A new consulting market evolves, as e-commerce companies fret over consumer privacy violations.

Brian Tretick's business is helping companies mind theirs. Tretick, a principal at Ernst & Young, is a privacy consultant. On a recent October day, he handled three calls from clients asking for guidance on online privacy.

His clientele includes large companies with multiple Web holdings and New Economy upstarts launching Internet businesses. To both sets of companies, Tretick provides advisory and assurance services. That means helping them develop privacy blueprints and making sure any resulting policies comply with applicable laws and industry standards.

Privacy has become a big business for E&Y, which has been training a growing cadre of "privacy-enabled" consultants. This past summer, E&Y consultants from Canada, France, Germany and other countries visited the United States to be schooled in data privacy and the company's privacy-engagement methodology. The ranks of E&Y's privacy practitioners have doubled over the last 12 months.

"The market is just tremendously hot," says Tretick.

What is generating all of that heat? Data-mining products and other Web "personalization" tools let online sellers create customer profiles and craft marketing strategies accordingly. But such efforts raise sticky privacy-related questions: What type of information is being collected? How will it be used? And will it be shared withââ,¬"or sold toââ,¬"third parties?

Those kinds of questions are at the heart of recent privacy controversies. Take, for example, the Toysmart.com case, in which the e-tailer first promised not to sell customer data, but then contemplated doing precisely that as part of the now-bankrupt company's liquidation process. Amazon.com also got slammed this year when it disclosed that customer information may be considered an asset in the event of a sale.

Amid such events, the online industry is facing a "consumer backlash," based on the perception that Web sites are misusing customer information, asserts Eric Gertler, CEO of Privista Inc., a privacy-protection software company. The problem goes beyond privacy, he says. "I would argue that the industry has a much broader consumer confidence problem," notes Gertler.

Jupiter Research numbers back up his claims. The market researcher projects that privacy concerns could result in a revenue loss for online sellers of about US$3 billion this year. That loss could deepen to $18 billion by 2002, Jupiter projects. Add to that the potential for sweeping federal online legislation next year, and Web players have compelling reasons to call in consultants.

"There's enough critical mass for privacy-issue consulting," says John Marshall, director of the national technology infrastructure group at Emerald Solutions Inc. "It's really going to dominate what's happening for the next year-and-a-half to two years."

Inventing a market

A number of consultancies and integrators are heeding the privacy call. Big-time firms such as Arthur Andersen, Deloitte Consulting, E&Y and PricewaterhouseCoopers all have launched privacy consulting activities. IBM Global Services also offers such services to "assess, create and monitor policy and procedures to protect the privacy of information," according to the company.

Internet professional services firms and Web integrators, which face increasing competitive pressures from the traditional integration community, are getting into the privacy act, as well.

All of that activity has led some observers to declare the birth of a privacy consulting market. "What we are going to see is a market for e-commerce and privacy integration, going in and doing turnkey solutions," says Steven Lucas, chief privacy officerââ,¬"the latest in the line of c-level executivesââ,¬"at Persona Inc., a maker of personal information tools and a privacy consulting firm. While few question that privacy services are in demand, opinions differ regarding how important the market will become and how those services will be delivered.

Horst Joepen, CEO of Webwasher.com, a Siemens AG spinoff that markets privacy and content-filtering products, says privacy will be the next hot market, following in the footsteps of enterprise resource planning and customer-relationship management. "Privacy consulting will probably be the next wave," he says.

Big Five firms stand to collect seven-figure fees from full-blown privacy engagements for Global 1000 customers. "There's money to be made, and people are going for it," says David Zimmerman, chief technology officer of YOUpowered.com, which develops privacy-protection products for consumers and businesses. He credits PricewaterhouseCoopers with "spearheading" the concept of privacy consulting.

However, most of the Internet professional services firms that are starting to offer privacy services haven't yet broken them out as standalone practices.

Etensity, an Internet professional services and development firm, offers privacy consulting as a component of an overarching e-business solution. "We haven't found people running around looking for an online privacy solution," says Connie Ling, chief marketing officer at Etensity. "We lead with the business application piece, not online privacy," she adds.

