Making Privacy A Policy

Poor Ignorant Soul: “Our insurance office has been notified that a new federal law regulates what we can do with the information we collect from our customers. When do these regulations go into effect and what do we need to do to comply? Also, what about the big boys like Amazon.com? Do they have the right to turn around and sell the information they collect about me?”— Chris Smith, Bainbridge Island

Ignoramus: A year ago, good business practice turned into law when Congress approved the Gramm-Leach-Bliley Act (GLB), one of the most significant consumer-protection laws ever enacted. Although the privacy provision of the GLB became effective in November 2000, full compliance by businesses was delayed until July 1, 2001.

The July deadline is now looming. To comply, businesses must not only create privacy policies or revise existing ones, but also spend money to tell their customers about the policy via e-mail and snail mail. And they must train employees to safeguard the data, too. The Federal Trade Commission and state justice departments promise to create a legal nightmare for those that do not comply.

The GLB regulates what financial institutions can do with the information they collect from customers. And this law does not affect only banks — the term “financial institution” is defined broadly, catching any company that offers any kind of financial service. A travel agent who sells travel insurance or an auto dealer that finances cars is swept into this definition.

The law requires financial companies to have a privacy policy that explicitly states with whom the company shares its information, and also requires an opt-out provision. In addition to posting the privacy policy online, the company must mail a copy to its customers every year.

Amazon Changes Its Tune
In an “open letter” to Amazon Chief Executive Officer Jeff Bezos, KCPQ Tech Analyst Frank Catalano criticized Amazon’s revision of its privacy policy last fall. In that revision, Amazon stated that any customer information can be shared with any Amazon partner. Amazon explained that the change came about due to the need for a clearer policy.

“But if clarity — and not outright ownership of all customer information — was Amazon’s goal, why not make the new policy effective the date of the change for only subsequent transactions?” asked Catalano. “If I’d been surreptitiously buying Spice Girl’s items, I could stop, knowing full well future purchase information might be shared,” said Frank. “But the new policy was applied retroactively for all purchases and shows no option for removing any purchase information. I expect many customers now pause before hitting the ‘Place Your Order’ and some don’t hit the button at all.”

Hiring a CPO — Chief Privacy Officer
The initials “CPO” could be the next big thing in corporate CXOs (the initials for chief fill-in-the-blank officer). About 100 companies have appointed CPOs, according to Privacy and American Business, a nonprofit think tank that predicts there will be about 1,000 CPOs by the end of this year and 2,000 by next year. Businesses without a privacy post usually let marketing officials or the CEO deal with compliance and training.

One of the first duties that a new chief privacy officer will have to tackle is rewriting the privacy policy to comply with the new law. The policy details with whom a company shares data and allows customers to opt out of having their information sold to third parties. Once the policy is completed and posted on the website, a company will have to mail it to its customers every year, a significant expense that will affect smaller businesses more significantly. Depending on a business’s size and whether it outsources the mailing, the cost could run anywhere from a few thousand dollars to a few hundred thousand dollars, say experts.

Educating Your People
The GLB also requires companies to train their employees so that they too understand what the law requires and protect customers’ data from landing in the wrong hands.

One company, which shall remain private, launched an intra-company “Privacy Week” when the CPO and CEO held a town meeting explaining the new privacy rules. Days later, the two officers roamed the halls and randomly asked employees questions about the law. Those who answered correctly won movie tickets, doughnuts and buttons that look like stop signs and proclaim, “Stop and Think Privacy.”

In a recent survey by Miller Brown Interactive, an e-commerce consulting group, nearly 93 percent of Americans strongly agreed that companies should not sell or share personal information without permission. Close to 70 percent of respondents said that the government should do more to protect privacy on the Internet.

The GLB is not the last word on consumer privacy. Legislation that has been introduced in Congress and in 28 states across the country is much more restrictive. It is almost certain that Congress will take up privacy again in the very near future and states will get tougher.