Your website could be giving out subtle warning signs to visitors that you might not be protecting their personal data. If it is, it could be damaging your business. You could be turning away customers and impacting your profitability. Here are five common warning signs and how to address them. (By the way, I came across all 5 of these on one website today! They didn’t get my business even though I need what they offer and I wanted to use their service!)
We have all been there, on a website, feeling a bit uneasy but not really sure what it is that is bothering us. Is this website safe, really? You have to hand over credit card details and you are really not sure whether it's safe to do so. It's a bit like reading body language. You may be picking up tell-tale warning signals that the website isn’t taking great care of your data without realising what is causing your uneasiness.
If you are running a website, don’t give out warning signs to your customers. If your website screams “Don’t trust me!” then it will not matter how careful you are behind the scenes. You will have potential customers hesitating and backing off, and you will be losing out on potential revenue. Think of it like having a dirty shop front or missing letters from your shop sign. You should take care to keep your web shopfront clean and appealing to your potential customers.
CAN YOU BE EASILY CONTACTED?
The biggest, reddest flashing warning light is when a website is missing contact details. It might offer a phone number but no address, an email contact but no phone. A website that takes its duty of care to its customers seriously will have phone, email and business address details on the site. It will also be complying with company legislation and will list the company registration number. Make it easy to contact your company. Offer your customers multiple ways to contact you.
ARE YOUR TERMS AND CONDITIONS DIRECTLY RELEVANT TO THE SERVICE?
The next clue will be whether the company has terms and conditions of use and then whether these are consistent. Generally, there should be a cookie statement, a privacy statement and terms and conditions. But just having these statements is not enough – customers can tell if your company is taking these seriously or just paying lip service to them. There are a few giveaways. It is easy to see if your policies are inconsistent with what your company does. Are your policies vague? Do they lack detail? And then there are the “cut and paste” clues – I was on a European website last week where the privacy policy referred to “zip codes” and “personalizing” my experience while giving me vague statements about what it would use my data for (mainly more “personalizing” rather than anything specific and descriptive of their services.)
CAN YOUR PRIVACY STATEMENT BE READ IN UNDER 5 MINUTES?
My next favourite warning sign is the 18-page privacy policy written in technical legal language. A website that is taking customer data seriously will have a short, clear and relevant privacy statement. It will tell customers exactly why it is asking for each piece of data customers are sharing, what it will do with that data, how long it will keep the data and how customers can make contact to have it updated or deleted. Larger organisations will publish information on how to contact their data protection officer.
ARE YOU ASKING FOR TOO MUCH INFORMATION?
Asking for too much information is another sign that someone is not thinking about customers' privacy. Do your customers have to think “I wonder why they need that?” If it's not information immediately relevant to the service you are offering and you don’t explain why you are asking for it, then it's another clue to how seriously you are taking your customers' data. I have come across a number of competitions recently where the over-enthusiastic marketing person practically wanted to know what I ate for breakfast just to enter to win a toaster! It's one of the principles enshrined in data protection law that data should be “adequate, relevant and not excessive”. Companies who are taking it seriously will always ask if they really need a piece of data before they ask their customers for it. Think before you ask and only collect data that you need in order to deliver the service.
ARE YOU ASKING CUSTOMERS TO CREATE A LOGIN BEFORE TELLING THEM ABOUT YOUR SERVICES?
I have to admit, I have worn this particular tee-shirt in the past. It's tempting to try and get information from your visitors before they swing off your website and are gone forever. I recently checked and I – cautious and data-aware person that I am – have created accounts on >70 websites split between personal and professional accounts. (That number will be halved by next week as I will go on a big clear-out). More recently, I am inclined to leave my email but I won't create an account and leave a password unless the service is essential and I am confident that they are trustworthy. So, establish if someone is interested in hearing more from you and take email contacts by all means, but don’t ask anyone to create an account until they are signing up for a service and, if possible, make this optional.
FINALLY …. A BONUS WARNING SIGN!
If you are creating password-protected customer accounts, make sure you have an HTTPS certificate for your site. It used to be that these were necessary if you took credit card payments on the site, but I always recommend HTTPS is used as soon as you take more than just an email address from your customers.
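One way a site owner could check their own pages against this rule, as an added example that is not part of the original post: it parses a page's forms and flags any that collect more than an email address while the page or the form's submit URL is not on HTTPS. The names `FormCollector` and `audit_forms`, the sample HTML and the `shop.example.test` URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not from the post): a newsletter box and a login form.
SAMPLE_HTML = """
<form action="/subscribe"><input type="email" name="e"><input type="submit"></form>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="x">
  <input type="email" name="user"><input type="password" name="pw">
</form>
"""

class FormCollector(HTMLParser):
    """Records, for each <form>, its action and the visible fields it collects."""
    IGNORED = {"submit", "button", "hidden", "reset", "image"}

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            kind = (a.get("type") or "text").lower() if tag == "input" else tag
            if kind not in self.IGNORED:
                self._current["fields"].append(kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Flag forms that take more than an email address but are not fully on HTTPS."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if all(kind == "email" for kind in form["fields"]):
            continue  # email-only (or empty) form: outside the post's rule
        target = urljoin(page_url, form["action"])  # empty action submits to the page
        insecure = sorted({u for u in (page_url, target) if urlparse(u).scheme != "https"})
        if insecure:
            findings.append({"fields": form["fields"], "insecure_urls": insecure,
                             "has_password": "password" in form["fields"]})
    return findings

if __name__ == "__main__":
    for finding in audit_forms("http://shop.example.test/", SAMPLE_HTML):
        print(finding)
```

Checking the submit URL as well as the page URL catches the case where the page itself loads over HTTPS but the form still posts the data in the clear.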
FINAL WORD
The sad thing is that I took one random website as my reference point when I was writing this post and guess what – it violated every single one of these 6 signs. It's a site that wanted me to do business with it this week, that’s put a lot of effort into marketing and getting its service out there. It's an interesting service and a very good idea, but then I visited it and felt uneasy. Sadly, that marketing budget is being wasted because there was so little thought put into how it would build customer trust. Don’t put customers off doing business with you!
Marie Murphy
Marie's interest is in data protection operations focusing on people and process to manage personal data processing risk in large and small organisations with a special interest in privacy by design.