The privacy policy is written and posted on a company's Web site. The 2002 privacy-policy notice, a complicated statement required of financial-services companies under the Gramm-Leach-Bliley Act, is in the mail. Top executives and perhaps even the board of directors have reviewed the policy to make sure it will protect the company's good name. So it's mission accomplished on the privacy front. Or is it?

Hardly. Privacy policies on Web sites and in mailings are just words. The hard part is backing them up with the employee training and information technology to make them work. Regulatory actions such as the Gramm-Leach-Bliley Act, which requires financial-services companies to notify customers of their information-sharing practices, have produced a mountain of mail for consumers and much moaning from banks about the cost, but they've done little to help customers understand or businesses enforce their privacy policies. "Many companies are still focused on the regulator's agenda. The ones that are more advanced are working on the customer's," says Leigh Williams, chief privacy officer at Fidelity Investments.

So far, the companies making the extra effort and investment have been the exception. Privacy spending throughout the economy is hard to gauge, since it's generally mixed in among IT, training, and customer-support budgets, rather than broken out as a line item, even for internal budgeting. But Mike Beresik, national director of PricewaterhouseCoopers' privacy practice, says much of the spending has been focused on regulation compliance, with banks and other companies covered under the Gramm-Leach-Bliley Act spending far more than retail, entertainment, and consumer-goods companies. Financial-services companies last year collectively spent about $1 billion to prepare and mail privacy-policy statements required by that law, according to the American Bankers Association. That's not a huge number, given the size of the industry, and there hasn't been very much privacy-related spending beyond that. "Banks in the U.S. probably spend more on striping their parking lots," says Gartner analyst Richard DeLotto, who researches privacy issues.

The link for this article located at InformationWeek is no longer available.