Poor Ignorant Soul: “Our insurance office has been notified that a new federal law regulates what we can do with the information we collect from our customers. When do these regulations go into effect and what do we need to do to comply? Also, what about the big boys like Amazon.com? Do they have the right to turn around and sell the information they collect about me?”— Chris Smith, Bainbridge Island
Ignoramus: A year ago, good business practice turned into law when Congress approved the Gramm-Leach-Bliley Act (GLB), one of the most significant consumer-protection laws ever enacted. Although the privacy provision of the GLB became effective in November 2000, full compliance by businesses was delayed until July 1, 2001.
The July deadline is now looming. To comply, businesses must not only create privacy policies or revise existing ones, but also spend money to tell their customers about the policy via e-mail and snail mail. And they must train employees to safeguard the data, too. The Federal Trade Commission and state justice departments promise to create a legal nightmare for those that do not comply.
The GLB regulates what financial institutions can do with the information they collect from customers. And this law does not affect only banks — the term “financial institution” is defined broadly, catching any company that offers any kind of financial service. A travel agent who sells travel insurance or an auto dealer that finances cars is swept into this definition.
Amazon Changes Its Tune
“But if clarity — and not outright ownership of all customer information — was Amazon’s goal, why not make the new policy effective the date of the change for only subsequent transactions?” asked Catalano. “If I’d been surreptitiously buying Spice Girls items, I could stop, knowing full well future purchase information might be shared,” said Frank. “But the new policy was applied retroactively for all purchases and shows no option for removing any purchase information. I expect many customers now pause before hitting the ‘Place Your Order’ and some don’t hit the button at all.”
Hiring a CPO — Chief Privacy Officer
The initials “CPO” could be the next big thing in corporate CXOs (the initials for chief fill-in-the-blank officer). About 100 companies have appointed CPOs, according to Privacy and American Business, a nonprofit think tank that predicts there will be about 1,000 CPOs by the end of this year and 2,000 by next year. Businesses without a privacy post usually let marketing officials or the CEO deal with compliance and training.
Educating Your People
The GLB also requires companies to train their employees so that they, too, understand what the law requires and keep customers’ data from landing in the wrong hands.
One company, which shall remain private, launched an intra-company “Privacy Week” during which the CPO and CEO held a town meeting explaining the new privacy rules. Days later, the two officers roamed the halls and randomly asked employees questions about the law. Those who answered correctly won movie tickets, doughnuts and buttons that look like stop signs and proclaim, “Stop and Think Privacy.”
In a recent survey by Miller Brown Interactive, an e-commerce consulting group, nearly 93 percent of Americans strongly agreed that companies should not sell or share personal information without permission. Close to 70 percent of respondents said that the government should do more to protect privacy on the Internet.
The GLB is not the last word on consumer privacy. Legislation that has been introduced in Congress and in 28 states across the country is much more restrictive. It is almost certain that Congress will take up privacy again in the very near future and states will get tougher.