Editor & Publisher Magazine
September 19, 1998
What Privacy?

Online Privacy Statements Are Popping Up Everywhere The public, activists and the government have grave concerns about the privacy of Internet surfers. Inreaction, many sites now have online privacy statements. What should they say, and what do they mean? by Jennie L. Phipps In the publishing business, credibility is fundamental. Few publications - online or off -will survive without customers who feel confident about a publisher's integrity. That confidence will be hard to inspire if readers think publications are selling personal information about them to marketers. Recent cases have spotlighted online users' outright hostility toward anything that threatens to jeopardize their electronic privacy. Throw in the potential for government interference, and you get a climate that has many online publishers rushing to add highly visible privacy statements to their Web sites. Privacy statements are essentially online ethics policies. A link to them is usually located at the bottom of the home page. They explain - often at length and sometimes in legalese - how the publication will keep user information private and secure. Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, Calif., and author of the Privacy Rights Handbook published by Avon Books, is in some ways, despite her expertise, a typical online user. When she registered for the Web site of the San Diego Union-Tribune, she hoped there would be a privacy policy in place. She was disappointed and a little nervous when she didn't see one, but she registered anyway." I had to divulge a lot of information to reach their archives," she recalled. "My assumption is that the information that I gave them will go no further, but I don't know that. A year ago, Web surfers like me weren't thinking about privacy policies, but now there is more consumer concern. I think that more and more people are looking for privacy policies because of the publicity surrounding the issue."

Privacy Becomes Media Focus

Indeed, the issue heated up long before President Clinton's plea for privacy in his personal life. In June, the Federal Trade Commission revealed that only 14% of American Web sites provided any sort of notice on their information collection practices. Furthermore, only 2% provided a comprehensive privacy policy. Here's the statistic that really got activists going: Eighty-nine percent of children's Web sites collected personal information directly from children. The report concluded that the "industry's efforts to encourage voluntary adoption of the most basic fair information practices have fallen short of what is needed to protect consumers."
This led to calls for government intervention from some groups. Wanting to avoid the heavy hand of the Feds, the Internet community sprang into action and called for a self-regulation model. Voluntarily, privacy statements began popping up all over the Web. In the meantime, Washington has shown that it isn'tsitting on its hands. Just last month, the FTC charged that Geocities misled its2 million members by secretly selling personal information to marketers. The Santa Monica, Calif.-based company denied the allegations but settled with the FTC and promised to advise customers of its privacy policies. Vice President Al Gore also voiced his concerns this summer by calling on Congress to pass laws to safeguard medical and financial records. "We need an electronic Bill Of Rights," he said. "You should have the right to choose whether your personal information is disclosed."

