Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

SPECIAL NOTE TO ALL VISITORS:
Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.

CLOSING THE PRIVACY GAP

Posted on April 30, 2002

(by Michael Weider, CEO of Watchfire Corporation)

      Is your Web site putting you at risk? If you don't think so, guess again. In today's interconnected world, there is a great deal of risk surrounding the issue of privacy. And Web sites, by their very nature, are prime candidates for exposing the organization to that risk.

      The international nature of the Internet only complicates matters. Not only must organizations be diligent to observe privacy legislation within their own country, they must also adhere to the laws of other countries.

Lack Of Trust

      Many Web sites collect and track consumer, employee, and business information through the use of online forms, and technologies such as server logs, cookies, and Web beacons. Powerful data collection techniques and users' inability to know what is being collected or how to stop it, combined with media exposure of perceived 'bad actors' in privacy, have resulted in an increasing lack of trust among Web users.

      To properly inform Web users, corporations must post privacy statements so visitors can make educated decisions about how they want to interact with a Web site. More importantly, corporations must ensure that once they develop these privacy policies, they adhere to them. The risks of failing to comply with privacy policies and guidelines are simply too high.

      Privacy breaches can happen anywhere on your Web properties: your employee intranet, your partner/supplier extranet, your corporate Web site. While online privacy breaches most definitely affect consumers, the organizations making these transgressions hardly go unaffected. The repercussions of privacy glitches can be significant: lost revenue and business opportunities; brand and reputation erosion; adverse media attention; unwanted scrutiny from consumer advocates; class-action lawsuits; and legislative penalties.

      There has been new worldwide legislation affecting online privacy. Businesses must identify and stop online privacy breaches to ensure legislative and industry compliance. For example, in March 2000, it was discovered that one organization's Web site was inadvertently transmitting personal financial information to an Internet advertiser. A number of related lawsuits resulted.

      In response to media inquiries about the practice, company officials said they were unaware of the problem. This experience highlights the difficulty of keeping track of all your Web site's practices. Most of the laws being passed incorporate rules that govern the collection, use, retention, and distribution of personal data. Determining how to handle variations in legislative requirements, while accommodating the various industry regulatory practices to privacy, becomes a compliance risk management decision.

      The Personal Information Protection and Electronic Documents Act became effective in Canada on January 1, 2001, and sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The law gives individuals the right to see and request corrections to information an organization may have collected about them. Foreign companies doing business in Canada will also be subject to the Act for activities conducted in Canada. The Act will come into full effect on January 1, 2004, at which time it will apply to all intra-provincial, inter-provincial and international commercial activities of all organizations.

How Important Is Compliance?

      Current methods of managing Web site privacy are time-consuming and inefficient. Many organizations rely on their Web teams to ensure that the design and content is in alignment with their privacy policies. Many rely on manual spot checks of the live Web site. These kinds of privacy management practices are risky because there are simply too many issues to identify, spread across too many pages of the site. This can leave the organization vulnerable, making it reactive, rather than proactive, to privacy breaches.

      So, what does privacy non-compliance mean to your business? Poor Web site privacy practices are resulting in widespread market backlash, including:
- lost revenue and business opportunities;
- brand and reputation erosion;
- adverse media attention;
- unwanted scrutiny from consumer advocates; and
- class-action lawsuits.

      Consumers, businesses, and employees are becoming increasingly aware of privacy issues especially as they relate to the Internet. In fact, many consumers will not conduct business on Web sites that lack privacy statements or assurances.

      According to Canadian research firm Ipsos-Reid1 , 26 percent of consumers listed privacy as the main issue preventing them from making online bill payments.

The Risks Of Cookies And Beacons

      Privacy breaches can happen on many pages of your Web site and through a variety of different data collection technologies. They can occur through inadequate and unenforced privacy statements. Many Web sites display a privacy statement explaining what the organization does with the information it collects from users. However, a privacy statement is only effective if it properly discloses and appropriately enforces an organization's information practices and corporate privacy standards.

      Fair practices recommend that users be informed of an organization's information-handling practices at the point at which personal information is collected. As such, many organizations have made it a policy to provide a link to their privacy statement on every Web page containing data collection forms.

      Cookies are digital identifiers placed on a user's computer by a Web server which allow for advanced personalization of Web sites. Privacy concerns arise when cookies are used for long-term data collection. Use of certain cookie technology has resulted in several class-action lawsuits. At issue is whether the company's use of cookies to track a user's surfing habits and personal information is an invasion of privacy. Privacy advocates and class-action lawyers have argued that the use of cookie technology constitutes a form of surveillance (akin to wire tapping) that monitors and stalks users without their knowledge.

      Excessive and/or unexplained use of cookies (particularly those served by third parties) may cause users to leave your site. Generally accepted industry standards recommend that companies disclose their practice of online profiling by third-party ad servers in their privacy statements and provide users with the ability to opt out of receiving third-party cookies. Online consumers may be more willing to interact with a Web site if they are made aware of their choices, and the company's practices as they pertain to the use of cookies.

      Web beacons, also known as 'web bugs', are small invisible graphic images that work together with cookies to count page visits, track movements and build behavioral profiles. They are inserted within the code of Web sites and commercial emails to enable the provider to monitor who is reading the page or message in question. Web beacons are considered controversial because unlike cookies, which can be detected and blocked by many popular Web browsers, they are invisible and monitor online users without their knowledge. As a result, companies that choose to use Web beacons should disclose the use of this technology in their privacy policies. Best practices discourage using Web beacons on sensitive sites, such as those sites that are financial or health-related.

