Electronic commerce is powered by an insatiable need for demographic, socio-economic and personal information on customers. Such information is beginning to acquire enormous financial value as a new form of currency in e-economy. However, its use and storage is vulnerable to abuse.

The Wal-Mart chain of supermarkets has been described as possessing “an information trove so vast and detailed that it far exceeds what many manufacturers know about their own products”. It is allegedly second in size only to that of the US government. When such information is combined with that stored by government or that available through credit card engines, the possibility of profiling and tracing an individual's entire history, purchasing preferences and relaxation habits becomes a frightening reality.

In the online world, virtually every piece of data is for sale. Governments and businesses everywhere are concerned about the implications of this and the possible backlashes over breaches of privacy. Many countries are already reviewing data protection legislation.

Many ebusinesses oppose such an approach and are opting for self-regulation. While many popular sites now post their own privacy policies and seals of approval, the public has little confidence in them. So much data is shared or sold and so many databases are joined or recreated during mergers and acquisitions that privacy pledges are often rendered unenforceable. Even though European privacy laws are more stringent, just the fact that data is consolidated in one place makes it more vulnerable to theft or abuse.

Data mining can lead to market segmentation. Some US-based organisations already employ it in day-to-day operations – they focus their best services on their best clients through analysis of their data. One Californian bank uses internet-based programmes to classify customers into A, B, and C categories. The less valued C-category clients find themselves “on hold” far more than those designated A or B.

Privacy policy can be managed very differently. The Safeway website, for example, has a privacy policy that is easy to find. The chain clearly states what it does with personal information. The data privacy policy of Tesco is either difficult to find or completely absent, although the two supermarket chains compete for business on local, national and international levels.

A report by the Federal Trade Commission's investigation in March 2000 showed that, while 85% of the 1,400 commercial websites reviewed collected personal information from customers, only 14% had posted any privacy-related notices, and only 2% were viewed as “comprehensive”.

In the US there are no laws that prevent the gathering and exchange of consumer information, and consumer data privacy policy is left to industry self-regulation. However, the Federal Trade Commission is concerned about business practices and privacy practices and has stated it would take action against those that did not adhere to their own privacy statements.

The European Parliament rejected the US system of data privacy protection, contending that it did not represent the adequate level of protection required by European legislation. Under a general directive, residents of EU countries may be able to appeal to the agency that regulates and enforces data privacy law for that nation and there would be penalties attached to violations of the regulations.

Every organisation is required to comply with the data privacy or protection acts of all states, countries or economic areas from which they trade or from which customers have been identified. This compliance can prove difficult, as different countries' data protection requirements are often incompatible or contradictory.

Money laundering recognition, cross-border trading, taxation, liability, the duty of care, management information, sales and marketing, regulatory and legislative control and compliance and due diligence process are particular areas of risk. All involve potential data privacy and protection conflicts. The organisation that does not recognise this is unlikely to reap the benefits of the digital economy and may find itself subject to bad PR and considerable financial penalties.

  • Edrich is a visiting professor of operational risk management at Warwick University and makes regular television and radio appearances. She is the founder and principal of Kai Corporation (Risk)