Tailoring your content is critical on the Web. A reader may well skip an irrelevant article in a magazine, newsletter, or newspaper, but chances are that he or she will continue reading the publication. Not so on the Web: With a seemingly infinite number of choices, readers jump quickly to another site.

To keep readers hanging around, Web publishers need to offer what author Mai-Lan Tomsen calls "killer content." Tomsen defines killer content as content so compelling that it hooks readers and keeps them coming back to the site. [1]

Web publishers have at their disposal a range of tools to help them identify and understand their audiences so they can deliver killer content to them. Unfortunately, some of those tools have led to abuses that have aroused feelings of suspicion and hostility among consumers and legislators.

In a word, the problem is privacy — or the lack thereof. During the past year, privacy issues have been at the forefront of discussions about the Internet (second possibly only to the topic of the dot-com implosion). Some surveys of consumers rate privacy as their No. 1 concern, an issue that keeps some people from going on line and others who are already on line from joining the e-commerce revolution.

A number of recent high-profile cases are no doubt to blame for some of this uneasiness. For example, Amazon.com announced Sept. 1, 2000, that it would no longer guarantee that it would not share customer data with third parties. In response, the company was slammed in the media and dropped by two privacy advocacy organizations.

Fortunately for Web publishers, many consumers are still happy to share personal information with Web sites. But, as a recent CNET News.com commentary points out,

Businesses need to remember that privacy is a quid pro quo issue, and they need to give consumers something in return for providing information about themselves. They also need to set forth clear privacy policies that comply with regulatory guidelines and set clear expectations for how information will be used. [2]

Writing in this journal, Judith A. Turner has set out the issue in stark terms:

Laws and rules aside, it's an issue of trust. ... To keep the trust that we, as publishers in the scholarly environment have built, we need to reassure our subscribers, authors, and readers as we move into new technologies. And we can reassure them by letting them know what we collect, what we do with it, and what rights they have. [3]

Searching for Guidelines

It seems reasonable, then, for any online publisher to follow regulatory guidelines. But there are no uniform guidelines at this point. While the 106th Congress made loud noises about the need to pass privacy legislation (and considered more than a dozen bills), as of this writing none had made it into law. In fact, earlier this year a report to Congress revealed that the federal government itself hasn't been able to follow its own rules on information gathering. Despite the fact that a June 2000 Clinton administration memorandum restricted the process of using electronic "cookies" to gather information about Web site visitors, dozens of federal Web sites were still using them early this year.[4]

Lacking a federal privacy policy, what's a publisher to do? One option would be to try to stay abreast of regulations being drafted by individual states. For instance, last year the Michigan attorney general formally notified several U.S. Web sites that the state was considering filing lawsuits against them if they failed to modify their privacy policies to comply with existing Michigan consumer notification laws. The state's assistant attorney general, Tracy Sonneborn, said that all Web sites serving residents of Michigan — in effect, all Web sites — would be expected to meet the state's regulations. [5]

If the prospect of trying to accommodate dozens of conflicting state standards seems daunting, consider the issue of foreign statutes. Many European nations, as well as Japan, Australia, and other countries, have developed their own standards on privacy — which again would apply to all Web sites that are accessible within their borders. To get an idea of the range of international regulations, visit the Web sites of the Privacy Exchange or Privacy International. [6]

Basic Fair Information Practices

Fortunately, most publishers will find that they are covered in most cases by posting and following privacy policies that meet four simple standards:

Notice: You should provide a clear and conspicuous notification of the type of information your site collects, how it is used, whether it is disclosed to third parties (e.g., advertisers), whether third parties collect information through the site, and how the site addresses choice, access, and security concerns. Place links to the privacy policy throughout your site, being diligent to place it on every page that requests user information. Make sure the policy is written in plain English, not legalese. And post a policy even if you don't collect personal information: Publishing a statement that declares that fact will keep visitors from wondering. (If you're wondering: JEP's not-so-easy-to-find privacy statement is at [formerly http://www.press.umich.edu/jep/privacy.html.])

Choice: You should offer your visitors a choice in how their information will be used both internally (for marketing back to the consumers) and externally (providing the data to third parties). Industry watchdog TRUSTe requires sites seeking its seal of approval to allow users to opt out of secondary uses of information; some privacy experts recommend additionally allowing users to opt out of primary uses — or, even better, requiring them to opt in.

Security: Your site must take precautions to protect the information you collect. If your site gathers, uses, or distributes credit card or other personally identifiable information, it's mandatory to encrypt it.

Access: You should offer users the chance to review the information you have collected on them, as well as to correct any errors in that information. [7]

Model Privacy Statements

While you can address those four areas in a fairly brief policy statement, privacy is one topic on which the more said, the better. TRUSTe, an independent, non-profit organization whose mission is to build users' trust and confidence in the Internet by promoting the use of fair information practices, offers its members a Model Privacy Statement [formerly http://www.truste.org/bus/pub_sample.html]. That statement covers all the points noted above, as well as a wide range of other issues.

TRUSTe's site also provides information on joining its Privacy Seal Program [formerly http://www.truste.org/programs/pub_how_join.html]. The process is simple, and the annual license fee is only $299 for companies with revenues of $1 million or less. (For larger companies, fees soar to as high as $6,999 a year.)

TRUSTe also offers its licensees the chance to join the European Union Safe Harbor Program for an additional fee. Safe Harbor membership requires a site to abide by seven voluntary principles (the four listed earlier as well as Transfers to Third Parties, Data Integrity, and Enforcement).

In addition, TRUSTe offers links to several privacy resources [formerly http://www.truste.org/bus/pub_privacy.html], but the EPIC Online Guide to Privacy Resources offers a much richer resource full of links to organizations, printed publications, U.S. privacy sites, international privacy sites, privacy tools, mailing lists and electronic newsgroups, and upcoming privacy-related conferences and events.

