DIRECT: Does HP maintain one central database for all customers across its various product lines?

LAWLER: No. For smaller, newer companies I think that's possible, but HP is a nearly 65-year-old company that historically has been very decentralized. Just in the last few years we had upward of 70 product lines and each had autonomy to run as its own independent business. Every product line had its own sets of data including customer databases. What the company's been doing over the last few years is moving away from that decentralized approach into about 15 to 17 product lines, and putting strategic layers above that, so you don't have what was at one time a few hundred databases. Now they're being consolidated into just a few strategic ones by customer segments.

DIRECT: Do you have rules about sharing data across the various lines of business?

LAWLER: We have significant rules. The privacy team, key representatives from each business segment, and the customer information policy and management team spend a lot of time on establishing those rules. If you look at HP's online privacy statement today, that is our policy, period. We don't have multiple policies online vs. offline or by different products, or for the most part, even by country.

The policy is fairly rigorous and it's a pretty high standard. We've tried where possible to retain accuracy and the right legal protection for HP while at the same time making the language simple to understand. I work very closely with our legal team ¡ª they always approve any edits or changes, but they don't write the policy. We try and write [our policies] for real people to read.

DIRECT: What international challenges have you encountered?

LAWLER: Basically, we're trying to achieve a single global policy and make room for translating and localization. There's a global legal review process that goes with that for any substantive changes. Typically where we see local laws being stricter than [the policy] is around language related to opt-in or all marketing contact, or the enforcement language. We reference the U.S.-E.U. Safe Harbor principles and our participation in the BBBOnline Privacy Seal program. We have made that privacy seal available and covered across all of our privacy statements globally.

But obviously, the actual enforcement agency is different in Germany or Australia or in Canada than it is in the United States, so those things are accounted for. What we've found is there is very minimal localization in terms of specific language changes in the policy, because it's a very rigorous policy that's not too far off from, say, the European standards, which are the most strict to begin with.

DIRECT: Do you find it's better to almost err on the side of being too rigorous?

LAWLER: Yes, that was a very specific business decision for HP, because we are so large and so global and we still have a very strong decentralized element that I expect to continue moving forward. So the thought of having multiple policies managed independently on a country or segment basis for us creates a huge amount of complexity and challenge we didn't feel we needed to create for ourselves. It's easier to work with a standard that's fairly high and make tweaks where we need to on a local level. There's still a significant bulk of countries that don't have laws. This works for them also. One of the global challenges is the constant education at the local level, and making sure individuals actually implementing privacy work with their own legal department. We make sure they follow whatever is stricter, the law or the policy. Sometimes the interesting challenge we have is our legal team gets caught in whatever the local law is and forgets that sometimes our policy is stricter than local law. We've had some interesting discussions with the Canadian folks in particular, because our policy covers areas the Canadian law doesn't. So we've had to reset some of the thinking around what should be in the policies to keep the global peace.

DIRECT: How actively is HP seeking customer input on privacy?

LAWLER: Ultimately, privacy is about the data and handling the data properly. You can't do that with technology alone. You have to do that with good business rules and business processes, because you can say you have a given practice or policy. But then when someone is implementing a specific program using this set of data, and if that data is legacy data, you have to have some rules and guides for people [regarding] what they can and can't do.

Let's [consider] a fairly large database with data that's coming from an offline source, a call center environment. But it's a pre-sales call center, and until recently no one ever asked customers what their privacy preferences are about the data, the phone numbers, the e-mail addresses that are collected. One of the major rule-setting efforts we put in place over the last year was how do you go back to the customer in a friendly, respectful way and say, 'Gee, we have your information, but we need to update your privacy preferences.' How do you do that but not be intrusive and at the same time have the accuracy in the data that is not there today? There is a significant amount of legacy data that we've been addressing over last year with exactly that issue, where there is no privacy choice.

DIRECT: Are you hearing concerns from customers about certain privacy areas?

LAWLER: The biggest set of feedback we get is about marketing contact, opting out from e-mail or postal mail. It tends to be things related to that. 'I got something I don't think I signed up for.' What we see is just an assumption that the model for all types of contact should be opt-in. In the consumer space, we are really there for opt-in for e-mail marketing and kind of mixed for the other media. But our B-to-B sector is still moving from an opt-out to an opt-in model. It's very difficult.

