Consumer Privacy Best Practices


Privacy Laws


Privacy is a hot topic, with new cases and situations arising every day around the globe. You don't have to look far to see how inappropriate data retention or usage destroys consumer trust. Case in point: Facebook, November 2007. Facebook got into hot water over Beacon, an advertising feature that broadcast to a user's friends what that user had bought on third-party partner sites. The data usage may well have been legal (Facebook offered an opt-out and had written provisions permitting these actions in its privacy policy), but the public response was overwhelmingly one of betrayed trust and condemnation, forcing a public apology.


As such, don't approach consumer privacy solely from a legal standpoint but from a CRM and loyalty management perspective as well. In doing so, keep in mind that no single standard of privacy exists globally. As the legal and legislative environments, both local and global, are in flux on this topic, we caution you to consult your lawyer and/or security professional for the latest and greatest.


Here you can learn more about the issues from both sides of the debate. This page should be considered illuminative rather than exhaustive.


Privacy should be a concern for everyone. Not just because of data breaches, or because you may run afoul of one of the many laws in the global marketplace, but because your customers are concerned about privacy, not only from a legal perspective but from a customer experience perspective as well.


Surprisingly, in this day and age, according to I4 Commerce almost 40% of online users are still new to web buying or are not buying online at all. And when asked what information they were willing to give online, consumer answers were equally enlightening:


Question asked: "How sensitive are you to providing the following information online?" (1 = not sensitive at all, 5 = most sensitive). Responses from all consumers, listed from least to most sensitive:

Email address
Date of birth
Home address
Home phone number
Mortgage and/or rent information
Last 4 digits of your SS#
3 digit credit card security number
Driver's license number
Credit card number
Bank account or routing #
Full 9 digit SS#


Thus, in every aspect of the consumer experience, put customers at ease: show them not only that you take their privacy seriously, but that it is safe to do business with you.


Privacy laws are everywhere and growing. Here are some examples of major laws around the world that relate to privacy and data protection:




Personal Data Protection Act of 2000




Australia:


Privacy Act of 1988


Privacy Amendment (Private Sector) Act 2000: This Act has strict procedures for the way that private sector organizations deal with personal information relating to identifiable individuals.


The Act requires that data be collected, stored, and shared according to specific guidelines and also places major restrictions on transferring personal information overseas. It also requires that individuals be given access to their personal information and that individuals be given the option of anonymity wherever lawful and practicable.




Canada:


Personal Information Protection and Electronic Documents Act (PIPEDA): This Act, which was phased in beginning in 2001 and came fully into force on January 1, 2004, establishes complex and detailed rules to govern the collection, use, and disclosure of personal information in a manner that balances the right of privacy of all individuals with the need of organizations to collect, use, or disclose such information for purposes that a reasonable person would consider appropriate in the circumstances.


PIPEDA places severe limits and controls on organizations with respect to the collection, use, and disclosure of personal information. It also mandates that individuals consent to certain data uses and that they be given access to their personal information and have the ability to challenge compliance with the law.




China: As far as we are aware at the time of writing, China has no personal data privacy law, although one could be imposed at any time without notice.


European Union:


European Union Data Protection Directive: The full name of this directive is Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.


This Directive regulates information—such as names, e-mail addresses, photographs, phone numbers, and medical records—relating to individuals including employees, contractors, and business contacts. All such information is called personal data. In some EU countries, personal data also includes information relating to companies themselves.


Anything that is done with this information—obtaining it, recording it, storing it, using it and even destroying or disposing of it—must be done in accordance with the provisions laid down in the Directive.


European Union Privacy and Electronic Communications (Anti-SPAM) Directive: The full name of this directive is Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.


The Directive requires those who wish to market their products and services through e-mail to obtain the addressee's prior consent to receive such e-mails (an "opt-in" system). The former "opt-out" system only required the sender to allow addressees to object to receiving further unsolicited commercial e-mails; the opt-in system requires their consent in advance.




Data Protection Act




Data Protection Act. The Telecommunications Act adds additional privacy requirements for electronic communication and the systems that enable it.




India: As far as we are aware at the time of writing, India has no personal data privacy law. India's legislature is considering new laws and amendments to existing laws to protect data.




Data Protection Code




Japan:


Personal Information Protection Act 2003: This Act protects individuals by regulating the use of personal information in personal information databases by private sector businesses.


The Act requires entities handling personal information to meet a number of restrictions as to the collection, handling, transfer, and security of the information. It also requires that individuals be given access to their personal data and that individuals consent to certain data uses.


New Zealand:


Privacy Act




Data Protection Act




Laws on the Protection of Personal Data


United States:


A wide variety of federal laws touch on privacy, for example:


Fair Credit Reporting Act

Bank Secrecy Act

Children's Online Privacy Protection Act (COPPA)

Freedom Of Information Act (FOIA)

USA PATRIOT Act


The Federal Trade Commission (FTC), as the federal consumer protection agency, may also have jurisdiction over industries not already regulated by a sector-specific law, through its authority over unfair or deceptive practices.


Gramm-Leach-Bliley Act: Financial institutions are covered by and subject to the requirements of the Gramm-Leach-Bliley (GLB) Act.


The Act requires covered financial institutions to protect information collected about individuals, mandates that they provide their customers a notice explaining their privacy policies, and requires that they offer individuals an opportunity to opt out of sharing information with certain non-affiliated third parties.


The Act also has an information safeguarding provision, implemented by the FTC as the Safeguards Rule, which requires a written information security program appropriate to the institution's size and the sensitivity of the data it holds.


CAN-SPAM Act: This Act imposes certain requirements on e-mails sent for the primary purpose of advertising or promoting a commercial product or service (including content on an Internet web site operated for a commercial purpose).


It prohibits a sender of a commercial e-mail from including fraudulent or deceptive information. The sender must also include a clear and conspicuous notice that provides the consumer an “opt-out”—or decline—option of receiving future e-mails, states that the e-mail is an advertisement and provides a physical address for the sender of the e-mail.


Do Not Call Lists: The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) established the National Do Not Call Registry. Telemarketers subject to FTC and FCC regulation may not call an individual who has placed his or her telephone number on the registry, subject to certain exemptions (for example, an established business relationship or prior written consent).


Children's Online Privacy Protection Act (COPPA): This Act addresses the collection, use, or disclosure of personal information from children under the age of 13 through web sites or other online services. It applies to operators of web sites directed to children under 13, and to operators of general-audience sites who have actual knowledge that they are collecting personal information from children under 13.


COPPA specifically protects these children by requiring verifiable parental consent before the collection or use of any personal information from them, along with other restrictions on how that information may be used and disclosed.


Health Insurance Portability and Accountability Act of 1996 (HIPAA): Health care providers, health plans, and health care clearinghouses are subject to HIPAA requirements regarding the safeguarding of medical data and the non-disclosure of protected health information.


The Privacy Act of 1974: Government agencies can compile only data that is relevant and necessary on US citizens and residents, and must respect the rights of those individuals to access that data.


State Laws:


Various U.S. states, led by California and including Louisiana, Massachusetts, New Jersey, and New York, have passed or are considering legislation that impacts privacy.


An example is California's Security Breach Information Act (SB 1386), which went into effect July 1, 2003. This law requires organizations to notify California residents if unencrypted personal information about them that is maintained in computerized data files has been, or is reasonably believed to have been, acquired by an unauthorized person.


Several other states are passing or considering similar legislation on a variety of privacy-related issues, including telemarketing, SPAM, spyware, identity theft, security breach, and other aspects of internet and web site activity.


International Standards Affecting the U.S.:


Payment Card Industry (PCI) Data Security Standard: PCI DSS is a contractual standard imposed by the card brands rather than a law, and it is focused more on security of cardholder data than on privacy.


Safe Harbor: Bridging US and EU privacy rules, Safe Harbor was available only to organizations subject to the jurisdiction of the FTC or the Department of Transportation (DOT). Organizations self-certified annually to the U.S. Department of Commerce, and could use programs from companies such as TRUSTe or BBBOnLine to provide the required verification and dispute-resolution components. Note that the Safe Harbor framework was later invalidated by the Court of Justice of the European Union in October 2015.



A summary of laws affecting direct mail


This page offers a good summary of news and opinion affecting the world of online and off-line privacy.


Find articles on the latest news and opinion on this issue


Find articles on the latest legal and regulatory environment


Recommended practices to comply with California's tough privacy requirements.



Businesses that responsibly manage privacy and educate their customers about their privacy practices benefit greatly - especially with regard to positive brand development. One Harris Interactive survey found that 68 percent of all consumers "consider the privacy protections of a company before they will do business with that company, especially in industries that handle their most sensitive information." Additionally, 83 percent of all respondents said that they will "stop doing business entirely with a company if they hear or read that a company is using its customers' information in a way they consider to be improper." You can never make your customers feel too secure.


Everything you need to know about responsible privacy practices from TRUSTe


If you operate a web site that has the potential of collecting personal information from children (ages 12 or younger), you must comply with the Children's Online Privacy Protection Act (COPPA). You definitely don't want to run afoul of the law on this one. Some sites take the most drastic approach of cutting off preteens altogether. Others ask for a parent's credit card number (the card isn't charged but is used to verify that the person giving consent is an adult). To be safe, consider going beyond COPPA and adopting the Children's Advertising Review Unit's (CARU) guidelines as well.


Don't think you're immune from COPPA. Mrs. Fields Cookies and Hershey Foods settled FTC charges that their Web sites violated children's privacy laws by illegally collecting personal data from children without first obtaining proper parental consent. Mrs. Fields paid civil penalties of $100,000 and Hershey paid civil penalties of $85,000. Specifically, Hershey instructed children under 13 to have their parents fill in an online parental consent form. The FTC alleged that the company took no steps to ensure that a parent or guardian actually saw or filled out the consent forms.


The CAN-SPAM Act - Federal law that covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site.


Spam. Read the actual letter of the laws, both federal and state.


Recommended practices to comply with California's tough online privacy requirements


For a comprehensive summary of news and opinion on marketing and privacy, there is no place like an advocacy group.

Hey you might learn something.


The DMA (the Direct Marketing Association) is also trying to sort out the good guys from the bad guys by developing guidelines for e-mail marketers.


This news aggregator offers a fairly comprehensive listing of current news regarding online privacy from sources on all sides of the privacy debate.


The Network Advertising Initiative is a cooperative group of network advertisers that have developed a set of privacy principles, in conjunction with the Federal Trade Commission. Can't hurt to see what they have to say, then consult your own lawyer.

TRUSTe has introduced a Trusted Sender certification and seal of approval initiative for commercial e-mailers. So far, they've managed to attract some high profile names.


Web site personalization, while a marketer's dream, has some very heated privacy issues associated with it.

It can't hurt to consult a few privacy experts or a consumer site hosted by the American Bar Association to get a lawyer's point of view - because you just know they are "hankerin'" to get involved.


A model of how to present the importance of privacy and customer satisfaction to your customers.


Opt-in Policies


Part and parcel of any comprehensive CRM and privacy policy is determining whether your web site will have an opt-in or an opt-out system of customer contact. With opt-in policies (i.e. users check a box if they want to be contacted), the customer stays in control. Opt-out systems are a negative option: the customer is contacted by default and has to pro-actively decide not to receive communications from you.


While arguably, self selected customers will respond best to ongoing offers, according to Forrester Research, 18 percent of customers will respond to a request to either opt-in or out. That is hardly heartening - especially considering experience has shown us that your valuable customers are the ones who are likely opting out... initially. Can a company survive if it is limited to contacting less than one-fifth of its customer base?


Rather than trying that experiment and adopting a total opt-in or total opt-out policy, consider giving your customers choices. Customers are jaded. A blanket opt-in means that, once checked, the consumer can be bombarded through any and all channels available (e-mail, telephone, direct mail) at any time of day. Address those concerns. Allow customers to tailor the types and frequency of communication, e.g. "e-mail me three messages a month maximum, only about one product, but don't ever call me." It's a customer-friendly way to build a relationship around the user's needs.
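The preference model described above, worked through as an added example (this is not code from this site or from any vendor): a small consent gate that enforces the difference between opt-in and opt-out defaults, per-channel and per-topic permissions, and a rolling 30-day frequency cap per channel, so that "three e-mails a month about one product, never a phone call" is something the sending system checks rather than something a marketer remembers. Customer names, channel and topic labels, and dates are constructed for illustration.

```python
"""Consent gate for customer contact: opt-in vs opt-out defaults, per-channel and
per-topic permissions, and a rolling 30-day frequency cap per channel.

Added example for this page, not code from the site or any vendor. Customer ids,
channel/topic names, dates and the sample preferences are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ContactPreferences:
    """What one customer has told us they are willing to receive."""
    channels: Set[str] = field(default_factory=set)            # e.g. {"email"}; empty = no contact
    topics: Optional[Set[str]] = None                          # None = any topic is acceptable
    monthly_cap: Dict[str, int] = field(default_factory=dict)  # per-channel cap in a 30-day window


class ConsentGate:
    """Decides whether a given message may be sent and records what was sent."""

    WINDOW = timedelta(days=30)

    def __init__(self, model: str = "opt-in") -> None:
        if model not in ("opt-in", "opt-out"):
            raise ValueError("model must be 'opt-in' or 'opt-out'")
        self.model = model
        self.prefs: Dict[str, ContactPreferences] = {}
        self.sent: List[Tuple[str, str, datetime]] = []   # (customer, channel, when)

    def set_preferences(self, customer: str, prefs: ContactPreferences) -> None:
        self.prefs[customer] = prefs

    def sends_in_window(self, customer: str, channel: str, now: datetime) -> int:
        start = now - self.WINDOW
        return sum(1 for c, ch, ts in self.sent
                   if c == customer and ch == channel and start < ts <= now)

    def may_contact(self, customer: str, channel: str, topic: str,
                    now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason); every refusal carries a reason for the audit trail."""
        prefs = self.prefs.get(customer)
        if prefs is None:
            # The whole difference between the two models lives here:
            # silence means "no" under opt-in and "yes" under opt-out.
            if self.model == "opt-in":
                return False, "no affirmative consent on file"
            return True, "opt-out model and no objection recorded"
        if channel not in prefs.channels:
            return False, f"customer has not permitted channel '{channel}'"
        if prefs.topics is not None and topic not in prefs.topics:
            return False, f"customer only wants topics {sorted(prefs.topics)}"
        cap = prefs.monthly_cap.get(channel)
        if cap is not None and self.sends_in_window(customer, channel, now) >= cap:
            return False, f"30-day cap of {cap} on '{channel}' already reached"
        return True, "ok"

    def send(self, customer: str, channel: str, topic: str, now: datetime) -> bool:
        """Send only if the gate allows it; return whether a message went out."""
        allowed, _ = self.may_contact(customer, channel, topic, now)
        if allowed:
            self.sent.append((customer, channel, now))
        return allowed


def silence_means_yes(model: str) -> bool:
    """Whether a customer with no preferences on file may be contacted under `model`."""
    return ConsentGate(model).may_contact("unknown", "email", "anything",
                                         datetime(2008, 1, 1))[0]


def demo() -> List[Tuple[str, bool, str]]:
    """The page's scenario: 'e-mail me three messages a month maximum, only about one
    product, but don't ever call me'. Returns the gate's labelled decisions in order."""
    gate = ConsentGate("opt-in")
    t0 = datetime(2008, 1, 1)                                  # constructed start date
    gate.set_preferences("alice", ContactPreferences(
        channels={"email"}, topics={"widgets"}, monthly_cap={"email": 3}))
    results: List[Tuple[str, bool, str]] = []
    results.append(("phone call", *gate.may_contact("alice", "phone", "widgets", t0)))
    results.append(("other product", *gate.may_contact("alice", "email", "gadgets", t0)))
    # Weekly e-mails: days 0, 7, 14 go out; day 21 is the fourth inside 30 days and is
    # held; by day 35 only the day-7 and day-14 sends remain in the window, so it clears.
    for day in (0, 7, 14, 21, 35):
        when = t0 + timedelta(days=day)
        ok, why = gate.may_contact("alice", "email", "widgets", when)
        gate.send("alice", "email", "widgets", when)
        results.append((f"email day {day}", ok, why))
    return results


if __name__ == "__main__":
    for label, ok, why in demo():
        print(f"{label:14} {'SEND' if ok else 'HOLD'}  {why}")
```

The send log is the piece most real systems skip: without it the frequency cap cannot be enforced, and without the reason string attached to each refusal you cannot later show a regulator or an unhappy customer why a given message was or was not sent.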


In many cases, consumers will need an incentive to respond, so why not pay a customer for providing information? Firms pay list companies all the time for valuable customer information.




Sites of interest:

A review of Federal and State Privacy Laws (PDF)


Privacy Law Playbook - GREAT site covering information on relevant laws and regulations, pending legislation, articles, and other relevant resources


Privacy2000 - excellent aggregator of privacy in the news headlines


Spam Laws (a review of federal and state laws along with selected cases)


Center for Democracy and Technology: Web site tracks US consumer privacy legislation within the current congress as well as including a collection of historical information.


The Daily Dashboard from the IAPP: Free email newsletter providing abstracts and links to privacy-related incidents and current events worldwide.


E-commerce Law Week by Steptoe and Johnson: Free weekly newsletter that discusses electronic commerce issues and new law developments including privacy.


BNA Privacy Law Watch and Privacy and Security Report: Reports provide notification of current events and articles analyzing those events by attorneys and reporters on primarily US issues.


Privacy Law & Business International Newsletter: Newsletter covers international legislation updates, case studies, and legal analysis in the areas of privacy principles, workplace privacy, marketing, and international data transfers.


Alston & Bird International Privacy Library: Extensive collection of provisions from governments worldwide on the topic of privacy as well as privacy-related articles and analysis. It also maintains English translations of some foreign laws


PrivacyLaw - another aggregator of privacy news, legislation and other relevant information


Federal Trade Commission: Privacy Initiatives


Electronic Privacy Information Center - a good source for privacy hot topics from a public interest group focused on civil liberties in the information age


Privacy Foundation - a public interest group focused on personal privacy


Privacy Journal - the longest running publication on privacy


Privacy Times - authoritative magazine dealing with all things privacy


Internet Law Library - legal privacy and information access


Electronic Frontier Foundation - public interest group focused on free speech on the Web


Privacy Rights Clearinghouse


Privacy International - Another watchdog group with news from around the world


The Organization for Economic Cooperation and Development (OECD): Contributes guidelines for the protection of privacy and trans-border flows of personal data developed by member countries including the UK, US, and Japan.


AICPA/CICA Privacy Task Force: The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) developed a privacy framework.


Asia-Pacific Economic Cooperation (APEC): APEC has created a privacy framework to establish a consistent approach to privacy across the region.


ID Theft web site


Miscellaneous white papers




In keeping with our site's mission to represent CRM best practices, we reiterate our call that should you come across content and links that, in your opinion, represent the best of the Internet, we strongly encourage you to pass them along so we can continue to keep our community abreast of the latest and best.