PRIVACY EXPECTATIONS IN E-COMMERCE (STUDY OBJECTIVE 5)

Chapter 4 described the relationship between IT risks and controls, using the AICPA's Trust Services Principles and criteria as the framework to examine risks and controls. That section of Chapter 4 provided details regarding four (items 1, 2, 3, and 5) of the five risk areas identified in the Trust Services Principles. The fourth risk area of IT systems described in the AICPA Trust Services Principles is “online privacy.” Regarding this risk area, the Trust Services Principles states that the “online privacy principle focuses on protecting the personal information an organization may collect from its customers, employees, and other individuals”¹ through its e-commerce systems. This personal information consists of many different kinds of data. The Trust Services Principles provide the following partial list of personal information to be protected:

• Name, address, Social Security number, or other government ID numbers
• Employment history
• Personal or family health conditions
• Personal or family financial information
• History of purchases or other transactions
• Credit records

In the course of conducting business with customers, an organization may have legitimate reasons to collect and keep these customer data. However, to conduct e-commerce, the organization must provide to customers a level of confidence in the privacy and security of this kind of personal information shared. To engender such confidence, the organization must demonstrate to customers that it has taken appropriate steps to ensure privacy. The Trust Services Principles explain ten privacy practices that an organization should follow to ensure adequate customer confidence regarding privacy of information, as follows:²

1. Management. The organization should assign a specific person or persons, the responsibility of privacy practices for the organization. That responsible person should insure that the organization has defined and documented its privacy practices. That person should also insure that privacy practices have been communicated to both employees and customers. Management would also include the responsibility to insure that privacy practices are followed by employees.
2. Notice. The organization should have policies and practices to maintain privacy of customer data. Notice implies that the company provides the privacy practices to customers in some form. At the time that data is to be collected, a notice should be available to the customer that describes the privacy policies and practices. Many e-commerce organizations accomplish this by providing a link on their website to privacy policies. Notice should include information regarding the purpose of collecting the information, and how that information will be used.
3. Choice and consent. The organization should provide choice to its customers regarding the collection of data, and also should ask for consent to collect, retain, and use the data. The customer should be informed of any choices that the customer may have to opt out of providing information. The customer should have access to descriptions about the choices available. The customer should also be able to read policies about how the data will be used. As in “notice” above, these descriptions usually are in the form of a link to privacy policies.
4. Collection. The organization should collect only the data that is necessary for the purpose of conducting the transaction. In addition, the customer should have provided implicit or explicit consent before data is collected. Explicit consent might be in the form of placing a check mark by a box indicating consent. Implicit consent occurs when the customer provides data that is clearly marked as voluntary, or when the customer has provided data and has not clearly stated that it can not be used.
5. Use and retention. The organization uses customers' personal data only in the manner described in “notice” from part a. on page 590. The use of this data occurs only after the customer has given implicit or explicit consent to use the data. Such personal data is retained only as long as necessary.
6. Access. Every customer should have access to the data provided so that the customer can view, change, delete, or block further use of the data provided.
7. Disclosure to third parties. In some cases, e-commerce organizations forward customer information to third parties. Before this forwarding of data occurs, the organization should receive explicit or implicit consent of the customer. Personal data should only be forwarded to third parties that have equivalent privacy protections.
8. Security for privacy. The organization has necessary protections to try to insure that customer data is not lost, destroyed, altered, or subject to unauthorized access. The organization should put internal controls in place that prevent hackers and unauthorized employees from accessing customer data.
9. Quality. The organization should institute procedures to insure that all customer data collected retains quality. Data quality means that the data remains “accurate, complete, current, relevant, and reliable.”
10. Monitoring and enforcement. The organization should continually monitor to insure that its privacy practices are followed. The organization should have procedures to address privacy related inquiries or disputes.

In summary, these practices require that a company establish, enforce, monitor, and update policies and practices that protect the privacy and security of customer information. The company should consider not only its own privacy practices and policies, but also the practices and policies of any third parties who will share information. Companies that fail to establish good policies or that fail to enforce policies have violated the ethical standards that customers expect when conducting e-commerce. The ethics-related aspects of privacy are addressed at the end of this chapter.