Securing online privacy

By Lori Mitchell , InfoWorld Test Center
September 8, 2000

PRIVACY ONLINE IS a hot topic these days for both businesses -- especially e-commerce sites -- and shoppers. Companies struggle to build trust with their online visitors, hoping to turn them into customers. On the other side, online shoppers are skeptical of Internet security practices, and making an initial purchase frightens them.

For companies to build successful e-commerce sites, they need to first gain users' trust. The more online customers a site logs, the higher company sales will be, resulting in an improvement in the company's bottom line. To gain user trust and confidence, certain privacy practices should be followed.

Corporate confidence and policies: E-commerce site tactics

Companies walk a fine line between preserving their integrity online by providing a secure site and gathering user information for future marketing and sales campaigns. When setting up an e-commerce site, companies will want to follow some general customer privacy guidelines to ensure a successful transaction site.

First and foremost, businesses need to post privacy statements on their Web sites. A privacy statement is a legal, binding document that should include explicit information about what data is collected and for what purpose. In addition, get your site certified by privacy seal organizations such as TRUSTe (www.etrust.com). Site visitors can then click on these seals to verify the validity and status of your certificate.

If your site has a registration area that gathers information about your customers, make sure you let them know what information you are collecting and what you plan to do with it. If you tell customers up front what the questions are for, you will have a better chance of gaining their confidence. Also, when accepting credit cards on your site, make sure you have a secure site and provide proof in your policy.

In our research of privacy policies, we saw a number of explanations for why information is collected. For example, a company may use specified information to find out how many visitors are using a particular browser or what products users purchase. What does the company do with this information? Is it used for personalization, marketing, selling to third parties? The more information users have access to, the more secure they feel, and, in turn, the more they will trust using the site.

If you plan to sell or share the information with third parties such as advertising agencies, financial groups, fulfillment houses, and so on, let your visitors know. State in your privacy policy what safeguards are in place to prevent accidental disclosure of information, such as how the information is stored and what restrictions are in place to protect the data.

Also, give users the opportunity not to have information gathered about them via opt-out or opt-in functions. Opt-out allows customers or registrars to choose to not be on a mailing list or not have their information passed on to marketing agencies. But remember, if a Web site offers opt-out, they are by default placing customers on these lists. Be sure to clearly state your company's opt-out/opt-in policies.

Above all, let people know you care, and always provide contact information such as a phone number or e-mail address. If you need help writing a privacy policy, there are privacy seal programs such as Privacy Bot (www.privacybot.com) that help businesses write them.

If users don't trust your site, your business will not prosper. Get your site certified and secure, and lay out a policy that can be easily viewed. Although companies can provide comprehensive security policies on their Web sites, users should also be aware of their rights and how they can investigate the validity of an e-commerce site.

Arm thyself, Big Brother is watching: End-user tactics

Although it may seem logical for companies to fully understand the privacy issues involved with their Web site, customers should also understand the ramifications of the information that can be gathered about them. End-users need to educate themselves on how Web site information is collected and how they can best protect themselves.

Online customers usually don't realize that they are not required to disclose personal information to a Web site. In addition, users don't realize that information about them can be gathered just from visiting a site via the use of cookies or Web logs. This information may include personal data such as the user's name and address but can also include information about the machine being used, IP address, location, browser, as well as what pages the user has viewed. This information can be tracked from site to site, leaving traceable footsteps on the Internet.

Well then, how can consumers protect themselves? There are several simple tactics to follow. Next time they visit a Web site and are asked to register, they should remember that they don't have to disclose any information. Customers should look for privacy policies and read them, making sure that they understand them before purchasing from the site. Also, they should look for certified privacy seals and verify the validity of the privacy seal to ensure the company's legitimacy.

If a site uses cookies -- small files that contain user information -- it is the viewer's option to accept them. Many browsers are set to accept cookies by default while other browsers are not. Not only does a cookie contain information that Web sites use to identify customers, but that information can also be shared with third parties.

Depending on what information is gathered, a person's privacy may be at risk. For example, passwords, credit card numbers, or a mother's maiden name can be rapidly spread to other sites. The good news is that end-users are now able to manage cookies via new tools, such as Junkbusters (see our review).

In addition to cookies, Web logs track and gather information on each end-user. Some sites are connected to tracking networks that record not only what a visitor does on one site but on all the sites he or she visits. At little or no cost, tools such as ZeroKnowledge's Freedom software protect a user's anonymity. It works with the browser and removes tracks made by the computer, such as IP address.

When using a credit card online, consumers need to check to see whether the site is a secure site and make sure their browser supports SET (Secure Electronic Transfer) or SSL (Secure Sockets Layer). Also, the same consumer protection laws apply online as they do offline, so credit-card buyers are protected.

Before buying that CD online, savvy Web shoppers will check out the Web site's privacy policy and determine whether they've been followed via cookies. It is their right to know. If a site's privacy information isn't available or is incomplete, we recommend visiting another site. Companies should not play dumb when asked about their privacy policy. In this day and age in which seconds can make or break online shopping decisions, corporations can't afford to lose shoppers by not displaying comprehensive privacy policies.

Return to the Privacy in the Enterprise package.


Lori Mitchell (lori_mitchell@infoworld.com) covers portals, market exchanges, online customer service, and commerce-related tools.