Making a privacy statement

RealNetwork, DoubleClick, Amazon. What do they have in common? All have weathered some serious privacy concerns. You can't go a week without reading about a privacy brouhaha somewhere on the Web.

With all that in the news, it's no wonder online privacy — or rather, the lack of it — has Internet shoppers spooked. A new Business Week/Harris poll lays it all on the line: Some 41 percent of online shoppers say they're very concerned about how personal data is used, up ten points in the last year. And of those who haven't bought online, the numbers are even larger: 63 percent say they're very concerned. Privacy's the number one reason why people are staying off the Internet, ahead of such things as cost and concerns about the technology.

This is not good news for your business's e-commerce efforts. But you can do something that, according to that same poll, will help sooth your customers' fears: provide a policy that guarantees the security of consumers' personal data.

Your small business may not collect huge quantities of data that the big-name sites regularly gather, but that shouldn't stop you from deciding on a privacy policy, and putting it down for all to read on your Web site.

Spell it out

When customers arrive at your Web site, they'll want to know what you plan to do with any information you collect. You'll want to tell them two things:

What you're collecting, in detail.

If you're tracking them with cookies, say so. If you're only asking for their name and e-mail address as part of a registration, tell them that, too.

What you're going to do with that data.

This is even more important. Everyone coming to your site to shop or just sightsee wants to know how their information will be used by you or someone else. Go into detail so that there's no misunderstanding between you and your customers. If you want to use their e-mail address in order to contact them periodically with a sales newsletter, tell them. If you'll sell the information to another party - typically a list provider - tell them that as well. Full disclosure is the best policy, by far.

Let them opt out

Don't force customers to either love your site or leave it. No matter what information you collect, give them a choice about how theirs will be used and ask their permission.

The simplest way to handle this is with an opt-in box or button. Let's say you've created a registration page where you ask for a name and e-mail address. At the bottom of the page, place a pair of check boxes labeled "I'd like to receive e-mail related to sales and specials" and "I do not want to receive e-mail."

Draft a privacy policy

With these parameters in mind, your next job is to craft your site's privacy policy. For ideas, take a spin through some of your favorite major commerce sites to scope out their privacy policies. Most sites provide a link on the front page, usually buried near the bottom. You may be able to glean an approach that fits your business. For an example, take a peek at eBay's privacy policy. It covers all the bases by not only telling users what's collected and how that information will (or may) be used, but when and why that information may be disclosed to others. For example, although eBay says it doesn't sell or rent any personally identifiable information about its users, its policy spells out the specific circumstances in which some data may be divulged.

You can also start fresh by coming up with your own policy, but that's a daunting task for a small business. If you have a do-it-yourself attitude, get a running start by looking at this model privacy policy from the TRUSTe site (also available in Microsoft Word format from here). BBBOnline, a Better Business Bureau-sponsored program, also provides a sample policy. Both example policies include the necessary basic sections, from a general statement why that you're disclosing your policy to instructions on how users can access or correct the info they've handed over.

Or you can generate a customized policy by walking through the make-a-policy wizard available on the Direct Marketing Association's Web site. Essentially a multiple-choice Q&A, the wizard asks you to respond to statements such as "The information we collect is..." by clicking buttons labeled "used for internal review and is then discarded" to "shared with other reputable organizations to help them contact consumers for marketing purposes." When you're through with the wizard, you end up with a page that you can post to your site.

You've gone to a lot of trouble to draft and post a privacy policy on your small business's Web site, so don't hide your light under a basket. Make it clear to customers that you're doing your part to allay their worries. You can do that any number of ways, including bringing the link to your privacy policy up higher on the page so it's prominently displayed.

Another route: slap a symbol on your site that lets customers know you're playing by the rules. Both TRUSTe and BBBOline, for instance, have programs in place that allow you to display such symbols. TRUSTe's program runs $299 a year for businesses with annual revenues under $1 million, while BBBOnline's costs $150 for firms of the same size, plus a one-time $75 registration fee. Be aware that there's paperwork and time involved: both organizations conduct an evaluation of your privacy policy before letting you join.

But with privacy concerns so important to consumers, can you afford to let this slide? I don't think so.