Nearly two weeks ago, Timothy Muris, chairman of the
Federal Trade Commission (FTC), outlined a new "ambitious,
positive, pro-privacy agenda" for the United States that focused on three areas: 1) increased
enforcement of existing privacy provisions; 2) new initiatives such as controlling spam
and creating a national "Do Not Call" list for people to opt out of telemarketing calls;
and 3) a retreat from previous moves to establish legislation to protect online privacy.
In a new brief, Forrester Research (Nasdaq: FORR) made its
feelings about the FTC's new agenda clear: It "pours gasoline on the fires of the
privacy debate ... a company that thinks that the FTC's backing off of legislation
means that the issue will go away is sadly mistaken. Instead, addressing privacy one
technology or business practice at a time only adds to the confusion."
What It Really Means
Forrester did not hold back in its criticism of the FTC. The commission's new approach,
the consulting firm said, will backfire in a number of ways.
First, instead of keeping the privacy debate limited to the Web, the new agenda will
expand the debate to firms' offline practices. "By taking on telemarketing in
this new agenda, the FTC has expanded the scope of the privacy debate to include existing
offline practices," Forrester said.
Second, as the FTC launches its new agenda, it has failed to present an overarching
framework. "This means that businesses are left out in the
cold with no clear guidelines for what is acceptable," Forrester said.
Finally, Forrester concluded, the FTC's new direction will only embolden privacy
advocates and, worse, will give them even more ammunition by expanding the debate to
offline telemarketing. "By putting this much emphasis on privacy, the FTC has only
validated the claims of watchdogs ... [and] advocates will continue to highlight
companies' errant practices in their press releases and news conferences."
Measures Business Must Take
For companies fearful of being accused of playing fast and loose with customer
information, Forrester did offer some guidelines for protecting themselves
from "what easily could be a multimillion-dollar PR nightmare." This risk, coupled with
the new uncertainty in policy, "makes it even more important for companies to clearly
assess the risks and costs of their data practices and systematically update and enforce
their privacy policies."
The Forrester brief recommended the following:
- Anoint a chief privacy officer. The CPO will serve as the focal point for developing
systems and best practices in customer information handling. This is not to say that a
company must develop a whole new level of bureaucracy to accompany the new position,
Forrester said. "Successful CPOs at companies like IBM and Microsoft have leveraged
existing systems and personnel."
- Assess exposure. Audit and document online and offline privacy practices to
create an enterprise-wide view of how data is used and shared.
- Regularly review privacy policies. "Many firms have policies that were thrown up in
the late 1990s and have been collecting dust since then," Forrester said. Clearly, this
is not the best tack to follow.
- Develop a PR action plan. Companies need to assume a worst-case scenario about
possible privacy violations being made public, then plan how to address subsequent PR
fallout. "The strategy should include a clear escalation process, an accurate statement
on the privacy practices of the organization and an education plan for the executives
involved," Forrester said.