Kristy Irvin

Assignment #2

INLS 187

February 26, 2003

 

Privacy Policy Analysis

 

Introduction

 

With the advent of the world wide web, a whole new industry was born, e-commerce.  With e-commerce, it became easier than ever to gather information about consumers and to share this information with others.  After all, the consumers enter the information directly into the database and the company can track their buying trends, etc. This information is extremely valuable not only the company itself, but to other companies who are trying to target specific markets and expand their customer base.  As a result, privacy policies have become very important. Consumers do not want their information to be shared and they do not want to feel insecure about using the internet to conduct business.  Consumers want to know what companies are doing with their information before they give it away.  I have, therefore, chosen to analyze a privacy policy of an e-commerce type company.

 

 

Privacy Policy Summary

 

I chose to evaluate Amazon.com’s privacy policy (http://www.amazon.com/exec/obidos/tg/browse/-/468496/102-6478252-1923350)  since I ordered some of my textbooks from Amazon for this semester.  It is obvious from using Amazon.com that they collect enormous amounts of information about a customer since they have recommender services, your name appears in their web page if you have purchased from them before, etc.  Therefore, I thought it would be interesting to analyze their privacy policy to see what they do with the information they collect.

 

Amazon.com’s privacy policy is rather lengthy, in printed form it totals 5 pages.  The policy has a last updated date which is nice.  The policy is layed out almost exactly the same as the criteria I developed.  What I find interesting about their policy is that they explain technical terms such as cookies and even explain how the customer can disable the cookies from being accepted by their browser.  This seems surprising since it is to Amazon.com’s advantage for their customers to enable cookies.  They do, of course, discourage their customers from disabling the cookies because it will prevent them from providing the best customer service possible. The policy is also fairly explicit about the exact information collected and the situations that it may be shared. Throughout the entire policy, Amazon.com stresses that all of the information they collect and store is only in the best interest of their customers.

 

 

Privacy Policy Criteria

 

There is some basic information that a privacy policy should cover such as:

 

·        What information is being collected?

·        Why is the information is being collected?

·        Is the information shared with other companies?  If so, who are the companies and what information, specifically is shared.

 

I decided to base my analysis on the following criteria according to what is important to me and trends that I noticed after reading several e-commerce privacy policies:

 

1.)    Information Collection

2.)    Information Storage

3.)    Information Usage

4.)    Disclaimers

5.)    Policy Updates

 

Information Collection.  Information Collection relates to what personal information is collected.  Do they store addresses, phone numbers, credit cards, demographic information, etc?  It also includes how this information is collected.  Does the site require a username and password?

 

Information Storage. What information is stored and how is it stored?  Is the demographic information stored with the consumer’s personal information? What is the persistence of this information?  Can the consumer request that this information not be stored after placing an order?

 

Information Usage. How is the information that is collected used?  What does the company do with the information?  Is it used to send catalogs and mail promotions?  Is it sold to other companies or shared with other companies? If so, what information is given to the other companies?

 

Disclaimers. Are there any indications that the company will violate their policy in certain situations?

 

Policy Updates.  What is the company’s policy for amending their privacy policy?  What happens to the information the consumer agreed to submit based on the previous privacy policy if he/she does not agree with the current policy?

 

 

Privacy Policy Analysis

 

1.      Information Collection

 

Amazon.com collects all of the information that they possibly can about a customer.  This includes any information provided through the web site, emails, phone calls, discussion boards, wish lists, chats, etc. The information they collect includes personal information such as addresses, phone numbers, credit card information, etc.  They also record sales information including the books you have purchased, whom you may have sent them to (including their addresses and phone numbers), email addresses, the actual content of the emails sent to them, and social security and driver’s license numbers.  They do require a user profile to be created with a username (your email address) and password for conducting business with Amazon.com.  You may have multiple accounts if you register with more than one email address.

 

While I personally am not thrilled with the large amounts of information that Amazon.com collects, it is good that they explicitly state the information they are collecting and that they are collecting so much information.

 

2.      Information Storage

 

Basically Amazon.com stores all of the information they collect that is mentioned above.  There is no way for the consumer to have this information removed, or rather, it is not mentioned in the privacy policy. The only option a consumer has it not to supply certain information to Amazon.com.  However, choosing not to provide some information will prevent the consumer from being able to conduct business with Amazon.com

 

I feel that the consumer should be allowed to request that information not be stored about them.  The consumer should be allowed to request their records to be deleted especially if they will no longer be conducting business with Amazon.com. 

