Tech Industry

The privacy imbroglio

Former Network Solutions CTO David Holtzman warns against using legal restrictions and regulatory covenants to create a universal definition of a multisided issue like privacy.

One of my favorite expressions is: "When all you have is a hammer, the whole world looks like a nail." Whenever I read an article about privacy issues, I can hear lawyers hammering away like deranged cobblers.

With approximately 50 privacy-related laws scheduled for review in Congress, numerous privacy violations continuing to steal headlines, and countless privacy groups popping up everywhere, privacy is being positioned as the next legal frontier. But in the rush to litigation, we've failed to notice that we don't even have a general consensus of what privacy really is.

American privacy issues are essentially being defined by legal actions, instead of having laws enacted to enforce a generally accepted consensus. The result: Rather than proactively contributing to a debate that could dramatically alter the corporate/consumer relationship, American businesses are in a wait-and-see mode.

It's time to achieve a consensus, and the appropriate forum to facilitate the debate is not Congress or the's in boardrooms across America.

Corporate America is regarding privacy as a compliance issue, taking a very linear stance designed to pacify legal concerns. Privacy statements, for example, are written as safeguards against litigation, ignoring the more important objective of creating relationship parameters that both businesses and customers can feel comfortable about.

Privacy statements feel like a parking-garage disclaimer or a "hot coffee can burn" sign, and therefore become part of the legal Muzak of daily life and can be safely ignored. One of the most insidious problems with formalized, rubber-stamp privacy certifications, (both internally through a dedicated chief privacy officer and externally by industry self-regulation organizations), is that they can lull a company into a false sense of security.

A privacy policy, unfortunately, does little to maintain customer intimacy. Relationships are based upon trust and trust is created based upon how expectations are met or not met over time. Consumer expectations are defined by the marketing message, not by the fine print in service agreements or privacy policies. This "implied contract" is the true relationship and should be managed at the profit-and-loss level.

Privacy statements feel like a parking-garage disclaimer or a "hot coffee can burn" sign, and therefore become part of the legal Muzak of daily life and can be safely ignored.
The term "privacy," when applied to commerce, is too ambiguous and highly charged to use to describe a key element of a business' relationship with its customers. Developing a healthy, long-term relationship with customers enhances a company's reputation and the strength of its brands. But these valuable relationships are hardly the focus of today's litigious approach to privacy.

Usage of consumer data is one of the thorniest privacy issues on the table for businesses today. Companies associated with violating consumer privacy via third-party data sharing are finding just how thin the privacy policy veil is when it comes time to be accountable to customers.

Altogether, it's becoming increasingly obvious that privacy policies aren't satisfying long-term maintenance of customer relationships. Really, they're only prenuptial agreements that legally entitle corporations to a very one-sided marriage with customers.

Most opt-out privacy policies, for example, are effectively useless for the average consumer since most companies reserve the right to modify their policy by posting the change on the Web site. The idea that any but the most privacy-militant consumers would constantly "poll" Web sites of products and services that they use is ludicrous. Even if the policy has changed, the stated change will deal with potential activities, not actual ones, and as such will be hard to assess ("We may share this information with third parties"). Opting out takes determination because it usually requires written notification or an hour-long telephone call.

The number of publicized cases that highlight the downside exposure by mishandling consumer information has been steadily increasing. For instance, Eli Lilly recently settled Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Web site. Apparently an Eli Lilly employee sent an e-mail to all 669 subscribers to the site's medical notification service and inadvertently put all their addresses in the "to" line of the e-mail. As part of the settlement, Eli Lilly has agreed to implement an extensive and expensive security program including training, writing procedures, security audits and annual reviews.

The FTC got involved because of privacy claims that had been made on the Web site, but what would have happened if it had been a widespread "outing" of thousands of people involved in a clinical trial for a herpes medication or a drug that combats schizophrenia?

Furthermore, challenges to unsanctioned uses of consumer data are beginning to come directly from customers instead of advocacy groups, and the complaints have nothing to do with privacy policies. For instance, Qwest Communications International announced that it was temporarily backing down from its stated intention of using telephone customer-calling information for marketing purposes in other divisions of the company.

There was an enormous customer outcry against this plan, resulting in several states urging Qwest to reconsider. Arizona even said that it was willing to sue if necessary. It's worth noting that Arizona was completely in line with its privacy policy and the state had provided an opt-out mechanism. It's also interesting that this is standard operating procedure in the telecommunications industry and that Qwest is now the first telecom company to commit to not sharing customer information within different business units in the company.

All about customer relationships
At some point in the near future, I believe that most companies will be held publicly accountable for how they have handled customer information in the past. Even if the government doesn't get directly involved in these issues (which is wishful thinking), civil litigation--and possibly even class-action lawsuits--always have the potential of forcing companies to open their kimonos.

It's becoming increasingly obvious that privacy policies aren't satisfying long-term maintenance of customer relationships.
Corporate management owns the strategic direction and mission of the company and is accountable for setting how the company wants to be perceived in the market. So profit-and-loss managers should be held responsible for how their customer relationships are handled by auditing them for adherence to the desired company image. This is not a legal decision; it's a bottom-line business decision.

Lawyers achieve consensus through formal contracts and refine it through judicial interpretation. Business, of course, doesn't actually work this way. Good business is ultimately about good relationships. A business deal that is based on less than sound principles is doomed to fail, contract or not. Written contracts are mandatory just as some privacy legislation is needed because they provide an objective mechanism for resolving ambiguity in case of a dispute.

However, they are not a substitute for the stated or implied promises that constitute the actual business deal.

Expectations are more than anticipation of a list of features; they are also emotional attributes that reflect how the purchaser expects to feel about the product or service (or themselves) after the purchase. Customer expectations about product capabilities define the market segment; differentiated expectations between product offerings are defined by the brand.

Brands are more than awareness; they are also an implied promise from a company to a prospective customer. The stronger promises take a great deal of time to be believed and are based upon the company and/or the product's reputation. A strong corporate reputation earns a consistently higher P/E ratio in the public markets. A strong brand is essentially free marketing against lackluster competition. The intensity of the customer's expectations is directly proportional to the strength of the brand.

It is easy to fall into the trap of using legal restrictions and regulatory covenants to create a universal definition of a prickly issue like privacy by defining the boundary conditions of acts that are impermissible. Using yes-or-no compliance as a litmus test creates a dichotomy that encourages heated debate without truly understanding what the issues and associated trade-offs are. As a result, current developments are doing little to guarantee the long-term happiness of businesses and consumers.