Grammy Winners Hogwarts Legacy Review 'Last of Us' Episode 5 Coming Early Frozen Yogurt Day Freebies Super Bowl Ads Super Bowl: How to Watch Popular Tax Deduction Wordle Hints for Feb. 6
Want CNET to notify you of price drops and the latest stories?
No, thank you

Accounting companies tackle online privacy concerns

Online privacy policies are becoming so important for dot-coms that they are increasingly being overseen by companies that normally scrutinize the bottom line.

Online privacy policies are becoming so important that dot-coms are increasingly turning to old-economy consultancies for high-priced evaluations of their policies.

Travel site Expedia, for example, will announce today that it has rewritten its privacy policy and has undergone a rigorous privacy audit from Big Five accounting firm PricewaterhouseCoopers.

The move mirrors

Meta Group says a privacy audit by a Big Five accounting firm is a nice marketing move by, but questions still remain regarding online privacy.

see commentary

similar efforts by online businesses to clarify privacy practices and reassure consumers about how personal information will be collected and shared. In many cases, such action is a response to emerging industry regulations, consumer concern about Web site tracking practices, and increased litigation against companies not fully disclosing these practices in their online privacy policies.

"What's emerging is what some call 'the perfect privacy storm,' where laws and public relations disasters are intersecting at an accelerating pace and companies are looking for help," said Dave Steer of Truste, a nonprofit advocacy organization that issues a so-called privacy seal of approval for online businesses.

As a result, PwC and other major accounting firms, such as Ernst & Young and Andersen Consulting, are stepping in to help Internet businesses deal with legislative and regulatory issues concerning privacy, as well as with emerging industry standards and consumer expectations. They make sure companies don't skirt the issue of data-sharing with partners or omit part of their tracking practices within a privacy policy, for example.

For PwC and several others, a privacy seal of approval is a part of their offerings.

"All the Big Five are moving in this direction pretty fast," said Larry Poneman, who heads the privacy practice at PwC. "Companies are asking for privacy audits, and all of the firms are saying it's not a difficult stretch."

The services are big business, too. PwC charges $15,000 for its privacy seal and up to millions of dollars for an audit, depending on the size of the business, Poneman said. Companies such as E-Loan, Mastercard and DoubleClick are PwC clients.

Launched last December, PwC's "BetterWeb" program competes with other verification organizations such as BBBOnline (the Better Business Bureau's online arm) and Truste. These programs historically have focused on disclosure: As long as a company provides certain wording in its privacy policy and is up front about its practices, it can get a seal. But that's often not enough in today's heated climate.

"Disclosure isn't the full monty; the full monty is ensuring the company is doing what they say they do. That's why an audit is valuable," Poneman said.

Many industry experts say that while many of the programs are well-intentioned, they lack teeth.

Truste, a first-mover in online privacy seals, has gotten a tarnished reputation in the industry for turning a blind eye on alleged violations. Last year, Truste sponsor and member RealNetworks was criticized for snooping on consumers through its RealJukebox software. But Truste didn't take action against the company because it said the matter was out of the area it governs, which was the Web site itself.

"The irony is that many of these seal programs are turning into the Internet version of the old-boy network," said Ira Rothken, an attorney specializing in Internet law. "If they're being paid by the organization that they're supposed to monitor, the questions framed to them may not be the questions that privacy advocates would ask."

Click here to Play
Online privacy policies under attack
Privacy advocates generally say that privacy programs are necessary. But the common question is: Who's guarding the guards?

"I like the notion of a trusted third party officially blessing sites on privacy because, as a consumer, I am not going to spend the time to check their privacy policy," said Craig Nathan, chief technology officer at privacy start-up

"But the watchers cannot be paid by the people being watched; otherwise, they (have an economic incentive) to turn a blind eye," Nathan said.

Some question the integrity of a relationship between a company and a paid auditor as well. "Many times the hard questions aren't asked," Rothken said.

But the auditors beg to differ.

"We start out with the regulatory and legal components that affect that company in its industry; we look at industry standards and privacy codes; we look at their stated privacy practices; we look at their competitors; and we look at the highest bar on consumer expectations," said Brian Tretick, a principal with Ernst & Young.

"We don't just placate them and tell them how lovely they are," he said.

Many more industry groups are likely to create privacy regulations and seal programs, industry watchers say. In addition, consumers will increasingly buy from brands they already trust on the Web.

Expedia rewrote its privacy policy to make it easier to understand and to clarify that customer information isn't sold or given away. It also states that customers have access to the personal information held by Expedia and have the option to delete any information, Levine said.

"It's a competitive differentiation," said Expedia spokeswoman Suzi Levine. "What's important to us is more than our words being good but that our product lives up to what we say."

Navigating the delicate waters of online privacy issues has become a daily challenge for Internet businesses because many are not in compliance with emerging regulations.

 CNET Radio
Suzy Levine marketing director 
Explaining the new privacy policy. 
• RealAudio
• Windows Media
For example, financial services companies need to comply with privacy provisions within the Gramm-Leach-Bliley Act by July 2001. In August, PwC released a report that two-thirds of the Web sites operated by the 50 largest banks did not offer the privacy protections mandated by the law.

Expedia's announcement comes at a time when former parent company Microsoft faces criticism for its tracking practices across the MSN network of sites, including Expedia. came under fire last week by privacy advocates for retooling its privacy policy to include a clause that allows the sale of customer information in the event of a buyout.

Such attention on these matters will most likely mean added business for the likes of PwC and its competitors.

"Amazon tried to do all the right things, to announce the realities of its practices, and they got a lot of negative attention. Something like this happens, it affects everyone else; it's a reactionary world right now," said Ernst & Young's Tretick.