Emerald Solutions, another specialty e-services firm, also treats privacy as a component of a broader offering. The company includes privacy as part of its infrastructure services, which include such elements as security, database administration and stress testing. Jim Ruggiero, chief technology officer at e-business consultancy Novo Corp., says the creation of a separate privacy practice might be warranted if the federal government were to pass an online privacy law. Presumably, a law would create enough turmoil to justify a distinct service line.

Finding dollars in market dislocation has long been a staple of the consulting trade. And for a foretaste of what disruption a comprehensive federal privacy law might cause, one only has to look at the April enactment of the Children's Online Privacy Protection Act (COPPA). The law prohibits Web sites from collecting profile information from children under 13 without their parents' consent. A number of Web sites deemed compliance with COPPA too costly, in some cases shutting down operations geared toward the under-13 set.

But even without a nationwide mandate, privacy concerns appear to be growing among e-businesses. Marshall of Emerald Solutions says privacy has become a hot button among his customers in the last six months. Clients that first were interested in just getting the rudiments of e-commerce up and running now consider privacy a top priority.

"They're matured to the point where they are thinking of needs other than food and sleep," Marshall says of his e-commerce customers. To reach "the next level of maturity," he adds, those companies must cater to their customers' comfort level. That means developing privacy policies and deploying processes and tools for ongoing management. And to the extent companies are outsourcing those functions, both traditional integrators and their Internet services rivals have a business opportunity within their grasp.

Hot selling services

That said, what exactly are privacy customers buying?

Industry executives report that advisory services of various kinds are topping the list of customer demands. Privacy advice, says Ernst & Young's Tretick, boils down to "helping people figure out where they are, where they need to be, and helping to get them there."

A privacy project might start with the consultant or integrator conducting an assessment of the customer's current privacy situation. The result can be a revelation for Web merchants who have difficulty distinguishing between personalization activities that enhance the customer experience and privacy violations. Tim Rohrbaugh, CIO at Etensity, says well-intended companies don't always realize "they are crossing the line."

The next step involves getting customers up to speed on best practices in the privacy area. That includes a review of applicable laws, such as COPPA. But the lack of an overarching national online privacy law means consultants also will help customers digest the privacy tenets set forth in various privacy "seal programs."

Seal programs are a key tool in the industry's effort to regulate itself on matters of privacy compliance. The programs set forth a series of policy guidelines that Web sites must follow in order to earn the seal. The Better Business Bureau's BBBOnLine subsidiary; TrustE, an industry-sponsored privacy organization; and the American Institute of Certified Public Accountants are three of the groups running seal programs.

A successful seal program, however, must contain a mechanism to determine whether Web sites remain in compliance. Seal programs claim to periodically check up on Web sites. Consultants and integrators, meanwhile, are stepping in with their own "assurance" services. Such services involve reviewing a customer's systems and processes and seeing whether they map with the customer's privacy statements. Some integrators also conduct security audits to make sure customers have the proper controls in place to secure customer data.

Privacy practitioners often sell services to customers with existing e-commerce sites. But experts say customers would be better off building privacy practices into their sites from the beginning. Otherwise, they could end up investing in a business model that turns out to be a privacy disaster, says Russ Gates, global managing director of Arthur Andersen's Technology Risk Consulting Practice.

"What companies have to do is get the [privacy] issue overlaid on the business solution," he notes.

Novo's Ruggiero says his company uses a checklist to get companies focused on privacy during the design phase of an e-commerce engagement. That checklist asks customers some basic questions: Have you considered how you will use the customer data you collect? Do you expect to purchase data from other sources? And, are you planning to join a Web seal program?

Novo also has a checklist that covers the development phase of a project. This list helps customers avoid such privacy no-no's as storing unencrypted credit-card data. "We have a series of guidelines ... we use for every client," Ruggiero says.

The human factor

But integrators that want in on the privacy scene had better be prepared to deal with human issues as much as technological concerns. The privacy consulting craft calls for a certain amount of handholding and mentoring.

