With approximately 50 privacy-related laws scheduled for review in Congress, numerous privacy violations continuing to steal headlines, and countless privacy groups popping up everywhere, privacy is being positioned as the next legal frontier. But in the rush to litigation, we've failed to notice that we don't even have a general consensus of what privacy really is.
American privacy issues are essentially being defined by legal actions, instead of having laws enacted to enforce a generally accepted consensus. The result: Rather than proactively contributing to a debate that could dramatically alter the corporate/consumer relationship, American businesses are in a wait-and-see mode.
It's time to achieve a consensus, and the appropriate forum to facilitate the debate is not Congress or the courts...it's in boardrooms across America.
Corporate America is regarding privacy as a compliance issue, taking a very linear stance designed to pacify legal concerns. Privacy statements, for example, are written as safeguards against litigation, ignoring the more important objective of creating relationship parameters that both businesses and customers can feel comfortable about.
Privacy statements feel like a parking-garage disclaimer or a "hot coffee can burn" sign, and therefore become part of the legal Muzak of daily life and can be safely ignored. One of the most insidious problems with formalized, rubber-stamp privacy certifications (both internally through a dedicated chief privacy officer and externally by industry self-regulation organizations) is that they can lull a company into a false sense of security.
Altogether, it's becoming increasingly obvious that privacy policies aren't satisfying long-term maintenance of customer relationships. Really, they're only prenuptial agreements that legally entitle corporations to a very one-sided marriage with customers.
Most opt-out privacy policies, for example, are effectively useless for the average consumer since most companies reserve the right to modify their policy by posting the change on the Web site. The idea that any but the most privacy-militant consumers would constantly "poll" Web sites of products and services that they use is ludicrous. Even if the policy has changed, the stated change will deal with potential activities, not actual ones, and as such will be hard to assess ("We may share this information with third parties"). Opting out takes determination because it usually requires written notification or an hour-long telephone call.
The number of publicized cases that highlight the downside exposure from mishandling consumer information has been steadily increasing. For instance, Eli Lilly recently settled Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site. Apparently an Eli Lilly employee sent an e-mail to all 669 subscribers to the site's medical notification service and inadvertently put all their addresses in the "to" line of the e-mail. As part of the settlement, Eli Lilly has agreed to implement an extensive and expensive security program including training, writing procedures, security audits and annual reviews.
The FTC got involved because of privacy claims that had been made on the Web site, but what would have happened if it had been a widespread "outing" of thousands of people involved in a clinical trial for a herpes medication or a drug that combats schizophrenia?
Furthermore, challenges to unsanctioned uses of consumer data are beginning to come directly from customers instead of advocacy groups, and the complaints have nothing to do with privacy policies. For instance, Qwest Communications International announced that it was temporarily backing down from its stated intention of using telephone customer-calling information for marketing purposes in other divisions of the company.
All about customer relationships
At some point in the near future, I believe that most companies will be held publicly accountable for how they have handled customer information in the past. Even if the government doesn't get directly involved in these issues (which is wishful thinking), civil litigation--and possibly even class-action lawsuits--always has the potential of forcing companies to open their kimonos.
Lawyers achieve consensus through formal contracts and refine it through judicial interpretation. Business, of course, doesn't actually work this way. Good business is ultimately about good relationships. A business deal that is based on less than sound principles is doomed to fail, contract or not. Written contracts are mandatory, just as some privacy legislation is needed, because they provide an objective mechanism for resolving ambiguity in case of a dispute.
However, they are not a substitute for the stated or implied promises that constitute the actual business deal.
Expectations are more than anticipation of a list of features; they are also emotional attributes that reflect how the purchaser expects to feel about the product or service (or themselves) after the purchase. Customer expectations about product capabilities define the market segment; differentiated expectations between product offerings are defined by the brand.
Brands are more than awareness; they are also an implied promise from a company to a prospective customer. The stronger promises take a great deal of time to be believed and are based upon the company and/or the product's reputation. A strong corporate reputation earns a consistently higher P/E ratio in the public markets. A strong brand is essentially free marketing against lackluster competition. The intensity of the customer's expectations is directly proportional to the strength of the brand.
It is easy to fall into the trap of using legal restrictions and regulatory covenants to create a universal definition of a prickly issue like privacy by defining the boundary conditions of acts that are impermissible. Using yes-or-no compliance as a litmus test creates a dichotomy that encourages heated debate without truly understanding what the issues and associated trade-offs are. As a result, current developments are doing little to guarantee the long-term happiness of businesses and consumers.