Online privacy policies

Internet users seem concerned about how organizations may use or abuse personal information supplied online, whether such information is supplied willingly or without informed consent.
This can be a disincentive to online purchasing: website characteristics that convey security and privacy have been found to be the most reliable indicators of purchase intent. Similar attitudes exist within the business community, albeit for different reasons. The picture is also enduring: in a three year survey of online companies it was found that privacy was consistently the most important policy issue.

Online personal information

There are a number of distinct elements to the fears that people have regarding online capture of personal information. Perhaps the most important is the fear of fraud. Fraud online, as offline, can occur through deception or through data interception. In both circumstances, there has been a failure to apply the principle of informed consent.

Other potential misuses of personal information are not necessarily fraudulent but still represent a failure to apply the principle of informed consent. An organization may collect contact details and other information about visitors to its website in order to profile customers, and use the profile to target further communications for marketing purposes. Although, significant numbers of internet users have falsified their personal details when registering at websites in an attempt to curtail dissemination of their personal data.

Personal information collected by an organization may be passed to other organizations for a variety of reasons. The most innocent is when a host organization has sub-contracted out part of the service on offer, and as a result must pass on some personal information about its customers in order to deliver the service. For instance, many online retailers use logistics companies to make deliveries, which necessitates the transfer of name and address details. Perhaps we should regard this as a case of implied consent, since the requested delivery cannot occur without transfer of data.

Personal information may be referred on to business partners for targeted marketing purposes. It may be sold on to otherwise unconnected organizations for similar use. Current legislation, particularly in Europe and the US, has sought to restrict this sort of activity. However, some reports suggest that the growth in the quantity of personal information held in large databases has made it possible to obtain, for a price, almost any item of information about almost anyone.
Trustworthiness

Trustworthiness is an intrinsic reality that abides in one or both of the partners to a transaction. Its perception, particularly in the beginning, by the other partner depends critically on the perception of certain extrinsic forms (signs, labels, messages, etc) that are understood to represent the presence of underlying trustworthiness. The most important extrinsic form for commercial transactions is control. Over time, trust deepens, and the extrinsic forms become less important. As a relationship acquires its own history, there is more to go on than just external appearances and thus the appearances become secondary.

"Many organizations have been worried about damage to trade if consumers do not feel they could place sufficient trust in online transactions."

The internet as a medium still suffers a relative lack of history, and thus, by association, so do all businesses that transact within it. Therefore the first and least dispensable step for anyone who seeks to establish relationships that involve trust on the internet is to satisfy their partners' needs for control, mostly of security and privacy. Thus trustworthiness is the perception of confidence in the partners' reliability and integrity. It is this that influences an organization's internet strategy.

Organizational internet strategies

Many organizations have been worried about damage to trade if consumers do not feel they could place sufficient trust in online transactions. This is in addition to legislative pressures such as those from, for example, the national laws arising from the European Data Protection Directive. Organizations seek to respond to these concerns in three main ways:

Most e-commerce sites have adopted practices and technologies that give some assurance regarding confidentiality, authenticity, integrity and non-repudiation. These include security protocols, security measures such as firewalls, constant vigilance by network administrators, administrative procedures and physical security of buildings. All help to protect against intrusion, fraud, and other threats to personal information.

Some organizations have joined one or more third party certification schemes, such as TRUSTe and VeriSign. These provide some independent verification that an online organization is trustworthy. Depending on the scheme, some redress may be available if consumers believe they have been treated unfairly.

Many organizations have published on their websites a statement of policy that aims to make explicit how that organization deals with information provided by visitors to its website, including its customers. The adopters of privacy policies hope to reassure the wary, and thereby to overcome the disincentive to trade. A privacy policy also functions as part of the overall branding and image of an organization. Its presence, its location, its prominence, its style and its contents carry explicit and implicit messages about the organization.

The extent of adoption of privacy policies turns out to be quite high but not consistent across different countries. For example, a survey of 149 commercial sites in nine countries found that on average 42 per cent contained a privacy policy. The rate was higher in the developed West, but differences did not follow a simple regional pattern. The USA led with 80 per cent of sites displaying a policy, while both the UK and Canada narrowly exceeded 60 per cent. In the middle range, Singapore scored 54 per cent, China 39 per cent and Venezuela 38 per cent. The rate for some countries was much lower, with Brazil and Germany at only 18 per cent, and none of the 17 Hungarian sites displayed a privacy policy at all.

Recommendations to practitioners

Privacy policies should be made effectively available to all users. This can be achieved by ensuring that:

There is a prominent link to the policy on the main home page.

The policy is readable for a general audience.

The policy minimally covers OECD (Organization for Economic Cooperation and Development) guidelines. That is, it includes content relating to notice, choice, access, security/integrity and enforcement/redress. Where any of these aspects do not apply, the policy should state this explicitly.

The policy restates (where necessary) compliance with relevant national law.

The policy is tailored specifically to the information processing practices of the host organization, and is regularly audited to ensure that compliance is maintained over time.

There is also an argument to be made that privacy policies should be sensitive to the individual user and the context of use, in the same way that other aspects of website presentation and content are often now customized.

The use of automated online privacy policy tools is not recommended. There may be attractions in being able to create a privacy policy quickly, cheaply and with minimum effort, especially for small businesses, but there are doubts as to the validity of such a policy in any but the most routine circumstances, and it is likely that important aspects of online privacy will not be addressed.

It is clear that many organizations have embraced the publication of an online privacy policy with some seriousness, gauged in a number of different ways. These include the prominence of a policy on the organization's website, its detailed content and length, and other characteristics such as its style and readability. However, some of the most prominent policies are still very limited in their content or suffer poor readability. Overall, many organizations still have considerable work to do, before they can be seen to "walk the talk" in relation to their privacy policies.

Source: www.managementfirst.com