HOW TO
How to Build a Small-Business Web Site, Part 10: Minding Your Privacy Ps and Qs

This is the tenth in an ongoing series on building a Web site for your small business. Part 1 looks at essential elements of a business Web site. Part 2 offers basic site design guidelines. Part 3 tackles some advanced design issues. Part 4 examines social media tools for building traffic. Part 5 compares outsourcing against doing maintenance work in-house. Part 6 offers tips on marketing your site. Part 7 covers analytics for measuring effectiveness. Part 8 delves into content management issues. Part 9 investigates security and transaction processing.

At a time when identity theft is a common concern, protecting the personal information of anyone visiting your Web site is something that every business should be thinking about.

While legislation may vary from state to state in terms of how much you're required to do to protect your customers' personal information, putting measures in place -- and letting your customers know you have done so -- is good for business, pure and simple.

Securing Customer Trust

"Customers rate privacy and security very highly according to our research," Carolyn Hodge, vice president of marketing for TRUSTe, an online privacy specialist, told TechNewsWorld. "And sharing personal information is the No. 1 reason consumers do not complete their purchases online."

In spite of this lack of consumer confidence, it appears that small businesses aren't that diligent about putting the necessary privacy measures in place. A recent TRUSTe survey, in fact, showed that 56 percent of small-business owners with Web sites admitted to having no privacy policy on their sites. Of those that did, one-third "cut and pasted" their privacy policy from somewhere else.

Other surprising results from the survey:

• 21 percent of small businesses don't know if they have encrypted pages on their Web site.
• 30 percent admitted they didn't know if they were PCI (payment card industry) compliant.
• 79 percent of businesses that are aware of trustmarks don't display them on their sites.

Checking the Blind Spots

Avivah Litan, a senior analyst with Gartner (NYSE: IT) Research, said that one of the reasons businesses may be lax in their privacy practices is that the laws protecting PII (personally identifiable information) data are inconsistent. "There is a lot around debit and credit card data with the PCI standards. But when it comes to collecting people's names, address, driver's license or Social Security numbers; it's dealt with at the state level [for the most part]."

Securing personal information can be a blind spot for businesses, according to Stephen Brunetto, product manager for Websense. However, the times are definitely changing as governments are becoming increasingly vigilant. "When you are dealing with personal information, you need to protect any identifiable information that can lead to identity theft," he told TechNewsWorld.

Concern is definitely climbing, given the rise in attacks on small-business Web sites, Litan added. "They're an easy target because they don't have an IT department, security officer or strong infrastructure. It's pretty easy to walk away with sensitive data."

The Business Case

Beyond these worst-case scenarios, though, there's also the simple fact that consumers don't like doing business with a site they can't trust. "Having a privacy statement [and trustmark] plays a big role in where consumers will purchase online," Hodge said. "Those that don't are missing a competitive advantage. It increases consumer confidence, which means more purchases."

TRUSTe, for example, will help you develop and/or update your privacy statement, issue a trustmark or privacy seal for display on your site, perform ongoing reviews to make sure you are compliant with relevant jurisdictional requirements, and provide support in resolving any disputes that may arise over your privacy practices. Annual fees for this service are based on revenues generated on the site and start at around US$600.

Best Practices

If you don't have any kind of privacy measures in place, then it's probably time you did. Following are some best practices to consider:

1. Ensure that your Web site has a true and accurate privacy statement that is easy to read and understand. It should include information on what customer data is collected and tracked, the parties with whom this information is shared, and how customers can opt out. Provide a link or reference to it on the home page so it's easy to find. Also make sure that your terms of service are consistent with that policy to avoid confusion.
2. Don't cut and paste your privacy statement from another site. "Remember, it's a legal contract," Hodge said. "Take a few minutes to make sure it is accurate for your business."
3. Register with a privacy organization and post a seal of approval or trustmark on your site. This should be prominently displayed on the home page, with the privacy policy statement, on the shopping page, and next to any online forms that collect information from customers.
4. Create a page that educates customers about your site's information security practices and controls. Explain how card payment information is protected during transmission, while on your server and at your physical work site.
5. Create an FAQ page that includes questions and answers on how customers can protect themselves when shopping online.
6. Do not collect credit card details by email. This is not a secure communication method.
7. Encrypt sensitive information during purchases. "You can get a certificate from your domain name, SSL (secure socket layer) or other provider that specializes in encryption services," Hodge explained.
8. Clearly state your purpose when collecting information from visitors. "If you are collecting email information for sending out an e-newsletter, be very clear that is what you are doing. And don't forget to provide a link to your privacy statement," Hodge advised.
9. Make sure any online marketing services you use meet industry standards for privacy and that they are certified.
10. Don't keep information you don't need. When it comes to maintaining a secure site and customer privacy, look at your data retention, advised Martin Elliott, senior business leader at Visa. "If you don't need it, don't store it. That reduces your security risk," he told TechNewsWorld. Establish a retention policy, Brunetto suggested. "This determines how long you need to keep data and how much. Figure out what is sensitive data and what you need to have in place to protect it."

"When conducting business online, it is essential that you create a positive customer experience," Elliot said. "Having digital content policies should always be clear and accurate, and not set false expectations. Customers want to know you are maintaining a safe and secure site."

How to Build a Small-Business Web Site, Part 1: Nuts and Bolts

How to Build a Small-Business Web Site, Part 11: Roping In That Rascally ROI