Sunday, January 28, 2007

Are Privacy Notices Worthless?

In Computerworld, Jay Cline asks "Are Privacy Notices Worthless?".

In my not so humble opinion, most of them are. Too many are overly long and full of legalese that is meaningless to most of the prospective readers. Too many are simply a regurgitation of blue sky principles that don't provide any information.

In many cases, they are referred to as "privacy policies". I prefer to call them privacy statements, since they are supposed to communicate with customers. Policies are those things in thick three-ring binders in the back office.

You can tell a lot about a company by its privacy statement. It really is an indicator of how the company approaches its customers. If it reads like a fifteenth-century indenture, the company sees the privacy policy as another piece of regulatory compliance that can be tossed over to the lawyer who usually drafts its corporate documents. Often there is a real disconnect between the words in the statement and what the company actually does. (Too often, you see privacy statements that are clearly poached from another company, often in another industry.) On the other hand, if you can read it and gain an understanding of what will actually happen to your information, the company is doing a good job.

What's the real purpose of a privacy statement? At least in Canada, it is part of the openness requirement in PIPEDA:

4.8 An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

The information made available shall include

(a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;

(b) the means of gaining access to personal information held by the organization;

(c) a description of the type of personal information held by the organization, including a general account of its use;

(d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and

(e) what personal information is made available to related organizations (e.g., subsidiaries).

An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.

If your statement doesn't contain that minimum, go back to the beginning.

However, privacy statements are more than that. Companies really need to think about who is going to read it and under what circumstances. Just because very few people read them doesn't mean that we should underestimate their importance.

When someone actually takes the time to read the statement, they are usually either upset about something or actually care about privacy and want to know how you handle personal information. This customer can become a real problem, and your privacy statement is your first (and perhaps last) opportunity to keep them as a customer and prevent any problems from arising. (On a purely practical level, the customer who reads the statement is one who cares about privacy, and these are the kinds of customers that can become difficult.)

If a customer wants to know how you handle personal information, make it staggeringly easy by spelling it out in your privacy statement. If you don't, they will go somewhere else or will ask one of your employees. A privacy statement is an opportunity to clearly answer that question in a very controlled way. The trend towards layered privacy statements, or those with a snapshot summary at the top, is a good way to provide a quick answer to the customer without forcing them to wade through details that may not be relevant to them.

If a customer has a problem or a potential complaint, a clear and meaningful privacy statement will go a long way to providing some comfort. If it's full of legalese, the customer becomes less trusting and increasingly alienated. The statement should answer their question and lead them quickly to the resolution they are looking for. If not, they'll be madder when they finally reach the right person.

Your privacy statement should not be worthless. You should treat it as an important communication opportunity with your customers. It is perhaps the first and last chance to keep your customer and to avoid an unpleasant complaint.

And, as an aside, privacy should permeate all aspects of your business. If you ask customers to input information online, make sure that the form includes explanations about why you are looking for the information and what will be done with it. If you actually operate in the real world, train employees to explain without prompting what information is used for. If you don't provide an explanation, customers will assume the worst.

Of course, you should also treat it like a contract with your customers and follow it accordingly. The FTC in the United States considers not following your privacy statement to be an unfair trade practice and imposes penalties accordingly.