magazine resources subscribe about advertising




 CD Home < Web Techniques < 2001 < August  

Privacy Certified

By Bret A. Fausett

A national bank sent me a copy of its privacy policy recently. It's the same privacy policy the bank uses for its Web site, and I was grateful to have a paper copy. Drilling down two, three, or sometimes four pages into a Web site to find a Web operator's privacy policy isn't always easy. This particular policy began promisingly enough:

At Our Bank, respecting the privacy and security of your personal information is important to us.

That's terrific, I thought. My privacy and the security of my personal information are important to me, too, especially when I'm selecting a bank. I've been considering online banking, so this is exactly what I want to hear.

Please read this Privacy Policy carefully.

This is good advice, especially because the personal data I share with my bank is exactly the kind of information I want to keep private. Thanks for reminding me to read it all the way through.

This Privacy Policy is designed to inform you of the types of information we collect, how we use that information, and the circumstances under which we will share it among our family of affiliated companies and with nonaffiliated third parties.

Hmmm, this changes the picture a little bit. Just two lines ago, the bank was telling me how important it was to respect my privacy and secure my personal information, and now I learn that the bank collects information, uses that information, and under certain circumstances shares it with third parties. Good thing I decided to read the entire policy carefully. What else is in store?

We collect nonpublic personal information about you from the following sources:

  • From you, on forms, via the Internet, by telephone, or otherwise. Examples of this type of information include your name, address, social security number, credit history, and other financial information.
  • From transactions with us, our affiliates, or with others. For example, your payment histories, account balances, and other transaction records.
  • From credit reporting agencies, such as information relating to your creditworthiness, your credit score, and credit usage.
  • From third parties to verify information you have given us.

"Nonpublic personal information?" OK, I'll consider "nonpublic" to mean the stuff I consider "private," but why quibble over word choice? The bank has now told me that not only does it collect private information about me, but that affiliates, credit agencies, third-parties, and—worst of all—undefined "others" also may collect information about me and share it with the bank.

All of these private details about me—or "nonpublic personal information"—that the bank gathers from these many sources will go into one big pot of data about me that the bank can use or share with others. And that's what the next part of the privacy policy will tell me: How can the bank use all of this data? This is the part I ought to read very carefully.

Uses of Shared Information: We may share all of the information that we collect, as described above, for the following purposes:

  • To provide you with the products and services you have requested.

This part is OK, I think. The bank will use my private data only to help me with things I request. This might mean looking at my account history to see what to recommend when I ask about better interest rates, or whether to offer me a different checking account based on my past usage. Because the bank uses the private information only in response to questions that I ask, the use of my information is still within my control, right? OK, I'll accept that one.

  • To offer you additional products and services, from us or from others, that may be of interest to you.

I'm not as crazy about this one. The bank is going to use my private information to sell me stuff from time to time. I hate junk mail and spam almost as much as I hate telemarketers, but for the right bank and the right price and the right set of services, I can stomach the annoying marketing.

  • To comply with reporting and other legal requirements.

This seems fair enough, I guess. If the law requires my bank to disclose certain information, then there's really nothing anyone can do about it. Shopping around won't make a difference on this one either, as all banks are governed by the same laws and reporting requirements.

  • To otherwise conduct business.

"To otherwise conduct business?" Holy Moses! That's an opening big enough to drive a truck through—a truck carrying all of my private banking data and possibly dumping it into the public commons. Given that one phrase, you could pretty much condense the bank's entire privacy policy down to this: "We can collect information about you from any source we want and do with it whatever we want." That would have been much easier to understand (and maybe that's the point), but this particular privacy policy has little to do with securing a user's privacy.

How did something called a privacy policy become so poorly named?

It's Called Self-Regulation

Privacy policies were born in the early days of electronic commerce, when the specter of the Internet as a place where you might be watched, catalogued, and placed into various direct marketing databases was just emerging. Much as the movie industry adopted its ratings system years ago to avoid proposed federal regulations on appropriate content for minors, the Internet industry pushed privacy policies as a way to head off government regulation of user privacy. For the most part, the strategy has worked. Other than the Children's Online Privacy Protection Act" (see Robert Cannon's article, "Coping with COPPA," also in this issue), we have no strong federal regulations in the U.S. governing the collection and dissemination of our private data.

Internet privacy policies are supposed to detail exactly how a company interacting with users collects data, uses the data, and shares it with others. Armed with details about what might happen to any information taken from you, you can make an informed decision about whether you want to do business with this company. You might decide to leave a Web site immediately, or you might decide that the services provided are worth the cost of giving up your private data to others.

The thought behind this attempt at self-regulation is that companies will disclose their practices, users will make informed choices about what they want to do, and the combination will empower both.

As encouraging as that sounds in theory, it rarely works so well in practice.

Privacy in the Real World

In the real world, privacy policies are usually, but not always, linked from the home page of a Web site. In the worst cases, they're buried pages deep in a legal section or somewhere in "about our company." Because there's no uniform place for companies to post privacy policies, users are left to hunt for them—in a different place at every site—if they want to learn the rules.

