online shopping. They'll come to comprehend the concept of trading a small amount of data in return for personalized product selections and discounts based on their profiles and purchasing patterns. Convenience and selection are largely why consumers decide to shop at certain locations, such as malls and power centers. The same is true on the Web. If the experience will be a convenient one, augmented by technology providing a personalized experience, they will opt to share personal data.
After all, many consumers freely offer information today in pursuit of free vacations, computers, prize drawings and other contests. Is it unlikely they will offer data to e-commerce companies, especially those with clear, concise and reliable privacy statements? Absolutely not.
The value equation is real. Give a little, get a little. Trouble can arise, however, when consumers give up more than they get, when the perceived or real value doesn't add up. If they provide personal data and receive little convenience or personalized service, they will wonder why they bothered. If they discover they gave up their personal profiles only to be graced with spam emails and direct mail they never anticipated, they will seek recourse. They may sever relationships with vendors who shared their information without their knowledge or take it one step further and hire a lawyer. A company violating its own privacy statement may see a class action suit in its future.
Net Perceptions believes a well-established privacy policy that will not be violated under any circumstances is the best strategy for success in e-commerce. It believes describing how personal information will be used and allowing consumers to opt out is the best insurance against lawsuits, government regulation and angry customers.
Background
In the retail world, the Web is the new kid on the block. E-commerce is growing rapidly, with several billion dollars in transactions expected within the next few years on the consumer side alone. As with any new industry, few established norms of conduct exist. The more egregious examples of online privacy violations invariably make the headlines and land on television news, while hundreds of thousands of transactions a day are handled silently and routinely on the Web.
Of course, retail and catalog companies experienced their own learning curves in the past. Over time, they eventually determined when it is appropriate to ask for home phone numbers and addresses and when it simply irritates consumers. In the case of warranties, consumers gladly turn over personal information in return for protection. Catalog companies, too, eventually realized when consumers would accept more personalized product offerings based on interests, age, gender and other profiles.
The Internet world remains within the learning curve, still climbing but not quite there yet. Asking consumers to allow their clickstream data to be used to provide them more relevant Web content and advertising seems, well, Orwellian at first. Consumers have yet to determine whether they find sharing this kind of data (which can be difficult to describe to a non-technical audience) is acceptable to them. Moreover, government regulators and activist groups have been diligently crafting policy papers and potential legislation to protect privacy online, but the law has clearly not kept pace with technology.
As the Internet grows to become an appliance as common as television and telephones and industry and government regulation comes online, these issues will fall into place. For the time being, the best policy is to allow consumers to decide whether and how much personal information they wish to provide to e-commerce companies. They should understand the trade of personal information will allow them convenience and value but still have the option to opt out.
Companies operating on the Net must tell customers the following:
- The information being captured. Users have to be told what information is being used by the company, from purchasing record to name, family size, income, neighborhood, educational level, hobbies. Net Perceptions notes that information being captured in non-intrusive ways, such as purchasing histories and Web site usage, must be described to users in privacy consent decrees. Companies capturing information only in the aggregate or anonymously should still disclose, even if a client's personal data is not being used in any way.
- The information's intended use. If the data is to let users know of impending sales or new products they might like, those facts should be disclosed. If the information will be shared with other subsidiaries of the company, that, too, should be described to users. Companies may want to offer choices to consumers: can we share your profile with others in partner companies of our corporation, or would you prefer we confine its use to our business? This would reduce the need to clarify some policies in the future.
- The method of use. Will the company only use the information to direct information to customers on its Internet site, or will it be used for direct mail solicitations? Does consent mean email newsletters and other email notices? The company should fully disclose whether the data will stay within its online environment or be shared with its direct marketing division and give users a choice, as the best sites do now, of whether they want to receive email or mail updates, news and...
- How the company benefits. A little self-disclosure goes a long way. The company should describe how the information will be used to serve customers better by focusing their efforts on giving them what they need based on interests and purchasing record. An explanation of why targeted marketing saves the company and the consumer time and will potentially result in lower prices is a concept most consumers understand.
