ways in which corporate policies affecting privacy are brought into being.

Private firms, especially those that do business with individual consumers, have always had a privacy policy of one sort or another, even if the policy was implied by routine practice rather than explicitly stated. However, in recent years more firms are establishing formal policies and informing consumers of the nature of those policies than was common in the past. Firms within information-intensive (and therefore privacy-sensitive) businesses such as insurance, health care, finance, telecommunications, and direct marketing to consumers are more likely than other firms to establish a set of formal policies governing the collection and use of personal information.56 The establishment and posting of privacy policies by firms doing business over the Internet has become a standard business practice, and the lack of a published policy has become an exception.

These policies are often based on guidelines developed by membership associations representing the sectoral interests of firms within a particular industry. Trade associations, such as the Direct Marketing Association, often develop and publish a set of standard practices or codes of ethics that members are expected to honor.

Two privacy-related organizations are also influential in shaping corporate privacy policies. One is Privacy & American Business, an activity of the Center for Social & Legal Research, a non-profit, non-partisan public policy think tank exploring U.S. and global issues of consumer and employee privacy and data protection. Launched by Alan Westin in 1993 as a “privacy-sensitive but business-friendly” organization to provide information useful to businesses about privacy,57 it began training and certifying corporate privacy officers in 2000. A second organization, the International Association of Privacy Professionals, offers the Certified Information Privacy Professional credentialing program and a variety of information resources (newsletters, conferences, discussion forums, and so on).58

Firms within industrial sectors that have traditionally been the target of government oversight are more likely than firms in other sectors to have established their own privacy policies—financial services and health care are two of the most obvious, and privacy efforts in these areas have been driven legislatively with the Gramm-Leach-Bliley Act of 1999 for the former and the Health Insurance Portability and Accountability Act of 1996 for the latter. Firms in other business sectors tend not to develop


56. Gandy, The Panoptic Sort, 1993.

57. Westin, “Social and Political Dimensions of Privacy,” 2003, p. 443. More information on privacy and U.S. business can be found at http://www.pandab.org/.

58. For more information on the IAPP, see http://www.privacyassociation.org.
