Don’t Be Like Facebook: Make Your Privacy Policies Clear and Respectful

Last spring, Facebook set off a firestorm by launching an “innovation” that allowed other selected websites to post the personal views of its members without their explicit consent.Consumer activists howled. High-profile members publicly deleted accounts. Politicians rode to the rescue. “Social networking sites have become the Wild West of the Internet," declared Sen. Charles E. Schumer, D-N.Y., calling on Facebook founder Mark Zuckerberg to give users more control over their personal information.Amid the outrage, a news report dryly noted that Facebook’s privacy policy ran some 5,830 words, or more than the entire Constitution.Facebook quickly deep-sixed the new feature. But the company is still playing defense when it comes to its privacy policies and settings.Facebook’s pain ought to be your gainSuch missteps are a timely object lesson. Puncturing customer confidence in your ability or willingness to safeguard personal data can lead to troubling consequences. “It can hurt your reputation and cut into your revenues,” says Jeff Johnson, an intellectual property lawyer at Pryor Cashman LLP in New York City. Plus, bad raps have a way of going viral. Says Johnson, “It can quickly circulate to a large segment of your customer base.”Now would be the right time to set a clear privacy policy. Just make it short and straightforward. “Too often policies are written in legalese,” says Jonathan Askin, professor at Brooklyn Law School. “Instead, state the policy in clear terms that are readable and understandable.” Askin also advises providing a reference or link on your home page.

Effective privacy policies are easier than you thinkA good policy isn’t complicated. “Respect for the customer needs to be first and foremost,” advises Marilyn Prosch, professor at Arizona State University’s W.P. Carey School of Business. For an overview, she suggests reviewing the 10 principles covered by the free Privacy Risk Assessment Tool offered by the American Institute of CPAs.But one size won’t fit all. The following steps can help you create a policy appropriate for your business:Categorize your data. Certain types of information are more sensitive than others. For instance, capturing info like buying habits or brand preferences is unlikely to raise many customer hackles. A user’s personal diet plan, on the other hand, needs discreet handling. And personal financial and health data require rigorous legal protection. So the strength of your practices should be dependent on the data you capture and store. Don’t forget archives of e-mail, texts and instant messages when making these assessments.Define the information you really need. Frequently, companies collect way more data than necessary, provoking customer resistance, data storage expenses and security headaches. Also, there’s no need to retain everything. When you no longer need information, dispose of it securely — and let your customers know that you do.Limit access to as-needed information. For example, workers who fulfill orders on the warehouse floor don’t need customer credit records to do their jobs.Establish easy ways to update records. Let customers know how they can change preferences or information easily. Procedures need not be elaborate. Many small businesses can simply ask customers to contact them with changes.Determine what’s legally necessary. Businesses of all sizes and in every industry increasingly must comply with an array of state and federal regulations, many of them industry-specific. While privacy regulations vary, most laws share such elements as identity verification, information access and audit-trail reporting. Major federal laws include the Health Insurance Portability and Accountability Act of 1996, which applies to health care organizations, and the Gramm-Leach-Bliley Act of 1999, which affects financial institutions. State requirements may differ.If regulations seem onerous, consider an online privacy service. For example, Neal Creighton, CEO of RatePoint, a Needham, Massachusetts-based social media service for businesses, says TRUSTe can manage data and compliance for about $500 a year, a move that could even bolster your reputation for privacy compliance.Appoint a serious watchdog. Put a senior manager in charge of monitoring practices. Why? A 2009 survey of nearly a thousand businesses by the Ponemon Institute, a privacy consultancy based in Tucson, Arizona, found that 69 percent of employees copied confidential information onto USB memory sticks, even though most company policies forbade it. More than half downloaded personal software onto company PCs. More than four out of 10 (43 percent) said they’d lost or misplaced portable devices that held sensitive company data. Effective policies need high-level oversight and policy enforcement.Invest in training. Employees and key independent contractors should be knowledgeable about your privacy practices. Don’t forget telecommuters and outside services, such as accounting, advertising and PR agencies. Set up regular training and monitoring checks, or perhaps a quarterly review. Arizona State University’s Prosch suggests affordable outside training seminars, such as those offered by the International Association of Privacy Professionals.In the end, if you set, communicate and enforce rigorous and clear privacy standards and, wherever possible, put customers in control of their personal data, you’ll likely be rewarded with more information and stronger customer relationships.Joanna L. Krotz writes about small-business marketing and management issues. She is the co-author of "Microsoft Small Business Kit" and runs Muse2Muse Productions, a New York City-based custom content provider.