For the past 10 years, Ann Cavoukian, coauthor with Don Tapscott of Who Knows: Safeguarding Your Privacy in a Networked World (McGraw-Hill, 1997), has been assistant commissioner of the Information and Privacy Commission for the province of Ontario, Canada. Among other things, Cavoukian's commission ensures that the provincial and municipal governments of Ontario don't abuse the data entrusted to them by the public. In Who Knows, she argues that companies should uphold a customer's privacy not only because of a legal or moral obligation but because it makes good business sense. She recently spoke with Inc. Technology about how small companies can protect customer data.

On protecting customers' data:
Most privacy laws in North America apply only to governments and not to the private sector. That means companies must be responsible enough to create their own privacy codes. The most crucial elements of any code are that it clearly state that the company will inform customers of how their personal information could be used, and that it provide customers with a chance to revoke their consent when the information is used for other purposes. In other words, you may sell your customers' names and addresses only if you have informed consent. Once you have defined a policy, make sure you communicate it to your employees via E-mail or intranet and physically post it at cash registers or other open places.

On the benefits of a privacy code:
Businesspeople traditionally rail against the notion of privacy legislation, claiming that it impedes free enterprise. But that's not necessarily true. When Quebec recently extended its privacy laws to the private sector, businesses were not crippled, as many feared. In fact, privacy codes may actually help you gain customer trust and loyalty. Some companies have even found that privacy protection is a cost-reduction tool. Companies often have archaic information practices, and they collect a good deal of information from their customers that they just don't need. A company that begins to scrutinize its information holdings from a privacy perspective may discover that it can save valuable computer processing time and memory. And it might also find that its employees will be more efficient if it doesn't have to collect data that never gets used.

On the fallout from violating privacy:
In the next five years, we are going to see a much more militant group of consumers, who will demand to know how their personal information is used and what sorts of electronic security systems have been installed to protect that data. We are already beginning to see more consumer lawsuits. Consider the consumer in San Diego who sued Computer City. When the buyer paid for his original purchase, he saw the clerk typing his name and address into the computer. When he asked if his name was going to be added to a mailing list, the clerk replied: "No." The man then wrote on the back of his check that he would sue for a particular amount if Computer City violated the agreement not to place his name on any mailing list. When he received mailings from the company, he sued and ultimately won. The judge ruled that the check had been transformed into a contract that the company subsequently violated.