Hardly. Privacy policies on Web sites and in mailings are just words. The hard part is backing them up with the employee training and information technology to make them work. Regulatory actions such as the Gramm-Leach-Bliley Act, which requires financial-services companies to notify customers of their information-sharing practices, have produced a mountain of mail for consumers and much moaning from banks about the cost, but they've done little to help customers understand or businesses enforce their privacy policies. "Many companies are still focused on the regulator's agenda. The ones that are more advanced are working on the customer's," says Leigh Williams, chief privacy officer at Fidelity Investments.
Some companies aren't even doing the basics. Almost half of companies don't have privacy policies, two recent surveys found. One that research and consulting firm Computer Economics conducted earlier this year found that only 51% of companies have privacy policies, even though 97% of the more than 300 companies surveyed have Web sites and slightly more than half conduct E-commerce. Another study found that barely half of companies post privacy policies on their Web sites, and 60% don't monitor their sites to make sure they deliver the privacy that's promised, according to a survey of 600 companies that site-monitoring application vendor Watchfire Corp. conducted this spring and PricewaterhouseCoopers analyzed.
But the leaders in providing privacy protection are taking aggressive steps to turn their policies into strategic advantages, and they're looking to technology to take a far more important role. So far, nontechnology issues, such as setting policy and complying with regulations, have dominated the privacy debate within companies. Now, a market is emerging for software focused on privacy management and monitoring of customer data. In some ways, it's the flip side of the cybersecurity evolution. Cybersecurity started as a purely technical problem and climbed the ladder to become a CEO-level issue. Privacy emerged as an executive-level concern, thanks to some high-profile scandals and regulations, and now is being handed to technologists and other specialists to turn policy into reality. "Businesses are still trying to understand what privacy means at the IT level, at the data level," says Alex Fowler, senior policy director for Zero-Knowledge Systems Inc., which makes software for managing companies' adherence to their privacy policies.
Royal Bank of Canada is in the midst of making the technological changes it needs to automatically enforce its customer-privacy policies, which the bank's executives believe will differentiate it in the market. Customers can choose whether they want to be contacted about other banking services, such as consumer credit, loans, and mortgages, and whether they want personal data shared with the bank's full-service and discount-brokerage operations.
The next step will be for the bank to build links among the three business units' databases to create a consolidated view of its customers across the banking and brokerage divisions. An early version of the linked system is slated for completion this fall, and full deployment is expected next year. Included will be a rules-engine application, custom-built by bank programmers, that automatically manages the flow of information among the databases based on customers' privacy preferences. That way, one of the bank's brokerage-services telemarketers won't be able to access data about a banking-services customer who asked not to be contacted.
Fidelity's Williams puts the company's privacy-related initiatives into four categories. One is regulatory-compliance efforts such as the privacy notices mandated by the Gramm-Leach-Bliley Act. Another is privacy practices, such as a customer going to "My Profile" on Fidelity's Web site to define how his or her data can and can't be used within the company, and the technology to honor those preferences. The third is improved communications with customers, such as XML-based versions of privacy policies that comply with Platform for Privacy Preferences technology. P3P lets people set privacy standards on their browsers and warns them when a site doesn't meet those standards. The fourth involves leveraging privacy for competitive advantage.
Royal Bank of Canada's banking division maintains in its databases a file of customers' privacy preferences, says chief privacy officer Peter Cullen. Before managers undertake any marketing initiative, they must check mailing and calling lists against that database. The two brokerage divisions have similar data warehouses with client privacy preferences.
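The preference check described for Royal Bank of Canada (marketing lists checked against a preference file, and a rules engine gating data flow between units) can be sketched as follows. This is an added example, not the bank's code: the unit names, customer ids, preference fields and the deny-by-default behavior are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical identifiers for the three business units the article mentions.
UNITS = {"banking", "full_service_brokerage", "discount_brokerage"}

@dataclass(frozen=True)
class Preference:
    allow_contact: bool                  # may be contacted about other services
    share_with: frozenset = frozenset()  # other units allowed to see the data

# Constructed sample data: which unit holds each record, and stored choices.
OWNER = {"C001": "banking", "C002": "banking", "C003": "banking", "C004": "banking"}
PREFS = {
    "C001": Preference(True, frozenset({"full_service_brokerage"})),
    "C002": Preference(False),
    "C003": Preference(True),
    # C004 has no preference record and must be treated as "no".
}

def may_access(unit, customer_id, purpose):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if unit not in UNITS:
        return False, "unknown unit"
    owner, pref = OWNER.get(customer_id), PREFS.get(customer_id)
    if owner is None or pref is None:
        return False, "no preference on file"
    if purpose == "marketing" and not pref.allow_contact:
        return False, "opted out of contact"
    if unit != owner and unit not in pref.share_with:
        return False, "sharing not permitted"
    return True, "permitted"

def scrub_list(unit, customer_ids, purpose="marketing"):
    """Split a calling or mailing list into allowed ids and suppressed (id, reason)."""
    allowed, suppressed = [], []
    for cid in customer_ids:
        ok, reason = may_access(unit, cid, purpose)
        if ok:
            allowed.append(cid)
        else:
            suppressed.append((cid, reason))  # keep the reason for audit
    return allowed, suppressed

if __name__ == "__main__":
    campaign = ["C001", "C002", "C003", "C004"]
    print(scrub_list("full_service_brokerage", campaign))
    print(scrub_list("banking", campaign))
```

Keeping the suppression reason alongside each removed id gives auditors a record of why a customer was excluded, which is the monitoring gap the surveys above point to.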

Royal Bank of Canada is developing a rules engine to control the flow of information based on customers' privacy preferences, Cullen says.