Introduction
As we enter the new millennium the World Wide Web ("WWW"), because it collects and disseminates personal information, significantly impacts many personal privacy issues and concerns. One major concern of privacy advocates is that when one travels the WWW from one site to another is not the fact that they knowingly leave personal information at particular sites but that they also leave information at sites without their consent. The collection of personal information will continue to expand as the WWW grows in importance and as a greater number of individuals begin to use and purchase products and services from electronic commerce sites, commonly referred to as "e-commerce sites". For many e-commerce sites it may no longer really be an option to have a "privacy policy" because in reality a privacy policy may already be obligatory or an essential condition for successfully competing in e-commerce.
Developing and implementing a personal privacy policy for the WWW should be a relatively straightforward matter for those sites that collect personal information from visitors. This policy should let the visitor know how and why the site collects the information, how the site plans to use the information and whether this information will be disclosed to third parties. Despite the apparent simplicity involved in developing and implementing a privacy policy there have already been many examples of major WWW companies, such as Yahoo, America Online and GeoCities, and corporations, such as United Airlines, that have become embroiled in privacy issues.
WWW privacy issue problems emanate from a number of varied sources that include (1) uncertainties created by the convergence of new legislation, self-regulation models and WWW standards that are all continually evolving, (2) legislation that although it may be consistent in its approach is often very different regarding specific details, (3) sophisticated software products that permits the tracking and gathering of data and the ability to include such data into customized marketing programs, (4) an increasing commercial demand for consumer information and (5) and a gap that may be widening between what is legal and what may be necessary to prevent major embarrassment for an offending web site.
The complexity of privacy issues involving databases and the WWW is further compounded because it involves a variety of international, national and state laws, self-regulation models and an increasingly evident consumer demand for the protection of one's personal information. The result is that privacy law is constantly changing as the e-commerce environment rapidly approaches a climate where it may become a necessity, as well as legally advisable, for every Web-based business to have a privacy policy on its site.
Establishing and implementing a privacy policy on your site may now be obligatory if your site caters to Europeans, children or is in an industry that regulates the collection of information. With the passage of the "Children Online Privacy Protection Act of 1998" ("COPPA"), which goes into effect in April 2000, having a privacy policy has now become the reality for those sites that collect information from children. However, even when a privacy policy is not obligatory it may already be a necessity for e-commerce sites. This is because of the actions of certain web site owners who have previously gained notoriety and created unfavorable publicity by gathering personal information and exploiting such information without any regard to an individual's wishes and privacy.
A Web-based business requires consumer confidence to be successful. However, even with the significant growth of e-commerce, many consumers will still not register at web sites or transact business on the WWW because of their concern with the privacy of their personal information. Therefore, even though a privacy policy may not as yet be obligatory one may be essential for attracting visitors and potential customers to your site. This is because the posting of a privacy policy on your site should significantly increase consumer confidence in your site and result in increased traffic, registrations and purchasing transactions. Once you have developed and implemented a privacy policy for your site you may further want to instill consumer confidence by becoming a party to a "privacy seal" program such as "TRUSTe" or "BBBOnLine"; these are e-commerce counterparts to the more familiar consumer seal programs such as Good Housekeeping and Underwriters' Laboratories.
Preparing a Privacy Policy
A FTC report, "Public Workshop on Consumer Privacy on the Global Information Infrastructure" (1997), stated that an effective WWW privacy policy must (1) identify the party collecting the information, (2) state how that party intends to use the information, (3) state how a visitor to a particular web site could limit the disclosure of information, (4) provide consumer choice with respect to how the collector of the information could use or disclose the information, and (5) provide consumer access to any information that has been collected. At present, except for the recent passage of COPPA, the FTC's review of WWW privacy has not as yet resulted in formal regulatory action but instead has relied on consumer education on one-hand and self-regulation and policing by trade associations, individual companies and the Internet industry on the other. The FTC's ultimate response will probably depend upon the success of these "informal" privacy policy approaches.
Therefore, if you decide to adopt a privacy policy for your web site or already have an existing one you should make certain that it was or will be done correctly. Many of you may now be asking if there is a standardized privacy policy that you could copy and use on your web site or if you could generate a customized privacy policy by utilizing the resources of the Direct Marketing Association or a "privacy seal" program. The simple answer is "of course you can". However, as with all such approaches the privacy policy you would create will only be a generic policy rather than a policy that specifically addressed the requirements of your business model and the activities taking place on your web site.
The more effective way to establish a privacy policy is to make certain that it specifically addresses all the important issues, including any special legal requirements that may be applicable to your business. Therefore, the privacy policy you develop and implement for your Web-based business must be tailored to your company's specific business requirements, your visitor's privacy concerns and be written in such a manner that it "works" for your web site's targeted audience.
Preparing, implementing and maintaining a functional privacy policy for your company's web site is a company-wide activity that in order to be successful must involve the buy-in and cooperation from the general management, product development, marketing and sales, information services and Web design, and legal constituencies of your company. The process for creating a privacy policy is not really very different than it would be for any other business policy developed for your company. The process should include (1) conducting an audit of what you are currently doing, (2) evaluating your objectives, (3) formulating and preparing your company privacy policies, (4) preparing the design for incorporating the privacy policy on your web site, (5) implementing the privacy policy and (6) establishing maintenance procedures to ensure the on-going functionality of the privacy policy.
The second part of this article will discuss specific guidelines for preparing and implementing your company's WWW privacy policy as well as the specific requirements mandated by COPPA that will effect the design of your site and the services that are targeted toward the children who may visit your site.