Consensus From The Industry

In the field, there seems to be widespread agreement that privacy statements are needed. For Bill Pisarra, Webmaster for LinguiSystems in East Moline, Ill., having a privacy statement is simply good business. His company publishes special education materials and sells them via direct mail. In doing business, he has encountered an interesting phenomenon. When customers call in using the 800-number to order a publication, they must offer up a good deal of personal information. But Pisarra said it is rare for a phone customer to question or express concern about the information LinguiSystems collects. By contrast, he said, a disproportionate number of Web customers and prospects express concern. It's not unusual for electronic orders and catalog requests to have special instructions such as "do not give out our phone number," or "do not sell this information to anyone." Pisarra said, "So, it's clear to us that privacy is a concern for a good number of people visiting our site, making the need for a privacy statement a given. Sure, we've read the surveys describing privacy as a big concern on the Web, but in our case we're getting direct input from customers and prospects, which is more compelling than all the surveys on earth. We're simply responding to their needs. We think it reassures customers who send us personal informationand is an important step in building their trust in our company. Why lose customers for lack of a few words in the appropriate places on the site?" Response to complaints also drove the Las Vegas Sun to adopt a privacy statement on its Web site, Vegas Deluxe. Bryan Allison, general manager, said the site posted a privacy statement after they began using NetGravity ad-serving software, which sets persistent, random cookies when people access the pages. Most pages have four ads on them, so just coming to the site nets a user at least four cookies. "A number of people who had heard that cookies were evil andwere going to invade their privacy would hit our site, get four or five cookies requests and go ballistic," Allison said. "This statement seems to help." Even though the privacy statement thoroughly explains cookie technology and the fact that these cookies are temporary, Allison still gets e-mail and calls from upset users. He patiently explains to them how to access their cookie file and how to delete the devices. That personal approach helps, but it is not always foolproof. "It's hard to explain to people who are very upset about something that they don't understand why it isn't going to hurt them." American Business Press, the trade organization that serves business publications, has begun advising all of its members to include Web privacy statements. The advice comes from the general counsel for the group, David G. Nichols, an attorney with Morgan, Lewis & Bockius in New York City. Nichols believes that the first reason an online publisher should add a privacy statement is to allay customer fears. But he also thinks that such a statement combined with adherence to it may someday save sites from lawsuits. "I think it is appropriate for a firm to be mindful of the possibility of litigation," he said. "There was great brouhaha when America Online divulged information about Timothy McVeigh's buying habits and other disclosures that created considerable concern among people who use the Web. Technology is developing so quickly that makes all sorts of information very accessible that it seems very likely that this is something that companies should watch." McVeigh is the former U.S. Navy officer who was discharged after the Dulles, Va., online service revealed his identity and personal profile to Navy investigators who were investigating McVeigh's sexual orientation. McVeigh eventually won a court battle to be reinstated. AOL apologized for releasing McVeigh's name to an investigator who did not identify himself as a representative of the Navy. As the number of deep-pocket companies doing business on the Internet increases, the potential for costly litigation grows, adds Stuart N. Brotman, who teaches communication law and policy at Harvard Law School. "Publishing companies are very large targets." Brotman suggests not only posting your privacy policy, but e-mailing it back to everyone who registers at your site, subscribes or buys something.

No Policy = Trouble

Certainly, the lack of a privacy statement can get a company in trouble. When subscribers to New York City's Advertising Age found an e-mail invitation from theglobe.com Inc. to join its online community, many were not appreciative.The problem was that the invitation included their password - the same one they used to access the Advertising Age Web site - but the message didn't mention any relationship between the two companies. Advertising Age got so many complaints that they had to issue an e-mail apology, which explained that this personal information hadn't been sold to theglobe.com, but shared in a partnership designed to provide expanded services to AdAge subscribers. It explained that this was not a security breach but a marketing mix-up. Brian Quinn, sales manager for the AdAge group, said his company regrets how it handled introducing the new partnership. "We just wanted to make it as seamless as possible," he said. "If the e-mail had come from us instead of theglobe, I guess it wouldn't have been such a big deal." Shortly after this incident a few months ago, AdAge.com adopted a privacy policy, which it now displays prominently on its site. Quinn said he helped approve the wording, and he's glad it's there, although he doesn't think it has a whole lot of practical application. "This is business to business. We aren't asking people where they live. We're asking people, 'Do you work at an ad agency?'" Deerfield, Ill.-based Kona Communications, publishers of trade magazines, Truck Parts & Service and Successful Dealer, has one of the Web sites now sporting a privacy policy, thanks to concern over the potential for government interference. Denise Rondini, vice president, said, "We added it partially because we have seen a growing number of articles that indicate if we don't do it voluntarily, we will be mandated to do so. And it seems like voluntary is better."
Yet Rondini remains a little skeptical about the necessity for such a step. "On some levels I find it amusing that the privacy issue came up, since I collect the same info on my Web site that I do in my magazine's subscription cards or on my circulation requalification direct mail, and no one is asking me to put privacy statements on my written circulation efforts." Experts in the privacy area agree that Rondini could have a point. Marc Rotenberg, director of the Electronic Privacy Information Center, a Washington, D.C.-based public interest research center, calls privacy statements "digital fine print." He said, "The company putting up a notice about what they are doingwith personal information is not the same thing as protecting your privacy or limiting the use of that information. Privacy statements are useful in terms of raising issues about privacy and reminding the publisher about the need to protect privacy, but beyond that, I don't think they do a whole lot." To give a privacy statement teeth, Rotenberg thinks that a visitor to the site should have some legal rights that guarantee that he will be permitted to see any information that is collected about him and that he will be able to decide how that information will be used. Jay Small, general manager of StarNews.com, the online service of Indianapolis Newspapers Inc., does essentially that. When StarNews.com moved its nationally popular auto racing and other sports message boards to a registration system, it did so in order to collect specific information useful to advertisers. Users who were accustomed to coming to the site anonymously were perturbed. To make these users more comfortable, the site allows registrants to review exactly what information the site is keeping about them, then they must opt in - agree to receive - specific information from StarNews.com. Only about 40% of registrants say "yes" to receiving more information about a variety of sports-related products, including newsletters. Small admits there have been some times when the sales department found this system to be limiting.After all, some of the people who refused might be persuaded if salespeople had a shot at them. But Small has stood firm. "Even though it may be a smaller list,they are what you might call highly qualified leads," he said. "One of the ways that you treat customers right is by being careful how you protect their privacy and that makes them better, more loyal customers. I think we have to be especially careful to protect subscription-base customers because it is from there that we sell advertising."