- How the consumer benefits. Obviously, in the quid pro quo environment described, telling the consumer how he benefits should be the easiest part of any privacy policy. Consent should result primarily in convenience and economic value. There needs to be a reason for relinquishing even a small amount of personal data.
The language of any privacy statement must be clear, concise and readable. Too often, privacy statements read like legal documents, dull verbiage intended to make readers skip to the "I agree" button. It is a legal document but it can, and should, be written in a language everyone can understand. And it should be available in multiple translations for global audiences if the e-commerce site expects to sell internationally.
The consumer must have the choice of agreeing to these terms or opting out. In return, e-commerce companies have to abide by that decision: they must not share data with others if their privacy policy disallows it, and they must not intentionally personalize the site or sell the names of those who opt out. They have to create an unbreachable environment of trust concerning the protection of consumer data.
The same issues e-commerce companies struggle with in the privacy arena are undergoing the same scrutiny in Washington, where legislators and regulators wrangle over laws intended to protect consumer privacy on the Internet. They are attempting to strike a balance between over-protecting and under-protecting consumer information, calibrating the fine line between the potential for great convenience and value, and abuse by small numbers of merchants. Though no easy task, the general consensus of Washington continues to track with the Net Perceptions model: ask for consent, allow for the opt out, do what you say or be prepared to face the consequences of potential legal action and inevitable public relations debacles.
Net Perceptions differs with Congress's efforts slightly in one area. We favor consent, of course, but current legislation calls for Web sites to provide a great deal of privacy verbiage consumers must plow through. The process could be better controlled by automation efforts underway by browser companies such as Microsoft and Netscape through the use of P3P (Platform For Privacy Preferences). A better method employing technology such as P3P would do more to protect consumers' privacy than more uneasily-digested paragraphs describing a company's privacy policy. It would allow consumers to control what information they will share through pre-determined selections they make using their browsers. This would give Web sites the option of a short agreement statement instead of forcing consumers to read and approve long-winded privacy statements.
Conclusion
Privacy remains an issue around the world. Internet companies have to comprehend their users' sensitivities and play fair with the information they gather. Users will come to understand, as many already have, that sharing a bit of data will provide them a more personalized experience on the Web, including announcements and deals on products and services they are more likely to buy. To provide them a higher level of service, personal data will be required. It's not an unreasonable request, nor will consumers see it that way.
In return for that information, e-commerce companies must create an environment of trust. They must have a clearly written privacy statement which tells consumers why the information is being collected. They must allow consumers to opt out and use personal data only in ways they said they would in their privacy policies. They must not sell data unless that option is disclosed in the privacy statement. And companies must abide by the promises they make in regard to protection of personal data or risk the wrath of the market, the media and the government.
TRUSTe
Begun in 1996 by two privacy advocates who met at a conference sponsored by the writer Esther Dyson, TRUSTe has grown to include hundreds of members, among them Net Perceptions. What TRUSTe offers members is the equivalent of a Good Housekeeping seal to World Wide Web commerce sites.
TRUSTe members agree to have a privacy policy statement, to disclose to users how their personal information will be used, to allow them to opt out (or give permission) and to have in place rigorous data security measures to protect data. The company also provides a Children's Program to protect the privacy of consumers under age 13. E-commerce companies with the Children's Privacy Seal have to fulfill several requirements to earn a TRUSTe license.
In addition, TRUSTe monitors its licensees through periodic reviews of sites, checks to ensure privacy policies are being followed, requires reviews of members by a CPA firm and watches for feedback and complaints from the online community. If a problem arises with a licensee, TRUSTe gives formal notice to the target asking for a response. Should the response prove inadequate, TRUSTe could revoke the license or sue the company in court over breach of contract. The enforcement procedure has been largely untried.
All the Internet's major portals support TRUSTe (Yahoo!, Lycos Network, CNET, etc.), as do ABC.com, AOL, IBM, Microsoft, Lands' End, Novell, Wired Ventures, Netcom, AT&T, PriceWaterhouseCoopers LLP, AdForce, The Industry Standard and others.