
Commentary: Net privacy, the perennial issue

Although consumers may talk a great deal about the importance of privacy, their actions frequently tell a different story.


Polls of consumers show contradictory impulses when it comes to privacy. While some studies anoint privacy concerns as the No. 1 barrier to growth of e-commerce, others indicate that only 1 percent of consumers are concerned about the issue.

Our research indicates that although consumers may talk a great deal about the importance of privacy, their actions frequently tell a different story. In fact, it is surprising how willing people are to give away all kinds of personal information for very little return. Businesses need to remember that privacy is a quid pro quo issue, and they need to give consumers something in return for providing information about themselves. They also need to set forth clear privacy policies that comply with regulatory guidelines and set clear expectations for how information will be used.

However, companies should not underestimate the difficulty of enforcing a privacy policy consistently across their organizations. The problem is that companies collect a great deal of information about both business customers and consumers in their various business systems. To reap value from this information, they often want to distribute that information widely in-house.

This distribution may cross what consumers consider "business boundaries" when, for example, a banking group shares information with the insurance unit of a financial services conglomerate. Moreover, information may be distributed to external business partners as part of a company's overall supply-chain or customer-relationship management effort. The more people who gain access to that information, the greater the danger that it will be disseminated inappropriately.

At some point, when information is collected and made readily available, it becomes more difficult to ascertain what is intended to be "private" vs. "shared," particularly when personal preferences and individual privacy thresholds differ. Corporate policy development is a critical first step to highlight the importance of privacy issues and increase protection of private information. As a next step, monitoring for potential or real abuses, and providing examples of them, is critical to setting boundaries within the organization.

The role of the CPO
We estimate that more than 150 U.S. companies--including AT&T, Mutual of Omaha, Nationwide, American Express, Eastman Kodak, Citigroup, Verizon, Prudential Insurance, General Motors, Providian and McKessonHBOC--now have chief privacy officers (CPOs) in place. This high-level role helps organizations institutionalize privacy management in ongoing business operations.

In some instances, the CPO role is driven by regulatory needs--for instance, by the mandates imposed by laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). In other situations, companies are putting these positions in place to monitor legal trends, enforce privacy compliance, raise employee awareness, assist in consumer affairs and public relations, lobby legislators, and communicate with regulators, government bodies, commercial partners, and advocacy organizations.

Not all organizations need a CPO. Those that should consider instituting this role include organizations that collect a great deal of information from consumers and have a business model based on selling or exploiting that information; that are in a diversified business such as financial services with multiple business entities communicating among each other internally; or that work closely with a wide range of business partners with whom they share information.

Congress, the Bush administration and the public are more interested in the faltering economy, a potential energy crisis, education, the environment, and other issues. Privacy policy is likely to take a back seat. Any action that Congress does take will likely be in response to a privacy disaster that becomes public and makes front-page news--for instance, if a health insurance company gained access to the private health records of a large number of people and denied health insurance or raised premiums based on that information. Even then, Congress most likely would produce a "window dressing" bill with no real effect.

We believe that this Congress is unlikely to pass meaningful privacy legislation and that if it did, the Bush administration would probably kill it with a pocket veto. Congress has yet to act to create meaningful security and privacy laws for health care information, despite a specific HIPAA provision requiring action by 1999, enacted during a previous administration that presumably was more sympathetic to individual privacy needs.

However, Congress is not the only legislative body involved. International companies--in effect, most companies doing business over the Web--must also be concerned with meeting potential privacy requirements in other regions, particularly in Europe where the European Union is more active regarding online privacy. To address these issues, U.S. companies should use the Department of Commerce's safe-harbor program to protect themselves from prosecution, public embarrassment, and interruption of business operations by certifying compliance with basic privacy protection principles.

The range of the privacy issue
Businesses should also remember that consumers are only one constituency in the privacy discussion. Organizations also have privacy responsibilities for information they gather from employees, trading partners, and business customers. Privacy is also important for investor relations, public relations, and stakeholder relations. Privacy issues apply just as strongly to companies in the supply chain that have private information on a large number of business customers as they do to companies such as Amazon.com that sell to consumers via the Web.

One major problem with the privacy debate is that the concept of privacy is nebulous and means entirely different things to different people. Regardless of whether Congress passes any meaningful privacy legislation, businesses owe it to their key constituencies--employees, consumers, trading partners, investors, and business partners--to establish a corporate privacy policy that properly sets expectations for each group regarding how information will be used. The policy should be published, and mechanisms must be put in place to enforce it.

Privacy policies should be clear and unambiguous--unlike some of the nebulous, legalistic or confusing privacy statements that have accompanied consumer credit card statements during the past few months. At a minimum, privacy policies should strive to meet the safe-harbor requirements created between the United States and the European Union to ensure that the policy meets E.U. as well as U.S. guidelines (Fair Information Practices) or regulations (HIPAA, GLBA).

Companies should also recognize that individuals are willing to give up a degree of privacy if they perceive that they are getting something of value in return. Consequently, they should implement permission-based models that establish various levels of information sharing. Consumers can then decide to "opt in" based on perceived or actual value.

Meta Group analysts Dale Kutnick, Jack Gold, Mike Gotta, Jeffrey Mann, Diana Harotian, Val Sribar, David Cearley and William Zachmann contributed to this report.

Visit Metagroup.com for more analysis of key IT and e-business issues.

Entire contents, Copyright © 2001 Meta Group, Inc. All rights reserved.