The proverbial wind is blowing towards federal legislation that will make a privacy policy not just a good idea, but also the law.

Web sites would be required to offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities). (FTC 2000)

This section deals directly with the consumers right to "opt-out" of any further use of their information. By opting out, the consumer tells you what use (if any) you can make of their information after the transaction is completed. Now, this means different things to different kinds of web sites. For instance, a retailing web site has a very tangible transaction that has a beginning and a well-defined end. Non-retailing sites have a much more difficult task in defining the end of the transaction when the interaction is a message board or news site. In the FTC Report, they recognize "…that the implementation of these practices may vary with the nature of the information collected and the uses to which it is put, as well as with technological developments." (FTC 2000) With such a gray definition, you are left to act in good faith in the absence of concrete direction, but one option that you should consider is "opt-in" instead of opt-out. By giving your users the option to receive communications from you, you will get a better quality communication because you will only be interacting with users who have already shown interest in what you have to offer; be that a product, service or simply information. The typical response from an untargeted mailing is well under 1%. Not only is that wasted effort, but it may be annoying to your users as well. Keep in mind that if a user decides to opt-out of your information gathering, they may also be opting out of some of the features on your site. For instance, you can only maintain a personalized "wish list" if you are permitted to use the users’ personal identifying information. Look at the Amazon privacy statement where they state, "you can choose not to provide certain information, but then you might not be able to take advantage of many of our features." Let your users know that there is an advantage for them when they give you access to that information.

The third major area outlined by the FTC relates to "access". Here is the section from the FTC Report. "Web sites would be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information." (FTC 2000)

The requirements for implementing access to customer data vary widely from site to site based upon the quantity and type of information that you collect. If the only information that you collect is an email address that you use for a mailing list, then the simple list management services available from the typical majordomo service are adequate. On the other hand, if you are collecting a full user profile, the requirements are going to be somewhat higher. Some sort of self-service capability is usually the most cost effective and the easiest, fastest way for your users to correct their data. This is also one of the most advantageous items from a purely selfish standpoint. We live and die with our customers, and inaccurate customer information puts us more often in the die column. It is in both parties’ interests to make sure that the information is accurate and up to date. The Amazon.com privacy policy makes specific statements concerning the data that can be changed, and provides links directly to the account maintenance functions. A similar format should be very effective for your site.

The final area outlined in the FTC Report requires the disclosure of "security" precautions that you are taking with the users data. "Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers." (FTC 2000)

We have all seen the news articles after one site or another has fallen prey to a hacker, or received an email informing us that our credit card has been stolen. Moreover, while the reality of the occasional hack is uncomfortable, the Fear, Uncertainty and Doubt sown by the technological neophytes in the news media are far worse. For every successful break in, a hundred articles decrying the dangers of the Internet permeate the popular press. "Recent survey data demonstrate that 92% of consumers are concerned (67% are "very concerned") about the misuse of their personal data online…This apprehension likely translates into lost online sales due to lack of confidence in how personal data will be handled. Indeed, surveys show that those consumers most concerned about threats to their privacy online are the least like to engage in online commerce, and many consumers who have never made an online purchase identify privacy concerns as a key reason for their inaction. One study estimates that the privacy concerns may have resulted in as much as $2.8 billion in lost online retail sales in 1999…up to $18 billion by 2002…if nothing is done to allay consumer concerns." (FTC 2000)

Our users are looking to us for reassurances about the safety of their data. In many cases, your privacy policy may be the only direct impact that you can have toward making those reassurances. Take this opportunity to tell your users the steps that you are taking to secure their data during transmission from their browser, and what you are doing to make sure that their data is just as secure sitting on your servers as it would be sitting in their wallet.

Prev: FTC Recommendations Part 1  |  Next: Conclusion