Amazon.com’s recent brush with the Federal Trade Commission over consumer privacy (the agency claimed the company’s practices were “deceptive” but did not take action, although Amazon did spend $1.9 million in legal fees as a result) is further proof that senior executives should take a hard look at their companies’ policies. A recent FTC survey estimates that 97 percent of all commercial Web sites collect personally identifiable information, a fact not lost on consumers or the government. Privacy and American Business (P&AB), a public policy think tank, is currently tracking 60 lawsuits brought against companies by state and federal agencies alleging violations of Internet privacy standards.

While there are laws that address medical and financial information, as well as information about children, the legal landscape is getting fuzzier, according to P&AB president Alan Westin. Dozens of bills are wending their way through Congress, and many states have or are attempting to pass laws that further restrict what companies can do with the data they collect via the Internet. On the global front, 49 countries, including most in the E.U., have national data protection laws, many of which restrict the flow of consumer information to countries without similar safeguards.

To protect themselves, many companies begin by creating a privacy policy. About one-third of U.S. businesses have such a policy, a number that’s expected to increase to 50 percent by the end of 2002, according to Computer Economics, a research firm in Carlsbad, California. But complying with your own policy is essential. “If you have a privacy policy and then violate it, the FTC can come down on you like a ton of bricks,” says Chris Kelly, chief privacy officer (CPO) at Internet portal Excite@Home. He says cash-hungry Excite has turned away “six- and even seven-figure deals” in order to comply with the privacy policy on its Web site, which states that the company will share personally identifiable information with third parties only if a consumer has given permission.

When Kelly was appointed CPO last spring, he was among the first in the country to hold the title. Today there are about 350, and Westin predicts that there will be “hundreds to thousands” of such positions by 2003, since customer privacy concerns often fall outside the expertise of departments that typically handle data, such as IT and marketing.

Some companies are also trying to preempt federal standards by voluntarily submitting to third-party auditors. Online travel site Expedia.com, for example, has seals of approval from no fewer than three such firms: TrustE, BBBOnline, and PricewaterhouseCoopers LLP. Audits can cost from several hundred to tens of thousands of dollars. Privacy consulting, a $300 million business in 1999, is expected to grow to $1.8 billion by 2003, according to Gartner Dataquest.

Other options for privacy protection are still nascent. One item on the horizon is WebCPO, a software package developed by PwC and Watchfire Corp. Launched in May, the software will monitor Web pages for privacy violations and automatically alert managers when one is detected. Several other firms are developing products now, but most prospective buyers are likely to agree with Kelly that “it’s a great idea, but it’s a waiting game to see who puts the best package together first.” IDC Corp. analyst Jonathan Gaw says that privacy auditing tools will soon be part of most E-commerce suites.

Alix Nyberg is a staff writer at CFO.