Will all this lead to a surge in demand for privacy-related software and services? Vendors are convinced privacy is the next big thing. But chief privacy officers are more concerned with policies and business practices than technology.
That doesn't stop privacy tool vendors from trying to convince Seagraves otherwise. "I'm bombarded by all sorts of companies that have tools to monitor everything," he says.
A wave of tools for developing and managing privacy policies hit the market in the past year. In mid-2001, Watchfire Corp. debuted WebCPO, which companies use to scan their Web sites to make sure they comply with their own privacy policies. Some large businesses have Web sites with as many as 10 million pages, says Watchfire CEO Michael Weider. "They have so many pages, they don't know where the land mines are buried," he says.
Zero-Knowledge Systems Inc. is developing Enterprise Privacy Manager, which helps companies ensure that back-end IT systems, such as databases and enterprise resource planning applications, conform to their privacy policies. It plans to test the product in January. Zero-Knowledge also markets Freedom, privacy-protection software for consumers, although analysts say the market for consumer privacy products hasn't taken off.
Other privacy-related tools include IDcide Inc.'s Privacy Wall, which competes with Watchfire's WebCPO, and PrivacyRight Inc.'s TrustFilter for managing customer opt-in/opt-out processes. IBM is adding privacy capabilities to its Tivoli systems-management software, due in mid-2002, including the ability to create data-access audit trails. That follows IBM's recent news that it's creating a privacy institute for developing privacy-enabling and data-protection technologies.
However, analysts are skeptical about demand for privacy-specific products. "I don't think privacy initiatives are driving technology purchases right now," says Steve Hunt, a Giga Information Group analyst. Although most companies post privacy policies on their Web sites, Hunt says, many are still developing practices to back them up and aren't yet at the automation stage. It will take a year--perhaps several years--before privacy audit and compliance tools are considered mainstream technologies, he says.
Some companies are developing their own privacy-related software. The Royal Bank of Canada in Toronto is designing a system that will help its 1.8 million customers control how the bank uses information about them. For example, checking-account or home-mortgage customers will be able to prohibit the bank from sharing account data with its brokerage operations and avoid getting marketing calls about investing. The software, to be deployed in 12 to 18 months, will run on a sophisticated rules-based engine, says Peter Cullen, the bank's chief privacy officer. Once it's deployed, users will be able to choose the level of privacy they want.
Royal Bank of Canada is giving customers free privacy-securing software, privacy chief Cullen says.
Consultants such as IBM, Guardent, and PricewaterhouseCoopers are building up privacy practices. The U.S. market for privacy consulting, legal services, and software products combined is about $100 million a year, says Patrick Sullivan, Guardent's privacy and information policy VP.
E-Loan Inc. in Dublin, Calif., enlists Privacy Council Inc., a privacy services and consulting firm, to audit its business practices to certify that they comply with the online mortgage lender's own privacy policies and applicable financial-data-protection laws. "It's absolutely essential that customers feel we are going to treat their data respectfully," E-Loan CEO Chris Larsen says.
The biggest potential driver for the privacy-protection software and services market this year is the Platform for Privacy Preferences (P3P), the standard created by the World Wide Web Consortium that lets Web surfers screen Web-site privacy policies and prevent their PCs from sending private information about themselves. Companies develop machine-readable code versions of their privacy policies that P3P-enabled Web browsers can scan. Microsoft and AT&T provide freeware development tools for turning written privacy policies into code.
Microsoft built P3P into Internet Explorer 6.0, letting users select their privacy preferences from a menu. For instance, they can tell the browser to prevent Web sites from loading cookies onto their PCs. The browser also warns users when Web sites don't live up to their privacy parameters. "This is giving individuals more knowledge about and control over how their data is collected, stored, and used," says Michael Beresik, national director of PricewaterhouseCoopers' privacy practice.
With an estimated 10 million to 15 million copies of Internet Explorer 6.0 already in use, consumer awareness of privacy issues could heighten dramatically in coming months. And that could fuel demand from businesses for products and services to make sure their Web sites don't set off privacy alarms when Web surfers with Internet Explorer 6.0 come calling. Three-fourths of the top 100 U.S. Web sites will become P3P-compliant in 2002, Beresik predicts.
Others are more skeptical of P3P's impact. "P3P will be the V-chip of the Internet," says Gartner analyst John Pescatore, referring to the mostly ignored chip that lets parents block out TV programs with violent or sexual content. But no matter how lukewarm the consumer response, P3P is likely to spur demand among businesses for tools that make their Web sites P3P-compliant, Pescatore says.
Other factors also will fuel demand for privacy tools. In the financial-services industry, the Gramm-Leach-Bliley federal legislation restricts how much data financial-services companies can share with third parties. Though the law is already in effect, some banks, brokerages, and insurance companies still are scrambling to comply, Beresik says.
E-Loan's privacy spending will increase in 2002 if, as Larsen expects, California and other states enact financial-data-protection laws stricter than Gramm-Leach-Bliley.
The health-care industry is also a prime target for privacy software and service providers. That's because the Health Insurance Portability and Accountability Act mandates that health-care providers, insurers, and transaction houses implement patient-data-confidentiality safeguards by June 2003. To comply with the act, health-care organizations will likely adopt secure messaging systems, Giga's Hunt says.
The terrorist attacks have affected how companies view privacy issues, as well. "The big problem with privacy is that after Sept. 11, privacy has gotten pushed way down the priority stack," Gartner's Pescatore says. For the short term, IT system security has been uppermost in most IT managers' minds. But Pescatore says that as the government aggressively seeks access to customer data for its terrorism investigations, there could be a consumer backlash and increased demands for confidentiality protections.
As EarthLink has already figured out, privacy is a way for businesses to differentiate themselves. "Privacy is becoming a branding issue," Beresik says. Respecting privacy is a way to forge stronger bonds with customers. "It's much more important than cutting three seconds off the time it takes a call-center worker to answer the phone."
Privacy-protection technology has its place. But businesses shouldn't lose sight of the fact that maintaining customer trust is the ultimate goal. KBtoys.com in Denver uses homegrown tools to restrict unauthorized access to data. "We'll be evaluating a number of privacy protection technologies in 2002," says Scott Wilder, product development and marketing VP. "But our big priority is talking to customers. At the end of the day, it's usually a customer who raises a red flag."