Privacy Innovators

A few bold companies are changing the way data privacy is delivered to the market. By taking risks that others fear, they're helping all of us define how we strike the balance between convenience and caution. I'd like to tip my hat to these innovators in each of the disciplines that make up privacy: Notice, Choice, Access and Security.

Notice. The development of P3P browser technology will change the way people tell companies what level of privacy they demand. Dismissing the never-ending stream of skeptics, a team from Microsoft, IBM and AOL, among others, has developed a way for browsers to automatically read Web site privacy settings. Built into Internet Explorer 6, the P3P technology can flag those sites falling below the user's minimum privacy preferences. Well done!

Kudos also to the Royal Bank of Canada (RBC) for pioneering a new type of user-friendly privacy policy. The RBC displays on its Web site a clear statement of 10 privacy principles. Visitors who want more details can find them in the linked pages. The Citigroup online privacy policy is also a model of clarity, consisting of 10 short promises written in basic English. Both are big improvements over the legal tomes that filled our mailboxes last summer.

Choice. The Direct Marketing Association (DMA) has taken the lead in requiring its members to sign a privacy pledge, demonstrating how industry can self-regulate. Members promise to stop sending direct mail to the millions of people on the DMA's opt-out roster. The move is bold because it puts the DMA's reputation and member dues on the line. I put my home address on the list and have noticed a clear reduction in junk mail.

Access. Experian Information Solutions Inc. has quietly deployed a fascinating and easy way for people to access their complete credit histories. After passing through a series of unique authentication measures, Web site visitors can view their entire profiles. I found mine to be very accurate.

Hats off also to the Commonwealth Bank of Australia and others that are charging customers between $20 and $75 per hour to respond to their requests to obtain copies of their personal profiles. To charge the true cost for these services is a risky public-relations proposition, but it's the right thing to do. Customers who don't want this service shouldn't be forced to subsidize those who do.

Security. Like the DMA, Visa International is risking its considerable clout to raise the global bar on data security. By requiring its top merchants to adhere to the standards in its Cardholder Information Security Program -- or lose their ability to process Visa payments -- Visa is putting its fee income on the line. The initiative is all the more bold because Visa's competitors will benefit from its efforts without taking any of the risk.

Newcomer ScanAlert Inc. has proved that security does pay. E-commerce Web sites that display its "Hacker Safe" seal have seen sales jump 13% to 30% and credit card fraud drop. The company posts the seal on your home page if it can verify that your Web server is protected against known vulnerabilities, and quietly removes it if it finds holes you don't fill quickly. Bravo!

Overall. Probably the most courageous acts of the past two years came when Dun & Bradstreet and Hewlett-Packard risked their brands in joining the very uncertain and maligned Safe Harbor, in which companies certify that their privacy protection is good enough for the European Union. D&B was the first major company to dock in the Harbor in November 2000, and HP soon followed in January. By joining early, they invited heightened scrutiny of their privacy practices and risked being publicly kicked out of the Harbor. Their leadership provided the cover for others to join, saving a truly valuable and innovative agreement.

In 2003, I'll be searching the market for innovators in two areas I think are still lacking: permissions management and security quantification. In permissions management, companies are waiting to be convinced that an "opt-in" approach is good for business. In data security, the market is waiting to be led toward a common, comprehensive way to measure and communicate security value to consumers. Innovators, forward!

Cline manages data privacy at Carlson Companies Inc., a Minneapolis-based group of businesses in the travel, hospitality and marketing industries. Contact him at


Copyright © 2003 IDG Communications, Inc.

Shop Tech Products at Amazon