Web-Site Privacy Checklist
Privacy and security are vital to the creation of trust and confidence in a Web site. This holds true whether the Web site operates for business-to-consumer or business-to-business. Web-site operators must protect the confidentiality of information gathered on site visitors, consider consumers’ expectations of privacy, and recognize a growing conflict with personal information gatherers.
In business-to-business marketing, we find the same interrelationships among trust, reputation, loyalty, privacy/confidentiality, and security. Trust building involves privacy and security of transactions and confidential information. Trust infrastructure, trusted transactions, and digital trust are based on the security technologies of digital signatures, biometrics, encryption, intrusion detection of servers, firewalls, and access controls. Site security and soft assets protection of confidential proprietary information are also important.
PROTECTING CONSUMER PRIVACY
Most successful and profitable businesses have a base of loyal customers, and much of this loyalty is based on trust. Consumer privacy protection is vital to the creation of trust, loyalty, and confidence in a business; together they enhance its reputation. As online alliances proliferate in the global economy, companies will increasingly form many new relationships with suppliers, affiliates, and former competitors or through e-business networks or similar associations. Corporate reputations will increasingly be tied to these alliance partners.
E-business companies have had huge up-front acquisition costs for advertising, primarily for brand and name recognition. In many cases this has been a failure, resulting in no name recognition and no money left to run the business or service customers properly. Other companies have managed to get over the cost hurdle and settle in to do business on the Internet. But the more high tech the business environment becomes, the harder it is to build trusting customer relationships that can lead to long-term profits. The Internet is used mostly by Web surfers, making for lots of Web-site “hits” but not loyal customers.
In The Loyalty Effect (1996), Frederick Reichheld set out a model of loyalty economics. Reichheld’s core idea is that companies that cultivate loyal customers, employees, and shareholders consistently outperform the competition. Having a loyalty-based advantage means that customer loyalty and retention result in superior profit and growth. Conversely, emphasizing short-term earnings leads only to cost controls and reductions. According to Reichheld, it all starts with earning a customer’s trust.
Reichheld looks to the creation of value to the customer, with loyalty “inextricably linked to the creation of value as both a cause and an effect.” As an effect, loyalty measures the delivery of superior value by the company, such as repeat customers. As a cause, loyalty sets off a series of economic effects, such as revenue and market share growth, employee retention, productivity increases, and loyal investors. Reichheld’s concept of “loyalty economics” is crucial to e-businesses seeking to create and hold consumer trust.
If you want customers to trust your Web site—and have the confidence to buy online—privacy and security are vital. Does your Web site pass the test? © 2002 Wiley Periodicals, Inc.
Paul Shaw
© 2002 Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.10069
E-COMMERCE PRIVACY PRINCIPLES AND POLICY
Web sites and the Internet have great potential for raising privacy liability risks. A conflict between the site operator and the user is almost inevitable because a key reason for a business to have a Web site is to market its products or services, whereas a key reason a person visits a particular Web site is to examine its marketing information. When marketer and consumer meet, the dynamics of information exchange occur and privacy problems may take shape. The Web-site business usually desires as much information on a current or potential customer as it can get. The business may obtain information openly, by asking, or surreptitiously, through the use of techniques that use the information residing on the customer’s computer.
Web-site operators need to be aware of potential privacy problems that can cause legal liabilities, as well as very bad publicity. Businesses gather information on site visitors by using cookies or other browser features that allow information to be read off or written to a computer’s hard drive. Cookies are a means for Web-site operators to obtain and store information about their users and to use that information for various marketing purposes. Users often do not know about this method of information gathering.
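As an added illustration that is not part of the article: the first question a site operator faces when assessing cookie use is simply which cookies the site sets, for how long, and for whom. The Python script below inventories the Set-Cookie headers a site returns and classifies each cookie as session or persistent and as first-party or third-party, which is the information needed to answer the cookie item in Exhibit 1 and to decide what the privacy notice must describe. The host name, cookie names and values are constructed for the example and are not from any real site.

```python
"""Inventory the cookies a Web site sets, to help answer the Exhibit 1
question "Does your site collect personal information from site visitors
through cookie files?".

Added example, not part of the article. The Set-Cookie headers below are
constructed for illustration; in practice you would feed in the headers
captured from your own site's responses.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample: a hypothetical host and the Set-Cookie headers one
# page load might return. None of the names or values are real.
SITE_HOST = "shop.example"
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/; Max-Age=2592000",
    "visitor_id=7f3a9c; Domain=.ads.example; Path=/; "
    "Expires=Fri, 01 Jan 2027 00:00:00 GMT",
    "cart=old; Path=/; Max-Age=0",
]

# Constructed assessment date, so the Expires comparison is reproducible.
AUDIT_REFERENCE_TIME = datetime(2026, 1, 1, tzinfo=timezone.utc)


def _lifetime(morsel, now):
    """Session, persistent, or deleted, from the Max-Age/Expires attributes."""
    max_age = morsel["max-age"]
    expires = morsel["expires"]
    if max_age != "":
        return "deleted" if int(max_age) <= 0 else "persistent"
    if expires != "":
        return "deleted" if parsedate_to_datetime(expires) <= now else "persistent"
    return "session"  # no lifetime attribute: gone when the browser closes


def _party(morsel, site_host):
    """First-party if host-only or scoped to the site's own domain."""
    domain = morsel["domain"].lstrip(".").lower()
    if not domain:
        return "first-party"
    host = site_host.lower()
    if host == domain or host.endswith("." + domain):
        return "first-party"
    return "third-party"


def audit_set_cookie_headers(headers, site_host, now=None):
    """Return one record per cookie: name, lifetime, party, and security flags."""
    now = now or datetime.now(timezone.utc)
    records = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; Attr=...; Flag"
        for name, morsel in jar.items():
            records.append({
                "name": name,
                "lifetime": _lifetime(morsel, now),
                "party": _party(morsel, site_host),
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            })
    return records


def needs_disclosure(records):
    """Names of cookies that outlive the visit or belong to another party:
    the ones the privacy policy and consent form should describe."""
    return sorted(r["name"] for r in records
                  if r["lifetime"] == "persistent" or r["party"] == "third-party")


if __name__ == "__main__":
    recs = audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS, SITE_HOST,
                                    AUDIT_REFERENCE_TIME)
    for rec in recs:
        print(rec)
    print("Cookies to disclose:", needs_disclosure(recs))
```

On the constructed sample the script reports the session cookie as first-party with no disclosure need, the 30-day preferences cookie as persistent, the advertising cookie as a persistent third-party cookie, and the cart cookie as a deletion; the two cookies it lists for disclosure are the ones a visitor would expect the privacy notice and consent form to cover.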
A customer may, of course, give information to the Web-site business freely and without caring what the business does with it. On the other hand, before giving out personal, marketing-relevant information, the customer may want something in exchange and may want to know exactly how personal information is going to be used.
The trick for a Web-site business is to turn privacy concerns into a business plus, rather than a minus. Handling privacy concerns effectively may also have a long-term benefit for all Web-site owners: It may hold off more restrictive laws and government regulation on how business can be conducted on the Web.
PRIVACY PROTECTION POLICIES AND PRACTICES
An effective privacy protection policy should have three concurrent objectives:
1. To minimize intrusiveness: Create a proper balance between what an individual is expected to divulge to a company or Web-site owner and what the individual seeks in return. The company should explain its information needs, collection practices, and information controls and security.
2. To maximize fairness: Give individuals a right of access to their records and information for reviewing, copying, and correcting.
3. To create a legally enforceable expectation of privacy: Develop and define obligations regarding uses and disclosures that will be made of collected and recorded information about an individual. Restrict the Web-site operator’s or record keeper’s discretion to voluntarily disclose information about an individual.

Exhibit 1
Web-Site Operator’s Privacy Assessment Checklist
The following checklist should be used to assess a Web site’s compliance with privacy protection requirements:
❑ Does your site collect personal information from site visitors through cookie files or electronic registration forms?
❑ How does your site use a visitor’s personal information?
❑ What kinds of information are collected about site visitors?
❑ How will this information be used, and is there a user consent form covering company and third-party use of the information?
❑ Can visitors opt in or opt out of your marketing database or mailing list?
❑ Is the information current and accurate for its intended use?
❑ Can visitors look at, change, or delete any collected personal information?
❑ Do you describe the kinds of legal actions that would force the release of personal information to a third party?
❑ Does your site have a visitor’s personal information privacy policy?
❑ Is your privacy policy or information disclosure notice posted on your Web site?
❑ Are your information privacy practices audited by an independent third party, such as an accounting firm, and are the results of the audit available to the Web-site user?
The Journal of Corporate Accounting & Finance
PRINCIPLES OF PRIVACY AND INFORMATION PROTECTION
The following principles should guide Web-site operators’ collection and use of private information:
1. Don’t collect information unless its need and relevance have been clearly established.
2. Don’t collect information fraudulently or unfairly.
3. Use information only if it is accurate and current.
4. Individuals have the right to know of information stored about them, why it has been recorded, and how it is collected, used, and disseminated, as well as the right to examine that information upon request.
5. Provide a clear procedure on how the individual can correct, delete, or amend inaccurate, obsolete, or irrelevant information.
6. Ensure the reliability, integrity, and availability of collected, maintained, used, or disseminated personal information, and take precautions to prevent its misuse.
7. Provide a clear procedure and safeguards to prevent personal information collected for one purpose from being used for another purpose or disclosed to a third party without an individual’s consent. Also provide a right to notification of disclosure of information.
8. Federal, state, and local governments should collect only legally authorized personal information.
Does your Web site follow these standards? See the checklist in Exhibit 1.
Since 1974, federal and state laws have incorporated these principles of privacy protection. Most laws cover individuals’ right to see and copy information collected about them, correct or amend such information, and seek redress of grievances or injury caused to them as a consequence of the use of inaccurate data. Record-keeping organizations must always be concerned that their information is up-to-date, complete, and secure. Data collection, dissemination, and security are all important. Organizations are responsible for verifying data they collect and for correcting any false information they knowingly pass on to another party. Organizations cannot argue, as a legal defense, a general presumption of accuracy regarding third-party data they use or transmit.
May/June 2002
Paul Shaw is the editor and publisher of Computing and Communications: Law and Protection; Communications: Law and Protections; and Assets Protection, periodicals with a circulation of more than 4,000 individuals. He is also the coauthor of Avoiding Cyber Fraud in Small Businesses: What Auditors and Owners Need to Know, also published by John Wiley & Sons. This article is adapted from that book.