Once users find the policy, they must read it and understand it. That's not always easy. A lot of policies are drafted by lawyers, whom we all know can turn even the simplest sentence into something full of caveats, qualifiers, and conditions. And that's exactly what we saw in the bank's privacy policy.

After describing in some detail the way in which it planned to share private data with third parties, the bank then threw in a catch-all provision—that it could use consumer data "to otherwise conduct business"—designed to give it the maximum flexibility to use its data however it saw fit. This ensures that the bank will never be accused of doing anything with the data that it had not disclosed, and it permits the bank to change its use of the data from time to time without updating the privacy policy. This is great protection for the bank, but not for the users.

And that distinction reveals a fundamental truth about privacy online. The interests of Web users aren't aligned with the interests of Web site operators.

Certified What?

Realizing that privacy policies were difficult for consumers to comprehend or use meaningfully when navigating from site to site, many in the industry backed privacy certification efforts from organizations like TRUSTe and the ESRB. To their credit, these associations help companies develop privacy policies that are comprehensive and comprehensible, and the people who run them have thought intelligently about the issues involved in managing private data.

These organizations bring the goal of self-regulation—informed user choice—one step closer to reality. For the most part, certified policies are written in plain English, are prominently displayed so users won't have to mine a site looking for the policy, and provide a point of contact in the form of the certification agency for confused or dissatisfied users.

But for the unsophisticated user, a privacy certification seal may send the wrong message. It's not a seal that private data is actually protected; it's just an indication that, by the standards of one association, the privacy policy is a fair and adequate disclosure of what information the certified company collects and how it shares that information. A policy clearly stating that all private data is immediately turned over to telemarketers and thieves would still get a certification from the major privacy associations, so long as it were true.

The real difficulty with the privacy certification initiatives, though, is that they rely primarily on the good intentions of the certified companies and on self-corrective behavior for those companies that run afoul of the association's disclosure rules. If a certified company breaks its promise, there's little the consumer or the privacy certification association can do. Compliance with the certification program is voluntary in the first place, and companies can back out at any time. Violators might fear the bad press that comes with a published privacy policy showing disregard for users' privacy rights, but they're not likely to be subject to any serious penalties.

Whatever the benefits of the privacy initiatives, they've been adopted by a small minority of commercial Web sites. Even if some of the sites a user routinely visits are privacy certified, many more that make inadequate or unclear disclosures are only a click away. Certification may be helpful for some popular sites, but as an industry cure, it's no solution.

Write Something Meaningful

For the time being though, as companies look to handle privacy on a case by case, site by site basis, a few tips can help. Whether you're privacy certified or not, remember that giving yourself the maximum legal flexibility may be what your lawyer recommends, but it could get you in trouble with your customers. A bad privacy policy is bad public relations. Consumers care about their privacy and the security of their data. Protecting the customer's data means more than saying, in the first line of a privacy policy, "respecting the privacy and security of your personal information is important to us." If that's really true, prove it.

If you don't share information with third parties and have no plans to change that practice, say it: "We will never share data collected from you with third parties." That's powerful. If I'm looking for a new bank, that's exactly what I want to hear. The word "never" means you're relinquishing the flexibility to someday in the future take a step that might conceivably lead to a future set of circumstances in which you might want to.... Just give it up. Don't be afraid to limit the future if it's the right thing to do.

Write something meaningful to the consumer using words that instill confidence.

A Better Policy

One of the best privacy policies I've seen is the policy on Karl Auerbach's CaveBear Web site. Karl is a long-time netizen, now serving as the elected director from North America for the Internet Corporation for Assigned Names and Numbers (ICANN). The privacy policy is clear. It's truthful. And it puts all of the nonsense about privacy policies and certification programs into proper perspective:

The CaveBear Privacy Policy

We participate in no so-called "private" privacy initiatives. Indeed, we feel that leaving the protection of privacy to anything less than well enforced laws would be a farce.

The CaveBear site takes no active steps to protect your privacy. We collect the standard logs of access to our systems.

We never have used the access logs for anything but our own administrative uses—primarily monitoring our sites to see whether someone has tried (or succeeded) to penetrate our security. And we have never opened those logs to anyone other than our own administrative staff, who, it may be said, tend to find the contents not merely uninteresting but downright boring.

At the current time, the CaveBear site has no interest in using our logs for any other purpose.

At the present time we do not believe that we have any Web pages that either put "cookies" on your computer or read such cookies that may have been put there by ourselves or by others.

So, if you're concerned about your privacy, you luck out—our practices are consistent with your interest in protecting your privacy. However, we do not guarantee that our practices will not someday change or that we will not accidentally disclose something.

It is our recommendation to you that you take such self protections as you feel appropriate. And we further suggest that you do not look to protection of your privacy to come from the private sector—that sector's interests are not aligned with yours.

The CaveBear site strongly urges that you support national legislation and international treaties that define and protect your privacy.


Bret is an intellectual property and Internet attorney, and a partner with Hancock, Rothert & Bunshoft. Contact him at

Copyright © 2003 CMP Media LLC