From the September 2001 issue of Entrepreneur

Nothing has quite stirred passions lately as much as the topic of Internet privacy. Everyone seems to have an opinion on the topic-whether you're talking to business owners or their customers. Even lawmakers are struggling to get a handle on the issue; more than a dozen bills proposing various regulations have already been introduced this year.

On one hand, you have your customers-who, incidentally, have become increasingly tech-savvy. They're now demanding greater restrictions on the use of their private data as well as accountability from the companies that collect it. Some even remain reluctant to engage in e-commerce altogether, fearful that their personal information may be shared with other businesses or government agencies down the line.

Then there are the entrepreneurs who walk a fine line between collecting the information they need to build better customer relationships and scaring shoppers away. It's a tall order to reassure customers that collecting their data is necessary, that it truly benefits them and that their privacy will never be compromised.

"Rising consumer concerns, technological advances and business pressures will make privacy one of the hottest areas of the Internet policy debate in the next several years," confirms Jay Stanley, an analyst at Forrester Research.

Meanwhile, lawmakers are continuing their attempts to nail down more stringent requirements for Web businesses. Last year, for example, Congress passed the Children's Online Privacy Protection Act, which makes children off-limits to aggressive data-collection and marketing techniques. And experts expect even more privacy legislation to pass this year, especially with so many bills regulating numerous privacy issues pending.

But compliance won't be cheap. According to a study conducted by the Joint Center for Regulatory Studies of the American Enterprise Institute and the Brookings Institution and underwritten by the Association for Competitive Technology, adhering to the new Internet privacy rules could cost businesses a combined $9 billion to $36 billion.

The secret for entrepreneurs is in finding the perfect balance. "Modern technology, especially the Internet, has made the collection of personal information easier, faster and more thorough," says Walter O'Brien, executive director of the Privacy Leadership Initiative, a New York City partnership of CEOs from major corporations and business associations. "And that makes many people profoundly uncomfortable. There's a trust deficit of troubling proportions that keeps too many consumers on the sidelines. "For any company, the stakes in missing so many 'wary but wired' consumers are enormous."

Keeping the Faith

So with all the controversy swirling around the privacy debate, what's the best way for entrepreneurs to earn trust from customers, yet gather the information they want at the same time? For starters, experts say Web sites that collect personal information from or about consumers online should comply with the four widely accepted fair information practices: notice, access, choice and security.

That means you should write a privacy policy and disclose to consumers exactly what you intend to do with their information. Post the policy prominently on your site and provide those consumers not only access to their information, but the means to challenge data that's incorrect. Also, give customers the choice to opt out. Finally, be sure you protect the security of the information you collect. As long as you're upfront and do what you say you're going to do, customers will continue to trust and shop with you.

"Consumers don't mind giving information if they know it's going to be in the trusted hands of the company they're doing business with," says Silvana Gragossian, co-founder of DecorLine, an online retailer of original art and craft items. One of the first things this six-employee Encinitas, California, firm did when it opened in 1999 was construct a privacy statement.

Written with the help of a lawyer, the statement says DecorLine is committed to protecting the privacy of its customers and that the information collected on the site is used solely to process orders and enhance the shopping experience. DecorLine occasionally sends e-mail notices to customers, informing them of new services, products and special offers, so recipients are always given the chance to opt out. But few take DecorLine up on its offer. Gragossian, 37, says, "We rarely get a request for removal from a user."

Astrocenter.com Inc., which owns Center.com, a wellness portal in San Francisco, takes a different approach to consumer privacy. The site offers members free health, beauty and fitness information, along with personalized horoscopes and astrological reports. In its privacy statement, Center.com says it not only uses demographic and profile data to personalize services to match customer interests, but it also shares the information with advertisers on an aggregate basis.

The statement further explains that Center.com might share personal information with other companies. "Our customers can check a box that says they would like to receive special offers from our partners," says Jeremiah Rosen of Center.com. "If they don't want the offers, they don't have to check the box."

However, Rosen points out that even if members opt out of the offers, their information is still part of the site's database. The way he sees it, if consumers don't want their information shared, they can unsubscribe from the site. "We aren't trying to hide anything," he says. "It's clear that we sell advertising; how we do it is by selling information about our audiences." Given the site's 3 million monthly visitors, the model doesn't seem to deter customers.

"Center.com understands visitors want their privacy protected," says Eric Bonjour, 42, co-founder and CEO of Astrocenter.com. "That's why Center.com is committed to fully disclosing what and how information is gathered from site visitors. Should users choose to examine our privacy policy, they will clearly understand how personal information is used-on an aggregate basis only."

But as times change, you may need to alter your privacy policy. Take a lesson from eBay: Recently, the online auction site changed its privacy policy to include a stipulation that stated it reserved the right to share customer information if the company merges or is acquired. EBay decided to do this after another online retailer-Toysmart.com-went bankrupt last year and made headlines when it attempted to sell its customer database, even though its privacy policy had stated that it would never share that information. The FTC, as well as privacy advocates, contested the sale, and the list was ultimately destroyed.

Like eBay, you should explain that your policy may change from time to time. It's not a bad idea, especially considering the fact that laws may change. Customers should always be notified of any alterations and given the opportunity to notify you if they don't agree to the changes as described. Of course, that doesn't take away the need for customers-new or existing-to always be given the opportunity to opt out if they're not happy with the policy.

"You have to give customers a choice-it's their information," says Gragossian. "Customers come to your site and give you their information-so you just can't take that lightly."

How Far is Too Far?

Most consumers don't mind sharing personal information for marketing purposes with a company they trust. In fact, shoppers provide personal information all the time, especially if they're offered a freebie to do so, or if they get access to a personalized Web site.

A recent survey by the Pew Internet & American Life Project, a nonprofit organization that evaluates the social impact of the Internet, found that while U.S. Internet users want a guarantee of privacy online, they're willing to give Web sites personal information in return for content they like. In fact, 54 percent of respondents had done it, and another 10 percent said they'd be willing to.

What consumers do object to is the way some Net businesses track users across multiple sites-without their knowledge-and collect huge amounts of information about them, such as spending habits, income, illnesses and occupation. Then these companies try to make money with this information. Not surprisingly, consumers also don't appreciate when a company says one thing about how they handle their customers' private information but then does something different.

Take TiVo, for example. The maker of digital video recorders was put in the hot seat earlier this year when it was revealed that the company didn't clearly disclose how much information it collects about users and their TV viewing habits. Privacy advocates pointed out that TiVo recorders, located in users' homes, were set up to automatically transmit streams of data, such as detailed viewing information, to the company's headquarters each night. This was in direct contrast to statements made in the recorder's owner's manual, which asserted that "unlike the Internet, all of your personal viewing information remains on your PTV receiver in your home." TiVo says that phrase has since been removed from the manual and that data-collection policies have also been modified.

If you don't want to find yourself in hot water, think in terms of full disclosure. "Companies must fully inform their customers of what they'll do with their information and explain why it's needed and how it offers value," says privacy expert Dr. Alan F. Westin, president of the Center for Social and Legal Research in Hackensack, New Jersey. "They also must give them choices and show that they respect and implement those choices."


Melissa Campanelli is Entrepreneur's "Net Profits" and "Net Sales" writer.