Adoption and Implementation Additionally, in the vast majority of 1. circumstances, where there is third party of a Privacy Policy distribution of individually identifiable What can An organization engaged in online activities or information, collected online from the electronic commerce has a responsibility to individual, unrelated to the purpose for adopt and implement a policy for protecting the which it was collected, the individual should you privacy of individually identifiable information. be given the opportunity to opt out. Consent Organizations should also take steps that foster for such use or third party distribution may do the adoption and implementation of effective also be obtained through technological to protect online privacy policies by the organizations with tools or opt in. which they interact; e.g., by sharing best practices your customers’ with business partners. 4.Data Security Notice and Disclosure Organizations creating, maintaining, using privacy 2. or disseminating individually identifiable An organization’s privacy policy must be easy to information should take appropriate measures find, read and understand. The policy must be to assure its reliability and should take available prior to or at the time that individually “Ninety-two percent of companies reasonable precautions to protect it from identifiable information is collected or requested. loss, misuse or alteration. They should take feel that they adequately protect The policy must state clearly: what information reasonable steps to assure that third parties users’ privacy by disclosing is being collected; the use of that information; to which they transfer such information are possible third party distribution of that information; practices and not selling data. aware of these security practices, and that the choices available to an individual regarding the third parties also take reasonableprecautions However, ninety percent of sites ?? collection, use and distribution of the collected to protect any transferred information. fail to comply with . . . basic privacy information; a statement of the organization’s commitment to data security; and what steps protection Data Quality and Access the organization takes to ensure data quality 5. principles.” and access. The policy should disclose the Organizations creating, maintaining, using or disseminating individually identifiable — Forrester Research consequences, if any, of an individual’s refusal to provide information. The policy should also information should take reasonable steps to include a clear statement of what accountability assure that the data are accurate, complete mechanism the organization uses, including and timely for the purposes for which they how to contact the organization. are to be used. Organizations should establish appropriate processes or mechanisms so Choice/Consent that inaccuracies in material individually 3. identifiable information, such as account or Individuals must be given the contact information, may be corrected. These opportunity to exercise choice processes and mechanisms should be simple “The loss of personal privacy regarding how individually and easy to use, and provide assurance that identifiable information is the Number One concern inaccuracies have been corrected. Other collected from them online procedures to assure data quality may of Americans as the 21st may be used when such use is include use of reliable sources and Century approaches.” unrelated to the purpose for collection methods, reasonable and which the information was appropriate consumer access and — Wall Street Journal/ collected. At a minimum, correction, and protections against NBC News Poll, September 1999. individuals should be given the accidental or unauthorized alteration. opportunity to opt out of such use. Member Companies E-commerce has grown 3Com Equifax Novell faster than anyone could have Acxiom Ernst and Young northpole.com. LLC AdForce Experian Oracle predicted only a few years America Online, Inc. Fast Forward/IAB Preview Travel Creating Ameritech Ford Pricewaterhouse ago. The is entering more Apple Computer Gateway Coopers and more American homes to AT&T GeoCities PrivaSeek, Inc. consumer Bank of America Geotrust, Inc. Procter & Gamble become a true mass medium. Bell Atlantic Hewlett-Packard Real Networks, Inc. While the Net offers unparalleled Bell South IBM Reciprocal, Inc. BioNetrix InsWeb Corporation Sun Microsystems confidence convenience for consumers, many Systems Corp. INSUREtrust.com LLC Teknosurf.com Centraal Corporation Intel Corp. Time Warner Inc. hesitate to transact business on the Cisco Intuit Unilever online: CommTouch Software KPMG United States, Inc. online: web. People are nervous about the Compaq LEXIS-NEXIS USinternetworking Inc. potential loss of personal privacy. Is Dell MatchLogic Viacom Five Essential Disney MCI WorldCom ViewCall Canada, Inc. their personal information and Dun & Bradstreet Virtual Vineyards Elements to online activity tracked, collected and DoubleClick Inc. MindSpring WebConnect eBay Inc. Enterprises, Inc. Women.com analyzed without their knowledge or Eastman Kodak, Co. National Foundation Networks Online Privacy EDS for Consumer Credit Xerox approval? EDventure Holdings, Inc. NCR Yahoo! E-LOAN Nestl´e USA Web businesses are striving to Engage Netscape Technologies Inc. Netzip Inc. convert visitors to customers. Enonymous Corporation NORTEL But consumers will not purchase e-commerce from sites if they do not feelconfident Member Associations American Advertising Federation Information Technology Association that their personal information is American Electronics Association of America respected. News stories, studies American Institute Information Technology of Certified Public Accountants Industry Council and polls all confirm that fear of the Association of Online Professionals Interactive Digital Business Software Alliance Software Association loss of privacy is a principal reason CASIE Interactive Travel Services Association people don’t transact business (CASIE is representing Association of (ITSA) National Advertisers & American Internet Alliance online. If online companies expect Association of Advertising Agencies) Motion Picture Association of America Computer Systems Policy Project Software & Information consumers to spend time at a (CSPP) Industry Association Web site, make purchases and visit Council of Growing Companies The United States Direct Marketing Association Chamber of Commerce the site again they must build trust. European-American Business Council The United States Council for Individual Reference Services Group International Business Posting a privacy policy is a critical step. But what is Organizations collecting personal data are urged to join a credible privacy policy? The an online privacy "seal program." Information on these programs is available at the following Web sites: Online Privacy Alliance, a coalition www.bbbonline.org of nearly 100 global companies www.truste.org www.cpawebtrust.org and associations, urges all Web Other third party enforcement programs are at: businesses to post privacy policies www.the-dma.org www.irsg.org that contain ALL the following elements, recognized by policymakers Thanks to Intel Corporation for their support in the creation of this brochure. and consumers as the foundation for a policy that engenders trust. Join Us! To join the Online Privacy Alliance, or for more information, contact: www.privacyalliance.org Or contact 202/244-1200. Online Privacy Alliance