Privacy Policy Capitalism

When we view the exchange of identity information through the lens of a transaction where the customer perceives some benefit and thus parts with bits of identifying information in consideration for that benefit, privacy policies take on a new feel. Many companies view their privacy policy as something they have to do to keep their customers from being angry with them, because their industry demands it, or because someone convinced the CEO or CIO that she'd be liable if the company didn't have one. All of these may be true statements, but they're only ancillary to the real reason for a privacy policy: your privacy policy represents the terms of service you're offering for whatever benefit the customer perceives.

For example, say you're an online merchant. You collect identity information from your customers at various stages of the transactions, and the customer receives some benefit. At the most basic level, whenever a customer visits, you install a cookie on his browser so that your shopping cart works. Cookies are a way of maintaining program state across HTTP, an otherwise stateless protocol. In addition to making the shopping cart work, you realize that you can use the cookie to recognize the customer the next time he returns and even to track his shopping habits. When the customer buys something, you collect personal information, such as his name, address, and credit card number, and can link that to the cookie as you create a customer profile.

What should this online merchant's privacy policy say? First, tell the truth. Tell customers what data you collect, why you collect it, and what you do with it. Be specific. In this example, the merchant might say, in part:

A real privacy policy would be longer, and your lawyers will probably want to fill it with lots of other information. While it's a good idea to involve lawyers in the process, since it's ultimately a term sheet between you and your customers, make sure that the privacy policy is readable and understandable by your customers, or it won't do what you need it to do: inform them, in clear language, of the terms of the bargain that you're proposing.

If you approach your privacy policy as a term sheet, with a clear understanding of what each side is giving and getting in the relationship, you and your customers will be happier with the result.