Respecting user privacy, Part 3

This article first appeared on IBM developerWorks.

Don't just implement effective policies -- stick with them!

Peter Seebach

April 2001

Last time, we examined why it's critical to have effective privacy policies in place, and what goes into one. Here, we add a few more suggestions for implementing policies that work and discuss the importance of sticking by your policy.

Now for the hardest part: You have to stick with your policy. You have to mean it. If you say you won't send people marketing e-mail, don't send it to them and then say "Sorry, that wasn't marketing -- that was an administrative notice, but we tacked an ad onto it." Just don't send it. The customers will not appreciate the fast talk.

...of course, if you have a good enough excuse, you might get away with it. Does it strike you as odd that people think in terms of getting away with a policy? We talk about maintaining a relationship with the customer. We talk about customer loyalty. Loyalty? Does loyalty involve clever use of language designed to make people give up and not try to understand their relationship with us?

The customer is always right

You can ignore all of this; you can fast talk customers, you can call them for another week after they ask you to stop, you can sign them up for a list "because of their past interest." But remember this: For every sale you get by pushing the envelope, you will lose a customer -- not just a single sale, but a customer, a person who might have developed a lasting relationship with your business. If you take "four to six weeks" to process opt-out requests, as so many companies do, the people who keep getting those ads are not looking at them longingly and with regret, thinking to themselves, "My God, this could be the last catalog these people ever send me. After all we've been through together! No, it is unbearable; I must go to the post at once, to rescind my ill-considered opt-out request." No, they are thinking "My God, how hard can it be to click three buttons on a computer!" (Many of my readers will doubtless be aware that, with modern technology, it should take four to six seconds to process an opt-out request.)

Opt-out = cop out

Many industry groups (such as the Direct Marketing Association) have tried to push the opt-out business model -- in which you get spammed until you say uncle. It doesn't work. Indeed, in early meetings with anti-spam community members, the DMA leadership agreed that opt-in (in which customers are not put on a list until they ask to be included) was clearly technically better. Unfortunately, opt-in works just fine without the DMA. It's only when people are bombarded, constantly, with junk that the DMA's function of preserving your "right" to bombard them becomes relevant. When companies use opt-in methods, the complaints evaporate -- and with them, the need for lobbyists to preserve the "right" to do the things that used to generate those complaints. So, the DMA is pushing opt-out and recommending "standards of behavior" that are carefully designed to push the envelope.

Imagine, for a moment, a company sexual harassment policy based on the DMA's marketing standards. Think about all the implications of it. Now, go ahead and laugh a little. Does this trivialize sexual harassment? I don't think so; privacy is privacy. Invasion of personal space, stalking, and harassment are abuse no matter what the goals are. The question is always, "Are you in my personal space without my permission?"

Seal programs

A "seal" program is one in which an organization's members are required to display a seal indicating membership in the organization, which is expected to demonstrate adherence to certain principles. In practice, seal programs are driven by dues paid, not by actual adherence to principles.

Don't rely on seal programs: Many consumers have been burned often enough by "certified" privacy programs that they will assume you have problems that you are paying to cover up. As of this writing, I am not aware of a major online seal program that has ever, even once, revoked seal privileges, but I'm aware of dozens of complaints that I think should merit careful examination. A privacy seal, in the end, means only that you pay dues for a seal. It doesn't mean your policy is any good, it doesn't necessarily even mean you follow your policy, and the really good policies -- offered by companies that truly stick with them -- almost never have seals. Consumers aren't dumb, and you can safely assume that many of them are aware of this.

Playing games

What you can get away with is not the same as what you should do. To build lasting relationships with your customers, you need to offer them attractive terms, and you need to stick by those terms forever. If you build a good relationship with customers, they will ask you to add them to mailing lists, they will ask you to recommend products from marketing partners, and they will stand by you forever. If you play games with them, they will play games with you. Games like, "Hi, this is Bob, and I just wanted to let you know that I just spent $15,000 on a competing product. Just wanted to thank you fully for that wonderful series of spams you sent last October. Take care!"

If you stick with these basic principles, your policy will practically write itself. You may have to come up with some wording to explain that the company that does your mailings may temporarily have customer addresses; if you plan to outsource, be sure to include that information. The policy should be short, it should be clear, and customers should feel safe with it. They should be safe with it.

This week's action item: Talk to people in your company about doing something that blatantly violates your privacy policy. See if they try to stop you. If they don't, find out why.


About the author

Peter Seebach has been having trouble navigating through badly designed pages since before frames and JavaScript existed. He continues to believe that, some day, pages will be designed to be usable, rather than being designed to look impressive. You can reach him at