Editor’s note: This is an extremely important post written by the highly qualified Sara Hawkins.
When it comes to privacy policies, many companies just go through the motions because they know they have to have one. Periodically, I’ll see a company that’s done a ‘cut and paste’ job because they didn’t’ even bother to read through the entire policy they copied and left in references to the prior company, incorrect URLs, or information that is clearly unrelated. Privacy policies may seem like a new idea, but the reality is companies have had to have some type of privacy policy for decades, well before the Internet was the main means of communication with customers. Just like a social media policy sets expectations within the company, a privacy policy sets expectations with people outside the company.
The Federal Trade Commission (FTC) oversees consumer-focused business privacy laws and policies in the US. For over 40 years, the FTC has been protecting consumer privacy. Companies have had to have privacy policies for their off-line interactions with customers, but in the past decade we’re seeing a trajectory that includes policies for websites and mobile communications. More importantly, more and more consumers under the age of 13 get online privacy concerns for collecting data on children can not be avoided even if your company may not intentionally target that market.
As a consumer, you know you don’t want your private information accessed without permission or shared with third parties without your consent. However, in reality, you also know many social networking and app platforms you access on a daily basis are collecting data and mining your habits. As professionals in the field, you may be aware of how to access the protections. However, the average consumer may not.
Interestingly, except for most regulated industries, there is no federal (US) law requiring an online business to have a privacy policy. More importantly (as of this writing), no company has ever been sued for not having a privacy policy. But, for those businesses in California or those that do business in California (many online companies!), the California Online Privacy Protection Act (often referred to as OPPA so as not to confuse it with COPPA) requires the posting of a privacy policy.
When it comes to privacy policies, we are often both the creator and the target. In your role as a business professional you may have some level of involvement in creating or advising on the creation of a corporate privacy policy. As a consumer, for whom that same policy will apply, you may be bound by that same policy. Because we are likely to wear both hats, creating the privacy policy may actually be more difficult. Since were are immersed in the business we may not see things as the “average consumer”.
Why is it important to have a privacy policy, one that your consumers can easily find?
While there is no federal law requiring one, the FTC will look for one if there is any question about how your company protects consumers’ private information. Without a clear policy, which is actually followed, the company risks are significantly higher than if there is a policy and the company experienced a one-time breach. In February, 2013, the FTC entered into an $800,000 settlement with an app developer (the largest such settlement of its kind with an app developer to date) due to the interface illegally collecting information on children. The FTC is vigilant in its response to consumer complaints regarding privacy breaches. And this shows the FTC is serious when it comes to protecting consumer privacy despite the speed at which new technologies emerge.
There are several key points to remember when creating a corporate privacy policy. This isn’t a policy that should be written by one department, linked in the footer of a website or buried on a terms and conditions page. A privacy policy is your agreement with your customers, whether they be other businesses, individuals, charitable organizations, schools, students, or young children. Your customers need to understand it and be able to find it.
7 Considerations for Creating a World-Class Privacy Policy
1. Write in language your customers can read and understand. If your target market is children under 13, create a policy for the parent or guardian, and also address the concerns of their children. If your consumers’ primary language is not English provide your policy in their language. In Canada, for example, there are laws regarding the dual-language requirements for online communication.
2. Determine what information you will collect. If you are unaware of what the back-end capabilities are for the interface then bring in the appropriate people to find out. No one is expecting you to understand website architecture, however, if the site is collecting information that is not disclosed or for which there is no meaningful means to opt-out the potential consequence of collecting that data can be very costly. If consumers or users are able to engage on your platform or share images or video, consider those factors and determine what information you want to collect and what information may be required to be collected for legal reasons.
3. Explain how the information will be collected. This is where you need to ensure a plain-language discussion. Don’t throw in a litany of web jargon consumers won’t understand. And, don’t create a long list of any and all information that may or may not be collected. If you don’t track or collect it, don’t say you do.
4. While you may want to ensure confidentiality, be very clear that if compelled by law the information may be shared with third parties.
5. Speaking of third parties, if information will be shared with third parties clearly state what and with whom information will be given. Even if the information is aggregated and not personally identifiable, consumers have the right to know. If individually identifiable information is sold to third parties, be very clear about this fact.
5. Even if it means not being able to access the site, give consumers a way to opt-out of the information collection. If a consumer or site visitor wants to be removed make it easy for them and then follow through. Equally as important is to actually update the records so those who opt-out are no longer having their information maintained or collected.
6. