Making Your Privacy Policy Work

With the right planning, analytic infrastructure can be surprisingly effective in enabling your privacy policy
by Mark Madsen

More than any other medium, the Internet has raised concerns about the privacy of information. Before the Internet, you surrendered private information in a consensual setting, such as filling out forms for an insurance policy or bank loan. But now, the PC in your home or office has become a silent data collection device that can record every aspect of your online behavior. The resulting data can be analyzed by something as benign as an e-tailer's personalization application or as potentially dangerous as the FBI's Carnivore program.

Your data warehouse lies at the convergence of these issues because it collects data from many sources, Web and otherwise, and disseminates that information to internal and external systems. It's literally on the front lines of a properly implemented privacy policy.

In my recently published book, Clickstream Data Warehousing, my coauthors and I devote more than 100 pages to the types of data that can be collected in a Web environment and the privacy issues involved. In this article, I'll offer a synopsis of that information.

The Eternal Conflict

There's an inherent conflict between answering users' desires for efficient and personalized services and maintaining the privacy of the data required to deliver those services. People genuinely want the benefits of improved user knowledge but are reluctant to share information, even though they willingly sign over similar information in the offline world.

At the same time, vast amounts of personal data are traded or sold by business and government enterprises every day. Much of this data is being managed, bought, and sold by syndicated data providers such as Equifax, Acxiom, and Experian. Inside data warehouses, syndicated data is often merged with data collected online. Unsound business practices and unintentional security breaches that expose this information can lead to serious damage to a firm's reputation, or worse, civil and criminal lawsuits.

Privacy isn't just a problem for consumer-oriented businesses. It affects all businesses, regardless of whether they deal with individual consumers or solely with other enterprises. In some industries, government mandates such as the Gramm-Leach-Bliley Act, which affects financial firms, and the Health Insurance Portability and Accountability Act (HIPAA), which affects medical and insurance firms, dictate privacy requirements. Your industry may be next.

Unfortunately, posting a privacy policy on your Web site doesn't necessarily mean you comply with proper practices or legal requirements. In fact, in some cases, having no stated policy may be better than a policy that's posted and ignored internally.

Consider the case of Toysmart.com. One of the bankrupt company's assets was its customer database, which was to be put up for sale in 2000. However, the U.S. Federal Trade Commission (FTC) and several state attorneys-general sued to prevent the sale on the grounds that it violated Toysmart's posted privacy policy, which promised that the company would "never" share its personal information with third parties.

The legal system generally views a privacy policy as a legally binding contract between the company and the public. Failure to meet the standards in a privacy policy is viewed as a deceptive practice, which can in turn lead to lawsuits or fines. Depending on the business, privacy policies can apply to information about business users as well as individual consumers.
Furthermore, your enterprise's information privacy policy should cover all enterprise applications, not just those that directly involve user Web sites. In some industries, there's no choice because online and offline privacy practices are mandated by state and federal laws, such as HIPAA.

Acceptable Use

One of the reasons we see so many privacy complaints is that companies tend to ignore the boundaries between acceptable and unacceptable uses of information. Part of the problem is that "acceptable use" is sometimes hard to define; thus, the company may not realize it has crossed the boundary until it's too late.

A user may provide simple information with the expectation that it will be used for an obvious purpose. Gathering and inferring behavioral data and combining it with user-supplied data can extend this basic information, making it more valuable but also more personal, and, therefore, from the user's perspective, unacceptable to share. In the past few years, many enterprises have repeatedly crossed the acceptable use line, leading users to perceive personal risk in almost anything involving data. You need to establish trust if you want to bridge this gap.

The easiest way to establish trust is to say what you do with user information and do what you say. Trust can be developed through a few simple actions. First, the stated privacy policy should be fair and balanced between the interests of the enterprise and its users. Many companies fail on the "fair" side by leaving themselves a loophole to make changes to the policy with no advance notice or notification to users. A privacy policy is a contract and shouldn't be changed on a whim to satiate some newly discovered desire.

The privacy policy should have a direct effect on the design of the processes and techniques used to collect information about users.
The spirit of the policy should also be reflected in how the enterprise uses the collected data, as opposed to letting the business use of data dictate the terms of the privacy policy.

Privacy and Data Warehousing

Assuming that you have a corporate privacy policy in place, the next logical question is, "What impact will it have on my data warehousing operations?" The answer depends on how serious your company is about its policy. If your company isn't that serious, then the answer is likely "not much" and a cursory review is probably sufficient. If the focus on policy is driven by legal requirements, then the answer could be "huge."

If you're just starting out on a data warehouse that contains user data, consider yourself lucky. In this scenario, you can tackle the problem during the initial design. You should take the privacy policy into consideration when building a data warehouse, adopting third-party Web analytic tools, adding clickstream components to a warehouse, or implementing a permission marketing system.

However, if systems to process and analyze user-related data are already in place, how do you integrate a privacy policy with these systems? The first step is to know the affected business practices, and the best place to start is by reading the privacy policy. This isn't always easy because your company may have different privacy policies for the Web site, internal departments, and customer-facing systems. Except for legally mandated requirements, the most important information is probably in the online privacy policy, because this is the one that users are most likely to encounter. Look for the components of the policy that outline what data is being collected, how long the data is retained, how it will be used, whether it's shared, and what, if any, control users have over their data.

First and foremost, identify what data is crucial to privacy.
Is it possible to separate data affected by the privacy policy from the rest of the data in the data warehouse? This data "triage" is crucial: If you can separate the data that's important to monitor from the data that can be disregarded, you're well on your way to a solution. As an example, credit-rating data is very important and sensitive, while basic personal data such as a user address may not be. The relative importance depends on what data is specified by your policy.