
Jerry DeVault, Partner, Innovative Assurance Solutions
Brian Tretick, Principal, Privacy Assurance and Advisory Services
Kevin Ogorzelec, Senior Manager, Innovative Assurance Solutions
Ernst & Young LLP
Privacy and Independent Verification: What Consumers Want
Trust and confidence are at the heart of any successful business model that is able to gain the active participation of its customers and other stakeholders. The connectivity of the new economy, the ease of data collection, and ongoing revelations about how and where peoples' privacy expectations are not being met have made privacy the most important trust issue for online businesses. Even in the most robust organizations, privacy is a dynamic and evolving business risk. Consumer advocates, businesses, industry groups, states, and national governments are struggling to address the many issues of online and offline privacy. This paper explores what consumers want and how robust independent verification is part of the solution.
Over the past several years, businesses have increased their efforts to build trust with consumers by investing in earning consumers' confidence with respect to privacy. Companies have provided consumers with privacy notices and promises. Industry is developing and adopting privacy-enabling technologies. Businesses have formed industry organizations to develop common expectations for disclosures, address emerging issues, provide education, and raise awareness. The business community and consumer activists have educated regulators and lawmakers about data collection methods, information usage, and self-regulation. Yet all of these investments have not yielded increased consumer confidence.
Even after several years of business focus on addressing privacy concerns, a majority of consumers continue to have significant concerns that businesses are not keeping the promises they make in their privacy policies. And unfortunately for businesses, the trend is not improving. The increased media attention to high-profile cases of broken privacy promises, unmet expectations, public scrutiny of personal data collection and usage practices, and the sinking feeling consumers get that they are being watched and profiled contribute to a perception that businesses are not to be trusted with their information. This perception is now the reality that businesses must overcome to gain the trust and confidence of consumers.
Consumers look for evidence of a company's efforts to build trust with them. In their online activities, consumers inquire about company privacy policies governing the use of consumer information. Most consumers consider it important that websites post privacy policies. This varies little when compared by industry: the majority of consumers find it important that businesses communicate their policies and do what they promise in them.
Unfortunately, there is no silver-bullet technology solution to the privacy trust issue. Technology can be part of the solution to ease a consumer's distrust. However, the effectiveness of any technology is primarily a function of how well it is implemented and maintained. Browser-based technologies that assist consumers in evaluating privacy policies still fail to address the root of the privacy trust issue: that consumers don't believe companies are doing what they say they are doing. These technologies merely automate a manual process that consumers inherently distrust. Once compliance with stated policies is assured, filtering can appropriately be used by consumers to visit sites that maintain privacy policies and practices that meet their personal minimum criteria. While technology features are available to assist consumers in managing the collection of data about them, very few actually use the technology.
A further challenge to consumers is that technology solutions only address their concerns about online privacy, leaving the consumer struggling for mechanisms to address their offline privacy concerns. Even without specific technology enablers, consumers are managing their personal information and becoming more active in protecting it. A majority of consumers have refused to share information that they considered too personal or that they thought was not needed. They have also asked companies to remove them from marketing lists.
However, honesty may still be the best policy. Consumers have greater confidence in a company when privacy policies clearly discuss how their information is collected and used and what their choices are. Online seal programs such as BBBOnLine, TRUSTe and others were created to provide users with a baseline upon which online privacy practices could be evaluated for compliance. These programs were intended to promote some degree of oversight and address user privacy concerns. By displaying one of these online privacy emblems on its website, a company communicates to its users its commitment to follow the tenets of the particular program. New organizations continue to emerge in response to the evolving self-regulatory environment, promulgating their own privacy programs and standards to address what are considered industry segment-specific issues.
In a recent survey performed by Harris Interactive for Privacy & American Business, a majority of consumers indicated they would have confidence in a company that proves it keeps privacy promises by having them verified by an independent accounting firm. The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) developed a set of privacy principles that were released in Fall 2000. The principles allow independent accounting firms (independent third parties) to examine a company's privacy assertions. The WebTrust privacy program provides an assurance report that a company earns after extensive testing is performed by an independent accounting firm (independent verification). Earning an assurance report for privacy differs from a company's self-assertion of compliance with its stated privacy policy, as required by a seal program. An assurance report examination looks beyond the policies and tests the controls the company has implemented in order to comply with its policies.
