IBM: A Pioneering Advocate of Online Privacy

Initiating a uniform and consistent online privacy policy is a daunting task for any large organization. Enforcing that policy in a meaningful way, more daunting still. Maintaining that policy worldwide across approximately 400,000 Web pages, well, that's almost Herculean.

But, then again, we're talking about IBM.

The venerable computer giant has not only made online privacy a company-wide priority, it has also taken a leadership role in encouraging everyone doing business on the Web to follow their example. And for good reason. A huge majority of Americans have concerns about Internet privacy. If left unaddressed, these concerns have the potential to stymie the explosive growth of e-commerce. Federal online privacy legislation also looms on the horizon, not to mention the fact that IBM's own fiercely protected brand name and image is on the line.

A recent IBM survey of consumer perceptions toward online privacy drives home the importance of this issue. Conducted by Louis Harris & Associates, the survey showed that of the more than 3,000 respondents in the United states, the United Kingdom and Germany, only 10 to 12 percent were confident that Internet businesses were handling their information securely. Forty percent of those polled have, at some point, decided not to purchase something online due to privacy concerns. Clearly, there's a gap in confidence that needs to be filled.

Privacy Pioneer
On IBM's part, the company has been actively addressing privacy issues internally since the early 1970s, and was actually one of the first companies to put a privacy notice up on its Web page. That was close to three years ago. The company has tinkered with its Web page since then, for example, adding information on "cookies" technology. But, essentially, IBM's privacy policy is driven by the philosophy of disclosure and informed consent.

Harriet Pearson, IBM's director of public affairs, puts it this way: "You may give me information when you register, or I may use technology like cookies to follow your browser's movement through my site-but I want you to know that I'm doing it and that I'm offering you a choice as to whether or not we share that information." Today IBM's privacy policy statement appears in five different languages across the globe. It varies in content only slightly in accordance with local regulations, for example, to comply with the European Union's Data Privacy Directive.

IBM is also active in a number of industry groups like the Online Privacy Alliance, a coalition of more than 90 global corporations and associations-including some of the biggest names in U.S. business and e-commerce-which promote self-regulation of privacy in electronic commerce. As a member of the Alliance, IBM encourages other companies to adopt and post a privacy policy as one of the key things the private sector needs to do to create a credible system of self-regulation. In addition, IBM will only place its advertisements on Web sites that have a privacy statement.

IBM's own online privacy strategy was developed in accordance with the five principles outlined by the Alliance. These five principles are described in detail on the Alliance's Web site at and are summarized below:

1. Adoption and implementation of a privacy policy that takes into account consumer anxiety over sharing personal information online.

2. Notice and disclosure of information collection and use practices.

3. Choice and consent to give users the opportunity to exercise control over their information.

4. Data security measures to help protect the security of personally identifiable information.

5. Quality and access assurances that the data is accurate, complete and timely for the purposes for which it is to be used.

Monitoring Compliance
Like many companies interested in furthering trust on the Web, IBM is also a

member of a "seal" program. A seal program consists of an independent third

party-like TRUste and BBBOnLine-which monitors a company's compliance with

its own stated privacy policy. One of the first supporters of TRUste, IBM displays its seal on the company Web site. Somewhat like a "good housekeeping" seal, the TRUste seal signifies to visitors that the site adheres to established privacy principles and has agreed to comply with TRUste's oversight and consumer resolution process.

TRUste monitors IBM and all of its licensees for compliance through a variety of means:

1. Initial and periodic reviews of the site by TRUste.

2. "Seeding," whereby TRUste tests its licensees by submitting personal information online to verify that a site is following its stated privacy policies.

3. Compliance reviews by a CPA firm.

4. Feedback and complaints from the online community.

5. Use of a click-to-verify seal to deter piracy of the TRUste seal. (Clicking on the seal takes the user to TRUste's secure server and verifies that the site is indeed a legal licensee of TRUste.)

"We do ongoing maintenance to make sure the policy is followed," says Pearson. "All of our webmasters have to monitor it." In fact, IBM's digital space has become so important and complex that there is a person within the company's corporate marketing department whose sole function is to formulate customer information policy.

If consumers perceive that a site may not be in compliance, they are required to contact the Web site first to resolve the issue, and TRUste provides them with a Watchdog Report for communicating their complaints or concerns. If they don't receive satisfaction, TRUste will serve as liaison between the consumer and the site, working with both parties for resolution.

If a site fails a compliance review, or if TRUste has reason to believe that a site isn't following its stated privacy policy, TRUste will conduct an escalating investigation which may include an on-site compliance review by a CPA firm. In the case of extreme violations, the matter may be referred to the appropriate attorney general's office, the Federal Trade Commission or the Consumer Protection Agency.

Compliance Between Partners
Of course, privacy is more of an issue in the context of a business-to-consumer relationship because, in a business-to-business context, partners can agree in advance what information they are going to share. Since IBM markets its products through business partners, its Web site is not consumer-oriented. "You can't go on and shop for Thinkpads," notes Pearson. What a consumer can do is register to receive mailings--either hard copies or e-mail. IBM uses the information gathered for traditional direct marketing purposes and to target ads. In a business-to-business context, that type of information is used to have people sign up for marketing programs.

Even with the best efforts to put a privacy policy on every e-business Web site, worries about online privacy won't disappear overnight. But in the long run, as more and more companies like IBM commit to fostering consumer confidence in the Internet, online commerce-and bottom line profits-will continue to grow and thrive.

CRM Covers
for qualified subscribers
Subscribe Now Current Issue Past Issues