      Managing your company's data practices may encompass a due diligence of any third parties' links on your Web site. Privacy concerns arise when links to external domains lead to third-party information sharing, especially if these external domains have privacy practices that differ from your own. Your organization may bear reputation and litigation risks if a linked site has questionable privacy practices. Identifying the linked sites can help you monitor and assess these risks.

Privacy Risk Checklist

      Building trust can go a long way towards convincing consumers to spend online. Effective, proactive, and cost-efficient privacy management can minimize the risk of regulatory investigation, classaction lawsuits, and legislative enforcement, and enhance the trust and confidence of your customers and partners.

      In order to avoid costly Web site privacy breaches, it is recommended that companies create an ongoing privacy management program. The following are some general steps to take in such a program:
1. Create an internal cross-functional privacy council or team ‹ bringing together legal, marketing, HR, technology, and internal audit expertise.
2. Understand privacy legislation and applicable industry-specific rules.
3. Create a map of all consumer collection and usage across all channels.
4. Assess relationships with third-party vendors and business partners.
5. Prepare an official privacy policy that clearly describes the information- handling practices to consumers and Web site users.
6. Ensure that adequate processes and controls are in place to demonstrate compliance with the privacy policy.
7. Conduct ongoing monitoring of compliance with the privacy policy.

      Ultimately, a company's fear of a privacy breach might be the best incentive to be strict about privacy policies. In the US, an investment firm failed to adhere to its posted privacy policy and had to pay $4 million in fines.

      A joint research study entitled "Privacy Policies Critical To Online Consumer Trust", released last year by Columbus Group and Ipsos-Reid, suggests that having a clearly communicated and easily understood privacy policy in place is a competitive advantage. The conclusion was that "firms that have recognized this are enjoying the benefit of being able to develop a better understanding of their current and potential online customers. Organizations that have not yet recognized the importance of a clear privacy policy are shooting themselves in the foot and are hindering their efforts to build strong and long-lasting online customer relationships."

Understanding Worldwide Legislation

      Adhering to new privacy legislation is quickly becoming a top concern for companies around the globe. Businesses must identify and stop online privacy breaches to ensure legislative and industry compliance. Some key pieces of legislation worldwide are as follows:

      The Gramm-Leach-Bliley Act of 1999, (US) enforced since July 2001, restricts third-party data sharing. Business Web sites must provide notice and opt-out options prior to sharing information with non-affiliated third parties.

      The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (US), with the final rules approved by the Bush administration, requires companies collecting or transmitting health information to provide privacy protections. They must also establish a company official responsible for privacy compliance (Chief Privacy Officer).

      The Children's Online Privacy Pro-tection Act of 1998 (US) safeguards the collection and use of personal information from children under the age of 13 ‹ requiring parental consent for any such activity.

      European Union Data Protection Directive of 1998 ‹ This Directive requires all member states to enact wide-ranging data protection law that complies with its principles.

      Australia's Privacy Amendment (Private Sector) Act of 2000, which came into effect in December 2001 for large private-sector organizations, has far-reaching data protection provisions.

The P3P Initiative

      An undertaking of the World Wide Web Consortium (W3C), the goal of the Privacy Preferences Project initiative (P3P) is to help users be informed about Web site practices by simplifying the process of reading privacy policies.

      With P3P, users need not read the privacy policies at every site they visit; instead, key information about what data is collected by a Web site can be automatically conveyed to a user, and discrepancies between a site's practices and the user's preferences can be automatically flagged.

      A browser that fully supports P3P technology will look for a privacy "compact" policy from a Web server whenever a Web page is requested. When the browser receives the "compact" policy, it compares it to the user-defined privacy settings contained in the browser. Depending on the browser's filter setting, and the content of the compact policy, the cookies being set by the page will be accepted, downgraded, leashed, or blocked. In addition, if the user has P3P-enabled his browser, and a Web site does not provide the appropriate information, the cookie will be downgraded, leashed, or blocked. In short, depending on the user's browser configuration, the cookies on a site may or may not be set as expected. The result: the Web site page or page(s) may not be appropriately served to the user.

CPOs and Privacy Seals

      It's not enough to merely post privacy policies on a company bulletin board or at the company Web site. The direction and management of privacy has to be established and supervised by the very top management of the company. A new position has emerged among privacy-conscious organizations, particularly those that operate globally: the Chief Privacy Officer (CPO).

      CPOs must address the new privacy needs by assessing risks, managing implementation of privacy policies and associated procedures, ensuring ongoing compliance, raising awareness in the organization, and training staff. As companies grapple with new regulatory requirements, increased consumer and governmental scrutiny, and the realization that privacy will play a role in differentiating them from their competitors, increased emphasis is being placed on this new role.

      To make it easier for organizations to explain their privacy policies, demonstrate compliance, and build consumer trust and confidence, online privacy seal programs and independent privacy audits have been created. Online privacy seal programs use graphics to indicate to consumers that the site has been certified according to a set of standards defined by a privacy or consumer advocate group.

      (E-CommerceALERT note: The WebTrust Privacy Seal program is outlined in detail here: www.WebTrust.net)

Benefits Of Good Practices

      The Privacy Gap can be closed with sound privacy management practices combined with automated Web site privacy management solutions; furthermore, organizations must close the Privacy Gap to instill trust in customers and partners. If trust is to be built into the E-business process, privacy and confidentiality must be at its core.

      Those organizations that understand the risks inherent in their privacy management practices, address the exposures, and communicate their policies openly, will earn consumer and user trust, and are more likely to gain customer loyalty and enjoy long-term success.

      1 - Concerns about Making Payments Online among Canadian Consumers, emarketer.com, 2001.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

ALERT
ARCHIVES
Final Entries
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999