By law, majority of business institutions are required to provide their customers with information regarding their privacy policies on an annual basis. Business institutions are prohibited from sharing nonpublic personally identifiable customer information with non- affiliated third parties, unless consumers are clearly provided with an opportunity to opt-out. However, there have been concerns among people, as the opt-out process is time consuming for many individuals and in some cases privacy notices have been found too difficult to understand. Customers also indicate that current privacy notices are too long, contain too much legal jargon, or are too hard to read.
The privacy notices that business firms traditionally send to their customers are not new, however, with the growing explosion of the information systems and the Internet, the federal agencies have begun to question whether the traditional types of the privacy notices are adequate or there is a need to revamp the notices given to the consumers. But executives at banks, thrifts, and credit unions argue that their institutions have already invested time and money in creating notices that comply with the law and therefore changing the format of privacy notices now would render that work irrelevant and add cost to the consumers. They argue that change in the privacy notice would be a waste of time and money.
Examples of Privacy Notices
State agencies generally regulate rules on privacy law. Because of the different kinds of privacy notices that are delivered to consumers, there has been a push toward the uniformity. Presently, the complaint is that most of the privacy notices are long and require the customer to fill the form or call a telephone number for opting out. This has created too many variations in the privacy notices. Toward this end, state agencies are claiming that uniformity in the notices makes it easier to compare and monitor privacy policies. State agencies have suggested three formats: first, the use a simple format in which a business would list a data-sharing practice and indicate with a "yes" or "no" whether it engages in that practice. A second suggestion relies on the use of a template, in which a bank could describe its practices and specify what information is collected and how it is shared, and how a consumer can contact the department that oversees privacy. The third model tells consumers that they can ask their companies not to share their data with other companies and would offer them two "opt-out" options: One would bar the organization from sharing information with outside companies, and another would bar it from sharing with affiliates. However, many consumer advocates argue that each of the suggestions has a fatal flaw: They encourage customers to opt out. And this is a big shortcoming, because majority of consumers do not pay any attention to privacy notices, and even if they read, they forget to contact their companies because often the number provided by these companies are either busy or none is available to record their choice on the opt out (Linder, 2004).
Though the Financial Services Modernization Act, also known as the Gramm-Leach-Bliley Act of 1999, opened the door for financial services companies to merge and create partnerships with each other and other types of businesses. In response to consumer criticism and numerous lawsuits alleging serious privacy violations, the act included a provision aimed at protecting consumer privacy. This provision was supposed to allow consumers to bar these companies from sharing their names, addresses, social security numbers, account balances and other personal information (Lee, 2002).
Certainly, companies are working hard to comply with a bewildering array of fast-changing regulations that are under the preview of state, federal, international and industry-specific privacy rules. Writing a standard privacy notice that summarizes all regulatory and legal requirements can be a huge challenge for the companies. Privacy notices, which are required in every state, spell out clearly company's policies for handling personal data. Several laws require companies to clearly articulate what they can or can't do with confidential information. But differing requirements make it hard to draft a standard policy. For instance, many states still use privacy provisions from a 1982 information practice act that requires insurance companies to use specific phrases -- relating to how information might be shared for law enforcement purposes. Some other states require that companies include opt-in policies in their privacy statements. Opt-in policies require companies to seek and receive a user's permission to collect and use personal data.
To comply with private data, companies are required to establish a detailed inventory of all sensitive data everywhere in the corporation, review all controls relating to the use of that data and set up controls and procedures to protect the data. For example, several companies have built a database that consolidates customer information from multiple applications and production systems. Each customer record in the database has an embedded "privacy indicator" that describes in detail that customer's privacy preferences (Vijayan, 2004).
The goal is to make sure that a customer's privacy preferences are always respected, regardless of which application is accessing the customer data. However, the laws on the privacy issue are vague. For example, companies in many states are required to "encrypt" data, but it doesn't specify the level of encryption required. Similarly, the law requires companies to inform customers of any "unauthorized access" to their data but doesn't define what constitutes unauthorized access. As a result, companies may decide to do the very minimum and comply with the letter of the law to provide the protection that the spirit of the law was meant to address.
As privacy is often defined as the ability of individuals to exercise control over the disclosure and subsequent uses of their personal information, privacy notice is fundamental to the individual's ability to protect his or her privacy. The representations that organizations make about their information collection and sharing practices provide the basis for consumers to make informed decisions about whether or not to disclose their personal information. The use of notice alone does not insure that an organization abides by its policy or observes fair information practices, or that individuals can pursue a complaint against the organization (Vijayan, 2004). It is nonetheless the key anchor of the fair information practices of notice, choice, access, security and enforcement, as without notice, individuals have no knowledge about the organization's information practices and no basis for deciding whether or not to interact with the organization.
Benefits and Present Environment
With the heavy use of the Internet, companies doing business electronically are required to fill Web-based self-assessment forms that show how they are going to use privacy practices and sort them into separate risk categories. Depending on the sensitivity of the information being handled, the companies are required to implement stronger privacy policies. Each company also needs to submit to regular privacy audits.
There are several advantages to the companies by using the privacy notices. First, the companies can create powerful trust with their customers. The use of the trust has been a useful catalyst for increasing the business with the customers. In some situations, trust has also been found to create long-term relationships with the customers. When customers become certain that their private information is safe and it would be not shared with others, they become more confident of the company's lawful practices, which, in turn, may lead loyalty between the company and the customers.
It is true that with the advent of the Internet, there have been several attempts to hack the private information, it, nevertheless, does not mean that consumers should not take the advantage of convenience of doing business electronically. Certainly, the federal rules are required be enforced vigorously and those companies that violate the customer trust should be brought to the justice as mandated by federal government under the liability suits. However, at the same time, when customers begin to trust companies and willingly share their preferences and interests to the companies, they can gain the advantages of customization. This is useful not only to companies as they can track the customer interests and preferences to suit their choices in products and services, but also becomes useful to customers as they can gain the advantages of the convenience.
In a technological environment, the first step for a business is to build links among the business units' databases to create a consolidated view of its customers across the different divisions. The second step…