Many privacy experts cite the way eBay handles privacy issues as a model policy. Users are required not only to view the policy but also to agree to its terms and conditions.

Leave It to Browsers

Some parties are pushing to spread the burden of protecting privacy between Web publishers and consumers. The World Wide Web Consortium's (W3C) proposal for the Platform for Privacy Practices is the most visible initiative on that front. As W3C explains on its Web site:

P3P enables Web sites to translate their privacy practices into a standardized, machine-readable format (Extensible Markup Language XML) that can be retrieved automatically and easily interpreted by a user's browser. Translation can be performed manually or with automated tools. Once completed, simple server configurations enable the Web site to automatically inform visitors that it supports P3P.

On the user side, P3P clients automatically fetch and read P3P privacy policies on Web sites. A user's browser equipped for P3P can check a Web site's privacy policy and inform the user of that site's information practices. The browser could then automatically compare the statement to the privacy preferences of the user, self-regulatory guidelines, or a variety of legal standards from around the world. P3P client software can be built into a Web browser, plug-ins, or other software.

P3P provides information on nine aspects of privacy:

  • Who is collecting this data?
  • Exactly what information is being collected?
  • For what purposes?
  • Which information is being shared with others?
  • And who are these data recipients?
  • Can users make changes in how their data is used?
  • How are disputes resolved?
  • What is the policy for retaining data?
  • And finally, where can the detailed policies be found in "human readable" form?

Microsoft, one of the major supporters of P3P, is already building some privacy control into the latest version of its browser, Internet Explorer 6. The browser includes a "privacy thermostat" that lets users choose one of five levels of control for dealing with cookies:

  • High: Blocks all Web site cookies.
  • Medium-high: Accepts cookies from a Web site only if it has an "opt-in" or "opt-out" policy on cookies. Also accepts cookies from third-party Web sites that are partners of the host site, provided they too have opt-in or opt-out policies.
  • Medium (default): Accepts all cookies, but deletes them when the browser is closed. Also accepts cookies from third-party Web sites that are partners of the host site, provided they too have opt-in or opt-out policies.
  • Medium-low: Accepts all cookies from a host site and third-party partners, but deletes them when the browser is closed.
  • Low: Accepts all cookies. [8]

Best Practices

Despite consumer concerns about privacy, it doesn't take much to get many people to give up personal information. Offering a small premium for registration — e-mail news updates, a discount on publications or services — can make many people rethink their opposition to parting with private information. This august journal, for instance, offers readers who "subscribe" notification of each new issue. To date, more than 1,200 unique readers have signed up, handing over such intimate details as their favorite flavors of ice cream.

Finally, keep in mind that while there is no national law requiring you to have a privacy policy, but if you post one, you must comply with it. The Federal Trade Commission and a number of state attorneys general have charged several popular Web sites with unfair and deceptive practice for failure to follow their own privacy policies.

Thom Lieb is an associate professor of journalism and new media at Towson University in Baltimore. Among his courses is Writing for the Web. He is the author of Editing for Clear Communication and has written and edited for magazines, newspapers, newsletters and online publication. He holds a Ph.D. in Public Communication from the University of Maryland at College Park and a master's of science in Magazine Journalism from Syracuse University. You may contact him by e-mail at lieb@towson.edu.


1. Mai-Lan Tomsen, "Killer Content: Strategies for Web Content and E-Commerce" (Reading, Mass.: Addison-Wesley, 2000).return to text

2. Meta Group, "Commentary: Net Privacy, the Perennial Issue," CNET News.com, 9 May 2001 at http://news.cnet.com/news/0-1005-202-5877774-0.html.return to text

3. Judith A. Turner, "Privacy in the Electronic Environment: All Smoke and Mirrors," Journal of Electronic Publishing, September 1999.return to text

4. "Report: Privacy Not Protected Online," latimes.com, 17 April 2001.return to text

5. Brian Livingston, "Do Privacy Policies Really Protect You?" CNET News.com, 30 June 2000 at http://news.cnet.com/news/0-1278-211-3287300-1.htmlreturn to text

6. Michael Peck, "Crossing Borders," Publish, February 2001, p. 49 [formerly http://www.publish.com/ic_450803_6558_1-2743_138_13.html].return to text

7. Pamela Blackstone, "Making Privacy a Policy," Publish, 25 January 2001, pp. 58-59 [formerly http://www.publish.com/ic_388145_6558_1-2743_138_13.html].return to text

8. Leslie Walker, "Browser Aimed at Protecting Users' Privacy," The Washington Post, 29 March 2001, sec. E, p. 4.return to text

Links from this article:

Amazon.com, http://www.amazon.com

eBay Privacy Policy, http://pages.ebay. com/help/community/png-priv.html

EPIC Online Guide to Privacy Resources, http://www.epi c.org/privacy/privacy_resources_faq.html

JEP Privacy Policy, [formerly http://www.press.umich.edu/jep/privacy.html]

Platform for Privacy Practices, http://www.w3.org/P3P/

The Privacy Exchange, http://www.privacyexchange.org

Privacy International, http://www.privacyinternational.org/survey/

Safe Harbor, http://www.export.gov/safeharbor/

TRUSTe, http://www.truste.org

  • TRUSTe's Model Privacy Statement [Formerly http://www.truste.org/bus/pub_sample.html]
  • TRUSTe's Privacy Resources [Formerly http://www.truste.org/bus/pub_privacy.html]
  • TRUSTe's Privacy Seal Program [Formerly http://www.truste.org/programs/pub_how_join.html]