PWC and Watchfire prioritize privacy

When the Privacy Practice at New York-based PricewaterhouseCoopers (PWC) found that auditing company Web sites manually was becoming virtually impossible, the company sought a technological means to automate the process. PWC and Ottawa-based Watchfire Corporation recently teamed up to develop WebCPO privacy management software.

According to Mike Gotta, vice-president of META Group in Stanford, Conn., most people associate issues surrounding privacy with the Web. The risks, however, lie elsewhere.

“The biggest risk is that I am fouling up somewhere inside the company either in terms of application development or data sharing,” Gotta said. “Putting a privacy policy on a Web site is not sufficient. Nobody reads them. This is about making sure your practices are being put into action as opposed to policies, which might not be followed.”

According to Watchfire and PWC, WebCPO allows organizations and chief privacy officers (CPOs) to have a better understanding of their data collection, use and potential data sharing practices through alerts and ongoing reporting.

“People are very concerned with what is happening to information that is collected on them and they are very worried about being tracked,” said Michael Weider, president and CEO of Watchfire. “It is sort of the ‘Big Brother’ mentality. Thus, Web sites have tried to proactively educate customers and appease their concerns by coming out with those privacy statements and coming out strong on this issue.”

Weider said that unfortunately, both PWC and Watchfire have found that what companies say in their privacy statements often does not correspond with what they do. Weider attributes this not to trickery on the business's part but to the fact that sites are changing constantly and a large number of people are involved in the publishing practice.

According to Brendon Lynch, a senior manager in PWC’s privacy practice, a lot of businesses do not know that they have breached privacy issues.

“The whole notion of user tracking facilitated by the use of cookies or Web bugs is out there,” Lynch said. “A lot of companies do not think that they have these Web bugs. It is really important to know where you are using them and then to disclose that in your privacy policy.”

Both Lynch and Weider said that WebCPO crawls a company’s Web site looking for potential privacy problems and creates ongoing reports in real time. The administrator is notified of concerns through either e-mail or pager.

“The data collection report is one of the key ones because it identifies every single point on the Web site [from which] you are collecting information from Web site users,” Lynch said. “At the same time, it reports on whether that is being collected over a secure server and if there is a link to the privacy policy. That is very powerful. A lot of people have no way to do it without a tool like this.”

META’s Gotta said he is reluctant to call tools like WebCPO necessary, but said it definitely helps.

“The tool is not going to help you if you do not have the processes in place,” he said. “My question to a client would be, are you dealing with privacy in terms of practices, organizational structure and do you have a CPO? That reflects that the organization has a program in place. Privacy is a program management initiative.”

Weider agreed. “When you find a privacy problem on your site, it is usually indicative that some other business processes are not in place.”

WebCPO is available now and pricing starts at US$15,000. For details, visit the companies on the Web at and