As Director Global Privacy for Pharmacia (NYSE: PHA) Jean-Paul Hepp is in charge of making sure that more than a dozen public Web sites including Arthritis.com, Nicotrol.com and Rogain.com and their accompanying email marketing programs, go beyond just meeting legal standards in order to proactively grow consumer trust.

We spoke with him at length to find out what marketers in other types of companies can learn from Hepp's research into best practices in email and Web site privacy standards.

-> Best practices in gathering email addresses

Hepp recommends marketers gather email using one of these three tactics (no, opt-out is not included):

1. Opt-in: Hepp advises against pre-checking an opt-in box on your site. “From the customer level the box has to be left open.”

If you pre-check a box Hepp says it should be “no I don’t want your service.” Consider using radial buttons instead of a box for yes/no options so visitors do not have to uncheck one to check the other.

2. Confirmed opt-in: Although many marketers confuse this term with double-opt-in, according to Hepp what it actually means is that your email list server sends a single message to the new opt-ins email address to confirm that to confirm the address is valid. Names have the chance to unsubscribe at that time, but they are not required to do anything to stay on the list.

If you are buying names though co-registration deals, you should insist on only paying for names that pass this test.

3. Double opt-in. In this scenario, visitors must take two positive steps to be added to your list. First they must opt-in, and then they must respond to an email you send, either by replying or clicking on a link to prove they want to stay on this list permanently.

Hepp says double opt-in is critical for lists that people might be tempted to enter friends' names into as a "spoof" as well as any lists regarding highly sensitive or personal information such as health and financial matters. Also, lists intended for rental should be double opt-in.

Once you collect an opt-in list, how can you protect it?

Hepp says, “The whole flow of information has to be secured. You have to follow it and protect it, even physically, from front end to back end.”

This is no light matter. Another pharmaceutical company's lists were leaked in the recent past, revealing private information such as what drugs consumers were taking.


-> What If You Are Accused of Being a Spammer?

No matter how careful your opt-in tactics and list security are, it is inevitable that you will be accused of sending spam when a consumer forgets they signed up at your site (or another mailer forges your "from" line).

Hepp protects Pharmacia against complaints in four ways:

1. Quick response team. Pharmacia staff immediately email or call spam-complaints (depending on what contact info they have) to discuss, try to explain or correct the problem.

2. "Do Not Email" list. Pharmacia carefully collects a list of consumers who have asked not to be emailed in the past. Similar to telemarketing “do not call lists," these lists are used as suppression files whenever marketers rent outside names for email prospecting.

3. A mailbox to reach the Privacy Officer appears in the privacy statement in Pharmacia’s corporate website.

4. Pharmacia has also set up a toll-free hot line for consumers to use for questions about email and to get off lists.


-> Tips on Constructing Your Site's Privacy Statement

It took Hepp and a team of lawyers almost 9 months of hard work to get a privacy statement in place for the corporate website that was both consumer-friendly and legally appropriate.

Was it worth it? Hepp's site stats show consumers are reading privacy statements more these days.

In the six-month period between Aug. ‘01 and Jan. ‘02 privacy statement page views doubled (93%) while total traffic only increased by 39%. He estimates that the percent of privacy page views/total number of page views is approximately 0.5%. “Even if only 1/2 percent of the content visited is about privacy this might still represent tens of thousands of people per year, per site and growing!”

Hepp's advice for others putting together privacy statements:

1. Do not let the lawyers write it. Yes, you have to involve your legal department, but consumers find overly legal writing impenetrable and less-than-trustworthy. (You look like you are trying to protect yourself instead of putting visitors' needs first.)

Hepp recommends your statement be written “in 6-8th grader language” but you can include a link to "lawyer speak" on an additional page if you feel its necessary.

2. Put a link to your privacy statement above the fold. Do not make consumers scroll down and hunt to find it. Even if they do not click to read, they find this link's prominent presence reassuring.

3. In general every statement should tell the consumer what information you are capturing, what you are doing with that information, who you are sharing that information with, and give them the opportunity to opt-out.

Definitely make sure your statement distinguishes between the two types of cookies (session cookies that track how visitors move through your site during a particular visit versus persistent cookies that are added to their individual computer to track when they return).


-> Playing Well With Others Part I: Vendors

But creating privacy and opt-in rules are not the hard part, “it’s turning around and doing what you say.”

Pharmacia asks all vendors to sign a strict Data Privacy Agreement so that they will abide by the same rules.

Hepp says, “It’s a tedious job with all the vendors accessing this information and all the email activity. So we regularly have to map it, do a gap analysis and then fix where the gaps are.”

One key: All Web site information (including opt-ins) sent to an outside the hosting agency must be transmitted over a secure line.

Pharmacia also sends an audit team on-site to physically check every place data is hosted or stored. These third party vendors have such high security that visiting them is a bit like going to a wartime bunker with a three-lock system ID:

1. Password, ID, and Camera ID
2. Biometrics (such as eyeball scans)
3. Keys to access the cage where the database sensitive
information resides


-> Playing Well with Others Part II: Marketers

Hepp spent more than a decade in marketing himself before becoming a privacy officer, so he really understand marketers. “They’re the toughest guys to watch [from a privacy compliance standpoint]. They have to be fast, they want to be ahead of the competition, and they always want to use the latest technology.”

Marketers want to push the envelope, and it is Hepp's job to slow them down making sure everything is compliant to in-house rules. He manages this in 3 ways:

1. Educating marketers about limits and best practices.

2. Previewing all related campaigns (Web pages and email campaigns) before they launch to ensure compliance. Hepp reads each project plan in detail, sends out checklists to brand managers, and then follows up with a call to get more details.

“I try not to slow down any business, but I’ll always postpone email acquisition completely if I don’t trust it. I’ll hold until it complies, or I’ll halt it completely. If a project wants to go beyond the limits I am going to stop it or find another method so I don’t have to change the privacy statement.”

3. Requiring proof that all email lists rented are guaranteed double opt-in lists. “List brokers have to have the proof of that double opt-in; and they must sign our data privacy agreement saying they follow our business standards.”