Companies Discuss Protecting Consumer Privacy
Conference attendees look to balance profitable technologies with customer concerns.
Andrew Brandt, PCWorld.com
WASHINGTON--Gathering here this week are hundreds of chief privacy officers, who bear a title that didn't exist in most businesses just two years ago, but who are today thrust into a hot seat juggling consumer concerns, company interests, and new government regulations.
Many corporations have created the new executive title of chief privacy officer (CPO) to comply with new federal and state privacy regulations. Represented here at the conference of the Privacy Officers Association are CPOs from financial institutions, insurance companies, the health care industry, and online and offline retail businesses. They're comparing notes on the challenge of protecting the privacy of their employees and customers, while their companies want to take advantage of shared databases and listservs. The latest twist is balancing privacy with security concerns following the September 11 attacks.
This, however, is a gathering of privacy advocates who contend that it's bad business not to take customer privacy seriously.
Setting Priorities
"Having a secure world doesn't have to mean consumers need to sell out their personal information to the highest bidder," said Mozelle Thompson, a Federal Trade Commission member and conference speaker. "Privacy has to be a part of business strategy to get consumers in your corner."
Privacy lawyer John Kemp concurred. "We need to make privacy endemic in the corporate culture of all businesses," Kemp said. "Procter and Gamble has decided that privacy has as much to do with Tide as does detergent."
Other privacy experts were more prosaic.
"When you screw around with privacy, you screw around with your brand," cautioned Larry Irving, chief strategist for Privacy Council, a consulting firm.
Online tools confound privacy issues as never before, noted David Stampley, associate attorney general for New York. "Cookies are like the LoJack of Web sites, and in the age of Web bugs, when you get up in the morning to read your newspaper [online], your newspaper is probably also reading you," he said.
Goofs and Gains
A frequent topic was the recent FTC ruling against the Eli Lilly drug company for carelessness with e-mail to customers. The CPOs also conducted a postmortem on the practice of flooding customers of financial and insurance companies with privacy notices, to comply with the federal Gramm-Leach-Bliley Act approved last year.
The Lilly ruling stemmed from an FTC investigation of the company, which last year sent a mass e-mailing about its antidepressant drug Prozac to 669 Prozac users--revealing all addressees to every recipient.
"It's hard to get companies to understand how [the Eli Lilly incident] didn't just affect the 669 individuals whose privacy was broken, but all six million customers who are in the same database," the FTC's Thompson said.
Most of the speakers and participants in breakout sessions were critical of the so-called Gramm-Leach-Bliley (GLB) Act notices mailed to consumers last summer. The privacy experts complained about incomprehensible legalese in the notices. Many considered the practice a dismal failure of a well-intentioned privacy law--even if they strongly supported the legislation.
Next Challenge
But the GLB issue was overshadowed by the specter of new, more complex notices that health insurance and medical businesses must distribute in 14 months, under another privacy law that targets those industries. The Health Insurance Privacy Assurance Act (HIPAA) will require a similar disclosure by companies about their privacy practices.
"If you thought the GLB notices were bad, just wait until the lawyers get their hands on HIPAA to write those notices," joked Marilou King, a privacy lawyer.
But attendees did not seem concerned about the USA Patriot Act, a much-touted antiterrorism bill that has worried some privacy advocates. The act broadens the government's ability to monitor communications, including e-mail and cell-phone conversations, and share that information among agencies.
"The reports of the death of privacy have been greatly exaggerated," said Daniel Collins, associate deputy attorney general and CPO of the U.S. Justice Department.
"The cost of not providing privacy assurance may be far greater than the cost of implementing privacy," FTC Commissioner Thompson said.
Computer security and privacy software company Zero Knowledge Systems also announced at the conference a deal with Hewlett-Packard to bundle a light version of its Freedom software on new Pavilion desktop PCs.
The bundled package includes a cookie and password management tool, ad-blocking filters, and a personal information protection system that scans outbound data for sensitive numbers (such as credit cards). For an additional fee, users can upgrade the bundled version to add a personal firewall, antivirus package, and parental controls that lock out inappropriate content for kids.