Our guiding principle is that rules from the consumer space should be applied to the B-to-B space. We see this in focus groups and in the feedback. E-mail in particular is very sensitive. I won't say it's as sensitive as Social Security numbers, but sometimes it feels awfully close in the way people react about their e-mail address. The best way I tell people in the company to think about it is if you as an individual consumer have had an experience, positive or negative, you're going to take that [personal] experience and apply that to your work and make decisions about who you want to interact with and do business with.

DIRECT: Are high-tech consumers more privacy-wary?

LAWLER: Certainly in many, many segments of B-to-B, and certainly in high tech, these people are more savvy, they know the laws, they know the technology, they know what's going on. You can't fool them, you can't put a marketing spin on stuff. Sometimes they know what you're doing better than you do, if you're not careful. In that sense, the message we've been giving to our B-to-B folks over the last year is the faster you can move to opt-in and fairly strict practices in the B-to-B space, at least for these customer segments, the better off you will be. These people can be among the most vocal and can also create a lot of damage. If you run an e-mail newsletter campaign or go through a name acquisition process that doesn't work right, and you don't handle that properly, you've got the anti-spam people after you. And I don't think anyone wants Marc Rotenberg and EPIC scrutinizing their policies.

DIRECT: Has HP had any of those problems?

LAWLER: No, we've been fortunate that we've been able to head off anything internally that could have been a potential problem.

DIRECT: How do you see privacy as an opportunity for marketers?

LAWLER: I think it's an opportunity to show that you're a trusted partner that someone would want to do business with. The approach we're trying to drive for is customer-managed relationships. From a customer standpoint, that's 'Know me, know who I am, know what I want.' But then the privacy piece is, 'But when I want to and when I say it's OK.' The advantage is that the stronger the trust is, the stronger that business relationship is. When those two things work well, along with good products and good solutions, trust equals revenue. The better you invest in the [relationship] component, the more successful you're going to be as a company.

The other opportunity is that the information industry is moving forward into the next chapter of the Internet where virtually all products and services will be information-based. If companies don't do the right things now in terms of good solid data-management practices around customer data, companies that have not done a good job there are going to be out of the picture. They're going to be minor players because they haven't set the right framework and foundation to move forward into a business environment that's completely driven around personal data, whether in a professional or a consumer space. HP Privacy Policy Excerpt

HP and its subsidiaries respect your privacy and are committed to protecting it. HP provides this privacy statement to inform you of our privacy policy and practices and of the choices you can make about the way your information is collected and used. We've structured our Web sites so that, in general, you can visit HP on the Web without identifying yourself or revealing any personal information. To make this notice easy to find, we make it available on our home page and at the bottom of every hp.com Web page. Some hp.com Web pages are P3P-enabled.

This privacy statement applies to all hp.com-owned Web sites and domains, and our wholly owned subsidiary, . This statement is not applicable to or , which maintain their own privacy statements.

Our policy regarding the privacy of your information covers privacy principles consistent with the Fair Information Practices and the U.S.-E.U. Safe Harbor principles: notice, choice, access and accuracy, onward transfer security and oversight (enforcement).

HP is a founding sponsor of the BBBOnline Privacy Seal program, the 'gold standard' for privacy certification. HP privacy practices meet the requirements of the Privacy Seal program and we are proud to display their Privacy Seal. HP privacy practices are self-certified to the U.S. Department of Commerce Safe Harbor program. ¡­

HP uses your information to help us understand your needs and interests and provide you with better services. Specifically, we use your information to help you complete a transaction or order, to communicate with you, to provide service and support, to update you on services and benefits, to personalize promotional offers and to personalize some hp.com Web sites. Occasionally we may also use your information to contact you for market research regarding HP products or services. We will give you the opportunity to opt out of market research and customer surveys. Credit card information is used only for payment processing and fraud prevention, and is not used for other purposes.

Data collected online may also be combined with information you provide through other sources such as product registration, call centers or public events such as trade shows or seminars.