'Opt In' Rather Than 'Opt Out'

Another site that insists that its users must "opt in" rather than "opt out" is the Web site of Consumer Reports. Nancy Macagno, the company's director of new media, says that because of its mission and reputation, Consumer Reports wants to be "meticulously favorable to the consumer." The publisher's privacy statement is considered a model in the industry. It says in part:
* We ask you to explicitly choose to "opt-in" to tell us we have your permission to send you notification of special Consumer Reports Online events and updates or news about other Consumer Reports activities. You may opt-in following the registration process, or at any time afterward on our e-mail notices page. Of course, if you change your mind at any time, you can change your option and you may remove your name from any list.
* You can access your subscription registration information for review or to make changes at any time by going to the subscription instructions area of the site. This area is protected by security checkpoints, including password protection, so others cannot access your registration data. Macagno worked with others at Consumer Reports to write a suitable privacy policy. Many publications do the same thing, calling a committee to review the issues, look at some samples and finally tailor an acceptable statement. But there are alternatives to doing it yourself. One of them is to join TRUSTe, a nonprofit consortium of businesses on the Net based in Palo Alto, Calif. For a nominal membership fee, TRUSTe will either help you write a policy or review theone you have to make sure that it is consistent and enforcable. Among the publications that belong are the New York Times and Wired magazine. Susan Scott, executive director of TRUSTe, says the organization's standards are getting higher all the time. TRUSTe used to suggest simple disclosure. Now, in order for a site to carry the TRUSTe link, it must disclose what information is collected, what use is made of the information and specifically with whom it will be shared. Consumers must be given access to their data to check for accuracy and suitability. Beyond that, the new TRUSTe member must be able to prove that it can authenticate that the user is who he says he is - by a system of passwords and, in the case of an address change, physical mail. It seems like a tough standard, but Scott says that what people forget is that the Internet is an international medium, and privacy laws in other parts of the world are much tougher than they are in the United States. Scott predicts that if publishers aren't careful and if the industry doesn't step-up and adopt policies with teeth, there will be laws and international agreements that will dictate what publishers have to disclose. In the short term, she urges sites to be conservative about the information they gather. "Don't ask for information that you don't need. You don't have to worry about managing information that youdon't have."

*(Jennie L. Phipps, a former newspaper editor, is an independent writer based in Detroit.)