The Internet Encyclopedia (Volume 3)


P1: c-146Everett-Church
Everett-Chruch-1 WL040/Bidgoli-Vol III-Ch-08 July 11, 2003 11:46 Char Count= 0


PRIVACY LAW

movements between the many sites on which the advertising companies place their cookies. These ad networks are a type of advertising agency that rents space on dozens or hundreds of Web sites, and frequently uses cookies placed on all of the sites in their network to build a profile about the kinds of Web sites a particular user likes to visit.
What is increasingly a marketer’s paradise is becoming a consumer’s nightmare: the deluge of commercial messages in e-mail inboxes, parades of pop-up advertisements, and even solicitations arriving by cellular phone and pager are making consumers leery of the alleged benefits of this ubiquitously wired world. In response to growing consumer concerns, companies have sought to develop privacy policies that help consumers better understand how their information is gathered and used.

PRIVACY POLICY FUNDAMENTALS
According to the Federal Trade Commission (FTC), if a company makes a promise that it does not keep, it is considered an unfair or deceptive trade practice, for which the offender can be fined up to $11,000 per violation, in addition to other legal remedies (FTC Office of the General Counsel, 2002). Central to the FTC’s advocacy of greater consumer privacy protections has been the call for companies to adopt privacy policies that provide consumers with useful information about how their personal information is gathered and used. Although there are no federal laws that require the publication of a privacy policy, except when data collection from children is involved, it is widely considered an industry “best practice” to publish a privacy policy on any public Web site.
Considering the liability created by writing a privacy policy that a company cannot deliver, the drafting of a privacy policy is not something to be undertaken lightly or without advice of legal counsel. However, good privacy policies tend, at minimum, to address those elements contained in the widely accepted fair information principles, which have also been endorsed by the FTC: notice, choice, access, and security. I discuss the FTC’s role in policing privacy matters later in this section, but it should also be noted that legal actions by state attorneys general, as well as private lawsuits, are also driving companies towards some level of uniformity in privacy disclosures.
Those privacy policies cited by privacy advocates as being “best of class” also include the elements of the OECD’s principles of fair information practices. There are also a number of online privacy policy generators that allow one to create policies by picking and choosing from predefined language based on the applicable situation. According to the privacy organization TRUSTe, its recommended Model Privacy Statement has several key elements that echo the OECD principles:

What personally identifiable information the company collects,
What personally identifiable information third parties collect through the Web site,
What organization collects the information,
How the company uses the information,
With whom the company may share user information,
What choices are available to users regarding collection, use, and distribution of the information,
What types of security procedures are in place to protect the loss, misuse, or alteration of information under the company’s control, and
How users can correct any inaccuracies in the information (TRUSTe, 2002).

Once a company has surveyed its data practices and articulated them clearly in a privacy policy document, the next most important task is to ensure that the company lives up to its promises. There are three ways to do this: manage privacy matters internally, look to industry-sponsored groups for guidance on compliance, or wait for law enforcement to come after you.

Chief Privacy Officers
As the importance of privacy has grown in the corporate setting, and as the risks from privacy problems have increased, companies have begun to create a new management position, the chief privacy officer (CPO), as the designated point-person for managing privacy policies and practices.
Since the first CPO position was created in 1999 at the start-up Internet advertising firm AllAdvantage.com, the CPO job description (if not always the title) has been rapidly adopted across corporate America; by the end of 2000, a significant number of Fortune 100 firms had a CPO-type position, often reporting to the senior-most levels of the organization. According to the Privacy Working Group of the advocacy group Computer Professionals for Social Responsibility, there are many benefits to appointing a CPO:

A talented and properly-positioned CPO will add value across corporate divisions from development to customer relations, from liability mitigation and risk management to increased market share and valuation. Perhaps most importantly, the Chief Privacy Officer promotes an essential element of new economy corporate citizenship - Trust. (Enright & McCullough, 2000)

The CPO has both an internal and an external role at his or her company. The internal role includes participation in companywide strategy planning, operations, product development and implementation, compliance monitoring and auditing, and employee training and awareness. The external role of the CPO involves enhancing the company’s image as a privacy-sensitive organization, through fostering positive relationships with consumers and consumer groups, privacy advocates, industry peers, and regulators.
In many respects, the CPO becomes the focal point for a company’s privacy activities and in turn can become the company’s public face on the privacy issue. The position is most effective if it is perceived as objective, with ombudsman-like qualities, serving as a protector of consumer interests while seeking balance between those interests and the interests of the company. Yet there are other organizations offering assistance in the ombudsman role: trustmark organizations.