A consortium of vendors focused on technology for personalizing Web sites today issued a set of self-regulatory data privacy guidelines as part of a continuing effort by companies and trade groups in the IT industry to stave off regulatory intervention by the federal government and individual states.
The guidelines proposed by the Wakefield, Mass.-based Personalization Consortium come as the U.S. Congress and various state legislatures are moving to consider legislative proposals regarding online privacy. For example, two key members of Congress said two weeks ago that they expect some kind of privacy law to be approved this year.
The Privacy Consortium -- which includes American Airlines Inc. and a mix of online advertising firms and vendors of personalization software -- said its guidelines "provide best practices that businesses can follow to ensure consumer confidence in their privacy policies." Personalization involves using technology to gather personal information about Web site visitors in order to tailor content to their individual interests.
The group also said that its members will be required to submit to independent audits to ensure that they're adhering to the privacy guidelines. Part of the consortium's goal is to help companies "follow a set of verifiable auditing guidelines when commissioning a third-party audit," said Don Peppers, one of its co-chairmen, in a statement.
Some of the new guidelines require participating firms to do the following:
- Provide customers with clear and conspicuous notice of their information-gathering practices, including what personal information they collect, how they collect it and how they plan to use it.
- Collect only the amount of individual and household data necessary to perform a specified set of tasks that are consistent with their stated privacy policies.
- Implement appropriate security methods and technologies to protect personal information.
- Offer Web site users the ability to "opt out," informing companies that they don't want their personal information to be collected, shared or used in any way.
- Allow individual users "reasonable access" to personal data and give them the opportunity to correct or delete information.
Privacy advocate Jason Catlett, president of Junkbusters Corp. in Green Brook, N.J., said the consortium's guidelines are "better than average" for a vendor-fueled proposal. "I see a lot of industry guideline proposals, and most of them are lamentably bad," he said. "This one has some good elements in it."
For example, Catlett said, the expectation that members of the consortium will have to undergo independent audits is a plus. "That gives some assurances to consumers that the [stated] privacy policies are being followed," he said. "It also gives the [companies] an incentive to do what they say. ... The only [negative thing] is that it's expensive."
Catlett said he's also impressed that Web site users would be allowed to delete personal information that had been collected by a company. But he added that privacy advocates aren't so receptive when companies propose "opt-out" mechanisms instead of using the more stringent "opt-in" approach, which requires up-front approval from users before any personal data can be gathered.