Polls of consumers show contradictory impulses when it comes to privacy. While some studies anoint privacy concerns as the No. 1 barrier to growth of e-commerce, others indicate that only 1 percent of consumers are concerned about the issue.
Our research indicates that although
This distribution may cross what consumers consider "business boundaries" when, for example, a banking group shares information with the insurance unit of a financial services conglomerate. Moreover, information may be distributed to external business partners as part of a company's overall supply-chain or customer-relationship management effort. The more people who gain access to that information, the greater the danger that it will be disseminated inappropriately.
At some point, when information is collected and made readily available, it becomes more difficult to ascertain what is intended to be "private" vs. "shared," particularly in deference to personal preferences and privacy thresholds. Corporate policy development is a critical first step to highlight the importance of privacy issues and increase protection of private information. As a next step, monitoring and providing examples of potential or real abuses are critical to setting boundaries within the organization.
The role of the CPO
We estimate that more than 150 U.S. companies--including AT&T, Mutual of Omaha, Nationwide, American Express, Eastman Kodak, Citigroup, Verizon, Prudential Insurance, General Motors, Providian and McKessonHBOC--now have chief privacy officers (CPOs) in place. This high-level role helps organizations institutionalize privacy management in ongoing business operations.
In some instances, the CPO role is driven by regulatory needs--for instance, by the mandates imposed by laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). In other situations, companies are putting these positions in place to monitor legal trends, enforce privacy compliance, raise employee awareness, assist in consumer affairs and public relations, lobby legislators, and communicate with regulators, government bodies, commercial partners, and advocacy organizations.
Not all organizations need a CPO. Those that should consider instituting this role include organizations that collect a great deal of information from consumers and have a business model based on selling or exploiting that information; that are in a diversified business such as financial services with multiple business entities communicating among each other internally; or that work closely with a wide range of business partners with whom they share information.
We believe that this Congress is unlikely to pass meaningful privacy legislation and that if it did, the Bush administration would probably kill it with a pocket veto. Congress has yet to act to create meaningful security and privacy laws for health care information, despite a specific HIPAA provision requiring action by 1999, enacted during a previous administration that presumably was more sympathetic to individual privacy needs.
However, Congress is not the only legislative body involved. International companies--in effect, most companies doing business over the Web--must also be concerned with meeting potential privacy requirements in other regions, particularly in Europe where the European Union is more active regarding online privacy. To address these issues, U.S. companies should use the Department of Commerce's safe-harbor program to protect themselves from prosecution, public embarrassment, and interruption of business operations by certifying compliance with basic privacy protection principles.
The range of the privacy issue
Businesses should also remember that consumers are only one constituency in the privacy discussion. Organizations also have privacy responsibilities for information they gather from employees, trading partners, and business customers. Privacy is also important for investor relations, public relations, and stakeholder relations. Privacy issues apply just as strongly to companies in the supply chain that have private information on a large number of business customers as they do to companies such as Amazon.com that sell to consumers via the Web.
Privacy policies should be clear and unambiguous--unlike some of the nebulous, legalistic or confusing privacy statements that have accompanied consumer credit card statements during the past few months. At a minimum, privacy policies should strive to meet the safe-harbor requirements created between the United States and the European Union to ensure that the policy meets E.U. as well as U.S. guidelines (Fair Information Practices) or regulations (HIPAA, GLBA).
Companies should also recognize that individuals are willing to give up a degree of privacy if they perceive that they are getting something of value in return. Consequently, they should implement permission-based models that establish various levels of information sharing. Consumers can then decide to "opt in" based on perceived or actual value.
Meta Group analysts Dale Kutnick, Jack Gold, Mike Gotta, Jeffrey Mann, Diana Harotian, Val Sribar, David Cearley and William Zachmann contributed to this report.
Entire contents, Copyright © 2001 Meta Group, Inc. All rights reserved.