As online marketing matures, many companies are finding privacy policies that once seemed acceptable as constricting as clothing that has been outgrown and, like a too-tight suit, must be altered.
“Often, a company will create a privacy policy that seems to have all the important parts, but then turns out to be untenable in some way,” said Larry Ponemon, head of the Arizona-based Ponemon Institute. His organization researches privacy issues and verifies companies’ privacy and data protection practices.
“It’s standard practice to say information will not be shared with third parties. But a company may then realize that sharing is part of their core business,” Ponemon explained. “So they tweak the policy to reflect that. It’s a growing trend.”
Businesses with a strong brand and companies with a strong trust element, such as youth-oriented sites and banks, are at the vanguard of this trend, Ponemon noted.
Yahoo! was one of the first online companies to institute broad changes in its data sharing policy in March of last year. eBay also made adjustments. Walt Disney, which has a network of sites including Disney.com, ESPN.com and Movies.com, is the latest such example.
“We recently updated our privacy policy, the first update since 1995,” said Kim Kerscher of the Walt Disney Internet Group. “You can imagine how our business and consumer activity have changed since that time. We did it because as consumers became more interactive and did more transactions on the site, we realized our original policy was creating some issues.”
People spend a lot of time on Disney’s parks and resort sites, planning activities, building travel itineraries and the like, Kerscher commented. But when it comes to making final arrangements and paying, many want to transact with a live person, so they telephone the call center.
Because Disney’s old privacy policy precluded sharing information collected online with its offline businesses, customers had to verbally recapitulate all the details they already typed in online.
Disney says revised its policy to allow the company to share information with its non-Internet businesses, primarily the theme parks. These businesses will also be able to use the information to market services and information.
Disney will now permit outside companies to send promotions to users via postal mail (though not e-mail), and Disney itself can send e-mail and U.S. mail promotions to its customers. Finally, Disney can obtain information about its users from third parties, such as the postal service.
“My gut tells me Disney have been good players,” with regard to privacy, Ponemon commented. “The public is more concerned with whether a company is honest than whether it provides opt-in or opt-out.”
However, there’s danger is changing a privacy policy, Ponemon cautions. “There is this general belief that if you change your policy and become less restrictive, you pulled a fast one on your customers.”
When making the change, Kerscher said, Disney realized the dangers and decided it was important to act conservatively.
“There is a link to the privacy policy on every page of the site, and that link was tagged ‘Updated,’ and through that you could get to a FAQ on the update and view the old and new privacy policies,” Kerscher said. Existing registrants got e-mails explaining the changes and offering the option to migrate to the new policy.
Another factor affecting the California company’s online privacy practices is a number of new laws in that state that passed in 2003. One of these, SB 27, provides that consumers can request lists of the kinds of information that companies share with third parties, as well as the names of these third parties. SB 27 takes effect Jan. 1, 2005.
Another new law, AB 68, says sites should post a privacy policy and enforce it, according to Brian Murnahan of the California Office of Privacy Protection.
Disney’s Kerscher says Disney is on the case.
“We have teams of people looking at all the legislation and will do whatever it takes to comply. My sense is we’re already in compliance with many of them,” Kerscher affirmed.
Ponemon said the new laws are a factor in the overall trend of companies tweaking their privacy policies.
“Clearly, an organization would have a difficult time operating two sets of requirements, one for California residents and the other for another 49 states. So, most companies treat the regulations below as national requirements,” Ponemon said.
But California’s new laws aren’t the only ones on the books supporting privacy. A number of such laws already exist, attesting to a move toward better notice and options for consumers, according to J. Trevor Hughes, executive director of the International Association of Privacy Professionals (IAPP).
“There’s the Gramm-Leach-Bliley Act, which provides us with greater choices and notice with regard to financial data. The Health Insurance Portability and Accountability Act, HIPAA, provides us with greater notice and control over health information. And of course there’s the Do-Not-Call list and the recent Can-Spam act giving us greater control over e-mail,” Hughes pointed out.
“The fact that Disney is giving (registrants) a choice represents an enormous shift over where we were 10 or 15 years ago,” Hughes maintained. “In the broader scheme of things it really represents a very granular piece of a much broader tectonic shift.”