A survey has delivered a damning verdict on the standards of protection which operators of websites around the globe provide in respect of personal information.

The survey organised by Consumers International covered a total of 751 websites in the US, the European Union and Hong Kong. Approximately two-thirds of these sites asked users for personal details which would make it easy to identify and contact them. More importantly, in the vast majority of cases, users were not given a choice of whether their details were put on a mailing list for use by either the site's host, its affiliates or unrelated third parties.

This is contrary to legislation in the European Union where companies are required to provide consumers with an opportunity to opt out of having their personal information used for marketing purposes. Further, under restrictions imposed by Hong Kong Personal Data (Privacy) Ordinance, personal information may only be used for direct marketing if this is one of the purposes for which it has been collected and, on the first occasion the information is used for direct marketing, the individual is provided with an opportunity to opt out of future marketing.

In order to comply with Hong Kong legislation, companies should include on their website a privacy policy which states clearly the purposes for which personal information is collected. This statement should also set out the web-site operator's policy in relation to the certain key practices, including:

  • the type of personal information that is being collected
  • whether the information will be transferred to third parties
  • how long the information will be stored
  • to whom the information will be disclosed
  • direct marketing policy
  • security of the data
  • the right of consumers to request access to, and correction of, personal information

However, only just over half the websites surveyed by Consumers International had any policy in place at all, with most policies being inadequate from a consumer's point of view. One particular problem encountered by Consumers International was in locating the policy on the website, with most policies not being referred to on the site's home page or at the point where personal information was being collected.

Whilst it may be tempting for operators of websites to dismiss the findings of this survey as being mere drum banging on behalf of consumers, it would be unwise to do so. The Privacy Commissioner's Office in Hong Kong checked on the compliance of 400 websites last year, following up with enforcement notices against those which failed to meet the minimum standards set by Hong Kong legislation.

Any operator of a B2C website which is serious about its business should not, however, be satisfied in merely avoiding the embarrassment of a call from the Privacy Commissioner. An all important step in the online business world is to gain and retain the confidence and trust of consumers. Privacy is a genuine and legitimate concern for on-line consumers and a transparent privacy policy which is presented in a positive way can be a useful tool in allaying such concerns and attracting business.

A copy of the full report published by Consumers International can be found at on their website at www.consumersinternational.org. First published in SCMP Technology Post on 6 February 2001.