As online marketing matures, many companies are finding privacy policies that once seemed acceptable as constricting as clothing that has been outgrown and, like a too-tight suit, must be altered.
"It's standard practice to say information will not be shared with third parties. But a company may then realize that sharing is part of their core business," Ponemon explained. "So they tweak the policy to reflect that. It's a growing trend."
Businesses with a strong brand and companies with a strong trust element, such as youth-oriented sites and banks, are at the vanguard of this trend, Ponemon noted.
Yahoo! was one of the first online companies to institute broad changes in its data sharing policy in March of last year. eBay also made adjustments. Walt Disney, which has a network of sites including Disney.com, ESPN.com and Movies.com, is the latest such example.
People spend a lot of time on Disney's parks and resort sites, planning activities, building travel itineraries and the like, Kerscher commented. But when it comes to making final arrangements and paying, many want to transact with a live person, so they telephone the call center.
Disney says revised its policy to allow the company to share information with its non-Internet businesses, primarily the theme parks. These businesses will also be able to use the information to market services and information. Disney will now permit outside companies to send promotions to users via postal mail (though not e-mail), and Disney itself can send e-mail and U.S. mail promotions to its customers. Finally, Disney can obtain information about its users from third parties, such as the postal service.
"My gut tells me Disney have been good players," with regard to privacy, Ponemon commented. "The public is more concerned with whether a company is honest than whether it provides opt-in or opt-out."
When making the change, Kerscher said, Disney realized the dangers and decided it was important to act conservatively.
Another factor affecting the California company's online privacy practices is a number of new laws in that state that passed in 2003. One of these, SB 27, provides that consumers can request lists of the kinds of information that companies share with third parties, as well as the names of these third parties. SB 27 takes effect Jan. 1, 2005.
Disney's Kerscher says Disney is on the case.
"We have teams of people looking at all the legislation and will do whatever it takes to comply. My sense is we're already in compliance with many of them," Kerscher affirmed.
Ponemon said the new laws are a factor in the overall trend of companies tweaking their privacy policies.
"Clearly, an organization would have a difficult time operating two sets of requirements, one for California residents and the other for another 49 states. So, most companies treat the regulations below as national requirements," Ponemon said.
But California's new laws aren't the only ones on the books supporting privacy. A number of such laws already exist, attesting to a move toward better notice and options for consumers, according to J. Trevor Hughes, executive director of the International Association of Privacy Professionals (IAPP).
"There's the Gramm-Leach-Bliley Act, which provides us with greater choices and notice with regard to financial data. The Health Insurance Portability and Accountability Act, HIPAA, provides us with greater notice and control over health information. And of course there's the Do-Not-Call list and the recent Can-Spam act giving us greater control over e-mail," Hughes pointed out.
"The fact that Disney is giving (registrants) a choice represents an enormous shift over where we were 10 or 15 years ago," Hughes maintained. "In the broader scheme of things it really represents a very granular piece of a much broader tectonic shift."