Well, both, say a host of industry observers.
Privacy policies, which advocates say are critical to building consumer faith in doing business online, are intended to let surfers know what information will be collected when they visit a site and how data collected will be used or sold to marketers.
Federal Trade Commission Chairman Robert Pitofsky said he hopes other companies will see the wisdom of what IBM is doing and follow suit.
"IBM doing this [alone] isn't going to change things much," Pitofsky said. Big Blue, the first company to take such a step with its advertisers, expects to spend $60 million on Web-based advertising this year worldwide.
Industry observers say there are three forces driving the adoption of privacy policies online: fear of government intervention, pressure from portal operators to make their partners follow their privacy-posting leads, and, last, a push from online advertisers, including IBM, who need to build consumer confidence to get people to buy online.
But progress has been slow.
"A long journey starts with a single step," said Susan Scott, executive director of Palo Alto-based privacy group Truste, who believes other companies will follow IBM's lead.
IBM's idea is "terrific," added Tara Lemmey, executive director of the Electronic Frontier Foundation. "This really stakes a claim about IBM's commitment to privacy," she said.
But IBM's advertisers best take their privacy policies seriously, Scott said.
"They need to abide by it," she said. "If they're saying: 'I will not share your information with a third party,' the company needs to abide by it. The FTC will not shy away from prosecuting companies."
David Sobel, general counsel for the Electronic Privacy Information Center (EPIC) in Washington, D.C., said he doubts IBM's advertising customers will post meaningful policies "with a gun to the head," noting the Web is already plagued by a host of policies that are incomprehensible to consumers.
IBM is recommending that companies visit the Online Privacy Alliance for guidance on how to write a policy. IBM estimates just 30 percent of 800 worldwide customers have done so.
"They're concerned about liability," Sobel said. "It's: We don't want someone to sue us or hold us accountable for what we do."
The bottom line, he said, is that many companies have no interest in providing full disclosure to surfers on how they use information collected on their sites because their business model depends on gathering that data.
Good self-policing entails a sound privacy standard that all Web sites deploy, he said.
While the government is leaning toward holding operators of Web sites accountable for whatever it considers "deceptive practice," other organizations, such as EPIC, are asking for more lenient policies that give individuals the right to seek legal recourse if, for example, a company misuses information they filed on a site.
Meanwhile, Europe, which adopted stricter privacy policies through the European data privacy directive last fall, is pushing America to move in a similar protective direction. If the United States fails to do so, European Union regulators have warned they may move to block transmission of data to the United States.
Nonetheless, FTC Chairman Pitofsky said he favors giving self-regulation a fair chance.
"Self-regulation, if done right, could have a flexibility that legislation and bureaucratic rule-making will never have," he said. But if little progress is made under self-regulation, Pitofsky said, there is little doubt Congress will be forced to step in.