 

3.      Information Usage

 

Amazon.com uses all of the information it stores in a variety of ways.  They, for the most part, explicitly list these uses.  These uses include Amazon.com features such as “Personal Circles”, “Top Sellers”, and “Just Like You”.  The information is also used to send emails and promotions.  The user does, however, have the option not to receive these emails and promotions.  Amazon.com explicitly states that they do not sell consumer information to other companies.  However, they do share this information.  Amazon.com has so many partnerships and alliances with other companies that it is quite obvious the consumer’s information is not just for Amazon.com.

 

4.      Disclaimers

 

Amazon.com is very open in their policy about the information that they collect and its uses. They even mention that their policy will be violated when it is legally necessary.

 

5.      Policy Updates

 

Amazon.com does state their policy is likely to change.  They will mail policy changes to customers who have not disabled this feature. This is nice because it prevents the consumer from having to check the privacy notice before every purchase or use of the site.  The other nice thing about Amazon.com’s policy is that they state they will never make their policy less protective than it currently is without permission from its customers.  This will prevent Amazon.com from changing their policy to one that compromises information already collected.

 

The fact that Amazon.com sends automatic notifications about changes in their policy is great, especially since so much information is stored. 

 

6.      Anton, Earp, and Reese’s Taxonomy

 

I found a taxonomy created by Anton, Earp, and Reese.

Antón, A., Earp, J. and Reese, A. "Analyzing Web Site Privacy Requirements Using a Privacy Goal Taxonomy." 10th Anniversary IEEE Joint Requirements Engineering Conference (RE'02), Essen, Germany, pp. 605-612, 9-13 September 2002.  

I noticed that several of the elements they mentioned are included as part of Amazon.com’s privacy policy so I wanted to mention those features.

 

Anton, Earp, and Reese have conducted considerable research analyzing e-commerce privacy policies. As a result, they developed a taxonomy for analyzing web-site privacy.  Their taxonomy includes the following criteria:

 

• Notice/Awareness – This indicates that a website should have a privacy policy.
• Choice/Consent – Relates to allowing the consumer to determine what the information collected is used for and whether or not this information can be shared.
• Access/Participation – Allows consumers to access/correct any information about them.
• Integrity/Security – The data collected should be correct and secured.
• Enforcement/Redress – Indicates that the privacy policy is actually enforced.

 

1.      Notice/Awareness

 

In Amazon.com’s privacy policy, they meet notice/awareness as they have a privacy notice publicly available on their web site. 

 

2.      Choice/Consent

 

They allow the customer to choose whether or not to enter certain types of information, but for the most part, the customer has no control over the information collected about them since much of it is inherent to doing business with Amazon.com or is collected automatically through the use of the web site, phone calls, emails, etc. The consumer does not have the ability to specify what information is shared or not shared with other companies Amazon.com partners with.

 

3.      Access/Participation

 

Amazon.com does allow a customer to access most of the information collected about them.  Some of this information is actually up-datable by the user such as “Wish Lists” and registries.  They also may update their “About You” area information.  Other information such as recent orders, recent product view history, and prior order history are viewable but not up-datable.

 

4.      Integrity/Security

 

Amazon.com explains how information about the consumer is collected including the use of SSL to encrypt the information.

 

5.      Enforcement/Redress

 

The policy indicates that Amazon.com will adhere to their own policy.

 

 

Privacy Policy Recommendations

 

This policy is rather extensive so there is not much to suggest.  They even include things that I would expect them to leave out such as explaining to the user how to disable cookies.  They are explicit about when they will violate their policy. 

 

I personally do not care for the tone of the policy.  They often stress that any information the consumer provides is up to him/her. However, the user cannot conduct with business with Amazon.com unless they provide this information so there really aren’t very many choices for the consumer.

 

Another issue that I have with the privacy policy is its  location on the website.  It is buried at the very bottom of the site in a tiny link.  This does not remind or encourage consumers to read the policy.

 

The biggest recommendation I could make is to allow the consumer more control over what information is collected about them and how it is used.  The consumer may not view the personalized web shopping experience as a benefit.  I also think that if the consumer no longer agrees with the privacy policy of Amazon.com they should be allowed to request that all of their stored information be destroyed.