Does Privacy Pay?

The flat economy has forced companies across America to require any new investments to deliver hard economic returns within short time frames. Do privacy-related investments generate these kinds of returns? In many cases, absolutely not. But if your company plays in a privacy-sensitive industry, your customer databases may be empty in a few years if you don't start investing in privacy now.

The reason many privacy investments—in permission-tracking technology, for example—don't generate hard returns by themselves is that they're like investing in buildings. They enable other things to happen in the future that generate the returns. In addition, there are few ways besides Web privacy seals for customers to know which companies are actually investing in and protecting privacy. If customers can't see the results of the investment, privacy won't pay.

So what does it take for privacy investments to finally generate hard returns for a company? Putting my customer hat on, privacy would have to be a key part of what I think about when I see the company's logo. I would give accurate and more complete personal information to companies I could trust. I would need to trust that the company won't share my information with others, will protect it from hackers and won't hound me with unwanted direct marketing. In America, this means going above and beyond the law.

The hard returns for such a company come in the form of more customer data that can be used to generate repeat purchases and higher average sales. This is how privacy pays.

But building the abstract experience of privacy into a brand image is no small feat. It doesn't result from a single project. It takes a long-term strategic commitment from the most senior executives and a series of projects over several years. It takes customers repeated experiences to learn that bad things aren't happening to them when they deal with your company.

So have any companies already made this strategic move? To answer this question, I reviewed the membership rosters of the Safe Harbor and privacy-seal groups, as well as other indicators of a strategic investment in data privacy. One trend became obvious: Companies that depend on collecting sensitive information or on providing the technology to manage this information—what I call "privacy-sensitive commerce"—are by far the most active in trying to make privacy pay. (To figure out if you're in privacy-sensitive commerce, see Table 1.)

The privacy steps companies take on their Web sites appear to be the clearest differentiators of who is committed to data privacy. Among the Fortune 100, 83 companies post a privacy policy, but only 15 display a privacy seal, and four have their sites enabled with the Platform for Privacy Preferences (P3P) technology. A few companies do all three.

Another differentiator is whether a company has joined a privacy-related program or organization. Only nine of the Fortune 100 are members of the Safe Harbor program. Just 11 belong to the Online Privacy Alliance, the International Association of Privacy Professionals, or Privacy and American Business, the leading privacy associations in the U.S.

So who are these companies? Are they your competitors? Table 2 shows the top 10 privacy leaders in the Fortune 100—those that have the most external indicators of a strategic commitment to privacy. It's no accident that nine of the 10 are in the technology and communications industries—key players in privacy-sensitive commerce.

Is your company involved in this privacy-sensitive commerce? If your business model depends on collecting sensitive personal information and you collect it online or through bar codes, the answer is clearly yes. If you're in the privacy space and haven't made a strategic commitment to privacy, be assured that many of your Fortune 100 competitors already have.

So does privacy pay? In the short term, it may not. But a lack of a privacy strategy will punish many who are taking a short-term view of their current economic situation.

Cline manages data privacy at Carlson Companies Inc., a Minneapolis-based group of businesses in the travel, hospitality and marketing industries. Contact him at

Table 1: Are You in a Privacy-Sensitive Industry?

Companies that either collect sensitive personal information or provide the technology to manage that information are most likely to see privacy as a long-term, competitive differentiator.

Privacy-Sensitive Sectors (rows: Data Sensitivity; columns: Data Collection Channel)

| Data Sensitivity | Off-line (paper forms) | Electronic off-line (bar codes, loyalty cards) | Online |
| --- | --- | --- | --- |
| Highly sensitive (credit-card numbers, bank account numbers, Social Security numbers) | Small professional services: financial planners | Banks, insurance companies | Online banking, telecommunications providers, Internet service providers, computer software and hardware |
| Sensitive (medical information, personal preferences) | Small professional services: medical | Hospitals, hotels, drug makers, off-line publications | Online booksellers, online travel, online market research |
| Basic (contact information, purchase histories) | Brick-and-mortar retailers | Loyalty-card retail, automotive retail, consumer utilities | Online retailers |
| Minimal | Manufacturers, oil refiners, industrial goods | Off-line postal services | E-mail-only marketing, online postal tracking |

Table 2: Fortune 100 Privacy Leaders

Among the Fortune 100, these companies have taken the most steps indicating a long-term, strategic commitment to data privacy.

Privacy policy on Web site | Privacy seal on Web site | P3P-enabled Web site | Member of a privacy organization | Safe Harbor member
IBM x x x x x
Microsoft x x x x x
Hewlett-Packard x x x x x
Procter & Gamble x x x
AT&T x x x x
Intel x x x
EDS x x
Verizon x x
AOL Time Warner x x
Dell x x x x

See more columns by Jay Cline.

Copyright © 2003 IDG Communications, Inc.
