What's Your Privacy Policy?

Last year I raised funds for a national organization that helps premature babies and their families. Online fundraising is becoming more popular and this organization allows you to create an online profile; accept pledges and donations; check your fundraising goal; and print pledge forms.

And it also allows you to see the private profile information from other volunteers: name, address, phone number, e-mail address, and employer (with accompanying address and phone). All it took was to change a single number in the URL when displaying a certain form. (By my estimate, nearly 800,000 volunteers had their privacy compromised.)

I reported this last year when I found it, with no response to my several e-mail messages. When I signed up again this year, I found that the website team had made a minor change to the URL, presumably to keep this security risk from occurring. Unfortunately, the change was ineffectual and I was once again able to access data that should have been kept private.
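The flaw described above is an insecure direct object reference: the server fetches whatever record the URL names and never checks that the record belongs to the person asking. The following is an added example, not the fundraising site's code, modelling that endpoint in plain Python with an in-memory table of invented volunteers. It shows the original handler, an obfuscation-only "fix" (the article does not say what the site's URL change was; base64-encoding the id is my assumed stand-in for a cosmetic change), and a handler that actually authorizes the request against the logged-in user, plus the id walk a curious visitor would perform against each.

```python
import base64

# Constructed sample data standing in for the volunteer database; the names,
# numbers and ids are invented for this example.
VOLUNTEERS = {
    101: {"name": "Volunteer One", "phone": "555-0101", "employer": "Example Co"},
    102: {"name": "Volunteer Two", "phone": "555-0102", "employer": "Example LLC"},
    103: {"name": "Volunteer Three", "phone": "555-0103", "employer": "Example Inc"},
}


class Forbidden(Exception):
    """The logged-in user may not view the requested record."""


def view_profile_vulnerable(session_user_id: int, url_id: str) -> dict:
    """Original behaviour: /profile?id=<n> serves whatever id the URL names.

    The record is fetched straight from the URL parameter with no check that it
    belongs to the logged-in user (an insecure direct object reference).
    """
    return VOLUNTEERS[int(url_id)]


def encode_id(volunteer_id: int) -> str:
    """Assumed stand-in for the site's 'minor change to the URL': base64."""
    return base64.urlsafe_b64encode(str(volunteer_id).encode()).decode()


def view_profile_obfuscated(session_user_id: int, url_token: str) -> dict:
    """The ineffectual fix: the id is disguised in the URL, not authorized.

    A visitor who decodes their own token sees the number, changes it and
    re-encodes it; the handler still never asks who is allowed to see it.
    """
    volunteer_id = int(base64.urlsafe_b64decode(url_token.encode()).decode())
    return VOLUNTEERS[volunteer_id]


def view_profile_authorized(session_user_id: int, url_id: str) -> dict:
    """Corrected handler: the record is tied to the authenticated session.

    The id in the URL is honoured only if it matches the logged-in user; any
    other id is refused before the table is consulted, so the response gives
    no hint whether that id even exists.
    """
    volunteer_id = int(url_id)
    if volunteer_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not view {volunteer_id}")
    return VOLUNTEERS[volunteer_id]


def leaked_ids(handler, session_user_id: int, candidate_ids, to_url=str) -> list:
    """Simulate the walk described above: request each candidate id through
    `handler` as the logged-in user and return the ids of OTHER volunteers
    whose records came back.  `to_url` turns an id into the URL parameter the
    handler expects (plain digits by default, encode_id for the obfuscated one).
    """
    leaked = []
    for candidate in candidate_ids:
        try:
            handler(session_user_id, to_url(candidate))
        except (Forbidden, KeyError):
            continue  # refused, or no such record: nothing learned
        if candidate != session_user_id:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    me = 101
    probe = range(100, 105)
    print("vulnerable:", leaked_ids(view_profile_vulnerable, me, probe))
    print("obfuscated:", leaked_ids(view_profile_obfuscated, me, probe, encode_id))
    print("authorized:", leaked_ids(view_profile_authorized, me, probe))
```

Run as a script, the first two handlers leak the other two volunteers' records to user 101 while the authorized handler leaks none. The point of the third handler is that the decision is made from the session, not from anything the visitor can type into the address bar; where a page legitimately must show records other than the caller's own (an administrator's view, say), the same check becomes a role or ownership lookup, but it is still a check, not a disguise.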

This time I decided a phone call to the national headquarters was in order. When I told the receptionist that I "wanted to report a violation of their website privacy policy," I was correctly transferred to their online contributions team. Within minutes I was talking to James and describing the issue in detail so he could forward it to an engineer. And within a day the issue was corrected and their volunteers' information was protected.

Protecting your customers' information

Why is this important to you? If you sell products or services on the Internet, you are responsible for keeping the information you collect from prospects and customers safe. Whether you hold only an e-mail address or a postal address and credit card number, that data must be protected from misuse by people both inside and outside your operation. In the case above, the missing control was authorization: the site served whatever record the URL named and never checked that it belonged to the person asking for it, and a cosmetic change to the URL did nothing to change that.

People who trust you are likely to do business with you; those who don't, won't. Do you have a privacy statement published on your website? The Direct Marketing Association offers a step-by-step form you can use to generate one.

You might also consider a machine-readable privacy policy for your website, specifically a P3P policy. The Platform for Privacy Preferences Project (P3P) is a W3C format in which a website states its privacy practices so that a browser can retrieve and interpret them automatically, in both machine- and human-readable form. There is one free privacy policy editor that I have found, but instructions for using it are lacking. Since creating a P3P privacy policy is a complex process, I'd recommend using a paid service like P3Pbuilder or P3PEdit. One caveat: the W3C has since retired P3P and current browsers do not act on it, so a P3P file is no substitute for a plainly written privacy statement or for the access controls that keep the data private in the first place.

Of course, telling your website visitors you will keep their data private and actually doing it are two different things, as we've seen. But if you tell prospects and customers what you intend to do with their data and then follow through, you build a reputation for trustworthiness that carries you a long way in a medium that often appears untrustworthy.