Toysmart.com and Borders.com came to a fork in the road that winds through the privacy jungle, and chose different paths.

The toy e-tailer went to the left, and ended up being prosecuted by the Federal Trade Commission (FTC) for, among other things, data-privacy violations and deceptive trade practices. Bricks-and-mortar bookseller Borders.com took the right path, taking a hard line on consumer privacy. "Our privacy statement says we will never sell or rent customer data, and we've adhered to it," says Rich Fahle, content manager for the company's Web site. By doing so, Borders.com put itself in a good position to fend off accusations of privacy malfeasance.

Times have never been tougher for e-businesses dealing with data privacy and security issues. The ease with which user preferences can be tracked and a big push to personalize the consumer's Web experience has prompted Congress to pass strict new laws, the first salvos in what could be a barrage of privacy legislation this year.

But Web-enabled businesses can steer clear of the privacy quagmire by becoming familiar with privacy laws (both those currently on the books and coming down the pike) and following basic privacy guidelines in Web development. A new breed of software that lets companies personalize their content without trampling on visitors' privacy can also help keep the lawyers at bay.

Getting the lay of the land

Grasping existing data-privacy laws and the potential consequences of pending legislation is an essential first step in crafting an effective privacy policy. Section 5 of the Federal Trade Commission Act gives that agency broad powers to investigate and prosecute deceptive and unfair trade practices, including invasions of privacy. The FTC used this 65-year-old law to prosecute GeoCities in 1998 (the first prosecution of an Internet business site), and Toysmart last year, among others. More recent legislation includes the Children's Online Privacy Protection Act (COPPA), and the Graham-Leach-Bliley Act.

COPPA, enacted in 1998, requires operators of children's Web sites to obtain parental consent before collecting information from minors. Kids' sites must also give parents total control over information obtained on their child, and post a clear notice describing how that information will be used. The 1999 Graham-Leach-Bliley Act obliges any financial Web site that asks for identification during a visit--either directly or indirectly--to clearly state the company's privacy policy. It also bars financial institutions from sharing customer information with marketers without the person's consent.

Data miners and consumer profilers aren't likely to catch a break on Capitol Hill anytime soon. William B. Baker, a data-privacy specialist and partner at Wiley, Rein & Fielding, a Washington, D.C. law firm, advises Web enterprises to keep a sharp eye on the 107th Congress. Of the 30 pieces of data-privacy legislation that died in the 2000 session, these four are among those likely to be re-introduced:

Internet Growth and Development Act--would require commercial Web site operators to provide notice of their collection, use, and disclosure policies regarding personally identifiable information.

Privacy Commission Act--seeks to create an 18-month commission to study privacy issues, including those associated with the Internet.

Electronic Rights for the 21st Century--a broad-based electronic-privacy bill that focuses on government access to information.

Internet Integrity and Critical Infrastructure Protection Act--would restrict the legal or illegal collection, use, and disclosure of personal information by Internet sites.

Choosing the right path

Getting bushwhacked by privacy issues can be a humbling and expensive experience. Just ask Toysmart. The now defunct e-tailer's Web site explicitly stated that the company would never divulge information gleaned from visitors to any third party. But after filing for bankruptcy, Toysmart tried to sell its store of consumer data to the highest bidder in an effort to raise cash. In the end the FTC forced Toysmart to comply with the privacy pledge it made to its customers, prohibiting the sale of customer lists.

What can you do to avoid Toysmart's fate? Offer "notice, choice, access, and security," Baker says, echoing the FTC's recommendation that Web sites provide consumers with clear and conspicuous notice of their information practices, choices as to how their personal information is used, access to that information, and assurance that their data are secure. Baker advises his clients to post a privacy policy on their sites, for business as well as legal reasons. "There are a number of studies that show that sites without privacy policies are viewed less favorably than sites that have them," he says. "Also, there's a decent chance that in the near future businesses will be required to have one."

Melise R. Blakeslee, a data-privacy attorney and partner with the international law firm McDermott, Will & Emery, warns against making sweeping statements in a privacy policy that make you a liar in the eyes of the FTC or U.S. attorney general. The term "third parties," for example, can encompass a wide range of entities, some of which may indeed have access to customer information. "If you're using a third-party hosting company who reviews personally identified information to gather reports, even though that information is for the site owner, it is a third party," she explains.

Fahle of Borders.com has taken that advice to heart. Not only does Borders.com categorically refuse to sell customer information to anyone, but it also makes third parties with whom the firm has relationships comply with its policy. "We can't say to our customers, 'trust us,' and then turn around and deliver them to a retailer that misuses that information," he says.

Blakeslee also points out that no Web site is hack-proof. Because all data is potentially vulnerable, no privacy policy should state that consumer information is and always will be secure. That's tempting fate, and lawsuits. She recommends inserting a "hack-attack caveat" into a privacy statement: "Despite our security efforts, TrustUs.com, its affiliates and their service providers do not represent, warrant, or guarantee that personal information will be immune from unauthorized third-party access, misuse, or alterations...." or words to that effect.

In addition, a business should provide its customers and subscribers with easy access to their own personal information, and state clearly what it intends to do with that information. Visitors should also be able to choose whether or not to allow personal information to be used in that manner. "For example," Baker says, "a Web site might say, 'We want to sell our customer list to a vendor. Would it be OK for us to do that?'"

Finally, privacy statements need to describe the method, process, and technology used to safeguard consumer information gathered from a Web site. Data encryption and databases maintained behind firewalls can shield customer data against theft and tampering.

Survival tools

Businesses aren't without resources in their efforts to comply with privacy laws and allay the fears of consumers. New services and technologies have sprung up to help companies win the confidence of site visitors and gather customer intelligence without breaking the law.

Baker is a big proponent of privacy seal programs such as BBBOnline, TRUSTe, PrivacyBot.com, and PricewaterhouseCooper's Better Web Program, which give shoppers an extra level of comfort on the Web. Sites that participate in one of these programs must observe rigorous data privacy standards in order to receive a seal of approval. Most seal programs incorporate a mechanism for consumers to file and resolve complaints.

Privacy-savvy personalization software satisfies e-marketers' craving for customer data while giving individuals a measure of control over that information. New York City--based YouPowered Inc., which describes itself as the "leader in permission-based personalization," offers three products designed to lead companies out of the privacy thicket: SmartSense, Consumer Trust, and Orby Privacy Plus. Installed on a Web server, SmartSense follows user preferences in tracking user activity at a variety of levels (site-specific, entire Web, etc.), and generating detailed summaries of site activity.

Consumer Trust lets Webmasters visually map their privacy policies to The Platform for Privacy Preferences Project (P3P), an emerging industry standard for consumer vetting of Web privacy policies. The software provides detailed information about how a site's privacy policy stacks up against P3P standards. Orby Privacy Plus, a free download, is the client-side complement to SmartSense and Consumer Trust. Orby users can review their personal information maintained on a participating site, indicate what information they're willing to have tracked, and evaluate a Web site's privacy policies.

Borders.com doesn't use YouPowered's software, but Fahle says he understands the balance such tools try to strike in the right-to-market vs. right-to-privacy debate. "We're looking for ways to let the customer customize our site," he says. "We want to give more control and power to the customer...to provide them with the tools and flexibility to shape their shopping experience into whatever they want." But, he adds, Borders also wants them to know "we consider our relationship with our customers sacred."

Cary Griffith is president of The Electronic Book Co., a Minneapolis-based new media firm. Look for his monthly Web Site Advisor column in ComputerUser magazine.