Ruggiero says his company is sometimes called upon to mediate between a Web enterprise's marketeers, who want to mine customer data for all it's worth, and user advocates, who don't want to scare off customers. "It's always an internal struggle," Ruggiero says. "We almost have to play referee."

Emerald Solutions' Marshall describes his privacy work as balancing the interests of a client's stakeholders: customers, activist groups and the government.

In addition to keeping the peace among a Web merchant's constituencies, privacy consultants also may be asked to serve as mentors. Lucas says he and other Persona personnel serve as mentors to chief privacy officers (CPO). "We can get them up to speed much more quickly" through mentoring, says Lucas.

Ernst & Young also finds itself working with CPOs. "We spend a lot of time comforting them," says Tretick, who says the fledgling CPO job can be a lonely one at times. Thus, Tretick and his fellow consultants do a fair amount of matchmaking, as well, introducing CPOs to their peers for the sake of camaraderie.

In short, privacy services can be a pretty touchy-feely business for a market ignited by sophisticated data capture and analysis. "It's not just a technology or infrastructure issue," Tretick says. "It involves every aspect of business."

And a healthy one at that, for the well-rounded consultant.

The business as software

Privacy is mostly a consulting business today, but a software implementation phase may not be far off. Some software makers are rolling out offerings to help businesses comply with privacy-policy guidelines,and some of those companies are seeking implementation help.

YOUpowered.com, for example, is starting to train implementation partners on its "permission-based personalization" software line, which, among other things, lets businesses accommodate consumers' information-sharing preferences.

Connie Ling, chief marketing officer at Etensity, an Internet professional services firm, says her company is in the midst of signing a partnership agreement with YOUpowered. Ling says she believes YOUpowered's technology will prove useful for some of her clients.

Webwasher.com, which makes a privacy and content-filtering product, initially targeted consumers but now is enlisting the channel to pursue corporate accounts. Siemens Business Services already acts as a Webwasher.com reseller in Germany (Webwasher itself is a Siemens spin-off). Horst Joepen, Webwasher.com's CEO, expects 60 percent to 70 percent of the company's sales to eventually flow through the partner channel.

Industry executives, however, note that privacy software is in its infancy and potential buyers are still in the tire-kicking stage.

"It's a wait-and-see attitude," one software marketer says, adding that a comprehensive federal online privacy law could spark demand.

But with Congress out of session, this fledgling software niche will just have to wait till next year.

Privacy and the law

A handful of privacy laws, fairly narrow in scope, already are on the books:

Children's Online Privacy Protection Act (COPPA):
This 1998 law, which went into effect in April, prohibits Web sites from collecting, using or disclosing personal information from children under 13 without parental consent. Prior to enactment, the Federal Trade Commission conducted a study of children's Web sites and found that 89 percent collected personal information, but only 24 percent posted privacy policies and just 1 percent required parental consent.

Health Insurance Portability & Accountability Act (HIPAA):
HIPAA, signed into law in 1996, includes a provision calling for security standards to protect the confidentiality of "individually identifiable" health-care information. The Department of Health and Human Services drafted a proposed standard last year but has yet to issue a final rule regarding health-care information privacy. Heath-care organizations, employers and other organizations handling personal health-care data have two years to comply with the security standard, once the final rule is published.

Financial Services Modernization Act, also known as the Gramm-Leach-Bliley Act:
This law requires financial institutions to disclose their privacy policies regarding the sharing of personal information with other parties. Financial institutions must comply next year.

Meanwhile, more comprehensive privacy legislation is brewing in Congress, with many observers expecting action next year. Here are a couple of pending developments:

The Consumer Internet Privacy Enhancement Act
requires Web sites to post descriptions of how they plan to use personal information, including a statement on whether the information may be sold, disclosed or otherwise made available to third parties for marketing purposes. The bill also directs Web sites to describe "the means by which a user may elect not to have the user's personally identifiable information used ... for marketing purposes."

The Online Privacy Protection Act.
calls for Web sites to provide a notice regarding the nature of personal information collected and how the information will be used or shared. The bill also would require Web sites to provide (upon the consumer's request) descriptions of the specific types of personal information sold or transferred to an external company.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.