To put this level of assurance in perspective, the efforts can be compared to financial statement audits. When a company is publicly traded, it is required to obtain an audit report of its financial statements by an independent accountant in accordance with generally accepted accounting principles (GAAP). If a company is privately owned, it may obtain a different (compilation) report from its accountants that does not involve the same level of testing and therefore does not carry with it the same level of comfort. It is, however, a method of communicating the company's financial results that is acceptable in limited circumstances. The seal programs such as BBBOnLine and TRUSTe can be viewed as the compilation report in the area of privacy. These programs meet the privacy needs of stakeholders in limited circumstances. However, for those situations where stakeholders require the highest level of assurance over privacy, robust independent verification is the solution.
Upon closer examination, the principles and criteria of most privacy seal programs, industry organization programs, and the WebTrust privacy program are very similar. Most of the programs have been built around the fair information practices of notice, choice, access, security, and accountability. Unfortunately for consumers, the debate usually revolves around which program has the best proprietary set of criteria rather than on the quality of the assurance provided. Most experienced privacy professionals do not understand how closely these programs' principles mirror one another. The main differentiator between earning an assurance report through robust independent verification and the various seal programs is that these seal programs do not robustly test the people, processes or technology for compliance. To be successful in building trust, privacy programs must extend beyond the privacy policy itself to the business's actual practices. The examination of privacy practices is necessary to provide the proof to consumers that the company is in fact doing as it says in its privacy policies.
Independent verification of a company's privacy practices has demonstrated value for consumers and business alike. The Harris Interactive survey found that consumers would do more business with companies that prove they do what they say. Companies, large and small, have undertaken independent verification of their privacy practices to communicate to their customers, suppliers, shareholders, and other stakeholders their commitment to protect their information. Ultimately, these companies seek a return on their investment in privacy infrastructure. By proving they are doing as they say, they are more readily able to realize a return.
In a May 2000 report to Congress entitled Privacy Online: Fair Information Practices in the Electronic Marketplace, the Federal Trade Commission (FTC) recommended enacting privacy legislation because self-regulatory programs alone cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leaders.
Robust independent verification is the tool with which a company can build trust with its stakeholders by communicating its ongoing compliance with privacy laws.
As more thought is given to privacy legislation to regulate certain industries and businesses, a safe harbor framework becomes an important consideration. A company applying for safe harbor is looking for consideration of its best efforts to protect consumers' privacy. Companies entering a safe harbor should be required to prove their compliance with generally accepted privacy principles. Allowing safe harbor to be gained by utilizing privacy programs that do not provide for periodic, ongoing, and robust independent verification will certainly fail to meet stakeholder needs.
Companies seeking the reward of active consumer participation and strong trusting relationships with consumers and partners alike will treat personal information as a strategic asset. The processes for its collection, protection, and destruction will be invested in and maintained as critical infrastructure processes. Consumers want businesses to earn their trust, and promises are not enough. They want to clearly understand those promises. They want proof that their personal information is being handled as promised. Companies that prove they keep their privacy promises will earn the trust and confidence of consumers, and in turn, consumers' business. Independent verification can provide that proof.
Note: In the preparation of this document, every effort has been made to offer the most current, correct, and clearly expressed information possible. Nonetheless, inadvertent error can occur, and business conditions often change. Further, the information in the text is intended to afford general guidelines on matters of interest to readers. The application and impact of this information can vary widely, however, from case to case, based upon the specific or unique facts involved. Accordingly, the information in this document is not intended to serve as professional advice. Readers are encouraged to consult with Ernst & Young LLP or other professional advisors familiar with their particular factual situation for advice concerning specific matters before making any decision, and the author disclaims any responsibility for positions taken by readers in their individual cases or for any misunderstanding on the part of readers. To the fullest extent permissible pursuant to applicable law, Ernst & Young disclaims all warranties, express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose.
The mere inclusion of the name of an organization in the text is not to be construed as an endorsement by Ernst & Young or the expression of an opinion as to the appropriateness or viability of any particular decision or course of action.
This document is copyright © 2002 Ernst & Young LLP. All rights reserved.
The Center For Democracy & Technology, 1634 Eye Street NW, Suite 1100, Washington, DC 20006. (v) 202.637.9800 (f) 202.637.0968. Copyright © 2005 by Center for Democracy and Technology.