ETHICAL ISSUES RELATED TO E-BUSINESS AND E-COMMERCE (STUDY OBJECTIVE 11)
Companies that engage in e-commerce, B2C sales with consumers have the same kind of obligations to conduct their business ethically as companies transacting business any other way. However, the lack of geographic boundaries and the potential anonymity of Web-based commerce suggest that B2C companies have an even greater necessity to act ethically. A customer who orders merchandise or services on a website may not be able to easily assess the ethics or trustworthiness of a company who sells online. For example, if you buy a defective or spoiled product from your local grocery store, you can simply return it quickly. Your grocery store has a local presence, and you buy there because you know the company is real and trustworthy. However, anyone can establish a website that looks like a bona fide company, but may be just a false storefront used to defraud customers. In B2C e-commerce, customers do not have the same capability to visit and become familiar with the company as they do when they are buying from a local store.
In a previous section of this chapter, the “Online Privacy” section of the AICPA Trust Services Principles was described. For the most part, these types of practices are an ethical obligation, but not necessarily a legal requirement. For example, there is no legal requirement to disclose privacy policies on a company's website. However, ethical obligations would suggest that customers should be so informed regarding customer privacy. The practices described in the Trust Services Principles are more than good business practices. The online privacy policies represent ethical obligations to customers. As a reminder, the privacy practices include the following concepts:
- Management
- Notice
- Choice and consent
- Collection
- Use and retention
- Access
- Onward transfer and disclosure
- Security
- Quality
- Monitoring and enforcement
These principles can be distilled into the ethical concept that management has an obligation to treat customer information with due care. Companies should honestly and fully disclose to customers the information they will collect and how they will protect it, use it, and share it. Management has an ethical obligation to create and enforce policies and practices which ensure that private customer data are not misused. Unfortunately, the profit motive sometimes leads management to focus too much on potential revenue and not enough on customer privacy.
When a customer engages in e-commerce, she is sharing data such as name, address, e-mail address, credit card number, and buying habits. These data have potential value to many other companies and are sometimes sold to other companies. You may have even received a mail or e-mail solicitation and wondered how that company ever came to know your name and address. This might mean that your name and address have been sold to another company or shared with a related company or subsidiary. There are many, many examples of companies who have compromised customer privacy to earn revenue. Customer lists or other private data about customers are a valuable resource. Too often, companies are willing to sell or share customer lists or customer data. In some cases, companies have no policies about the privacy of customer data and are thus willing to sell or share the data. In other cases, companies with policies regarding the privacy of customer data have violated their own policies.
THE REAL WORLD
Gateway Learning Corporation, the company behind Hooked on Phonics®, was charged by the Federal Trade Commission with deceptive and unfair practices. Starting in the year 2000, Gateway disclosed a privacy policy on its www.hop.com website stating that it would not share customers' personal information with any third parties without explicit consent from the customer.
In April 2003, Gateway allegedly began violating this policy by renting to telemarketers customer information such as name, address, phone number, age, and gender of children. A retroactive change was posted to the company's privacy statement on its website.
To settle this charge out of court, Gateway was required to pay a fine, was restricted from using deceptive claims regarding its privacy policy, and cannot materially change its privacy policy without customers' consent.8
While there is no requirement to disclose a privacy policy on a website, it is an ethical obligation to disclose and follow the policy. Moreover, when a policy is disclosed, the Federal Trade Commission holds companies to a legal standard of following their stated policy.
There are also regulations passed by the U.S. government regarding the privacy of medical information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes a section on the security of health care information. The Act requires health care providers, health plans, hospitals, health insurers, and health clearinghouses to follow regulations that protect the privacy of medical-related information.
As the issue of consumer privacy continues to become more important, there may be new regulations and requirements affecting companies. Even if there were no new regulations, ethical obligations would dictate that companies take adequate care to guard the security and privacy of data collected through e-commerce.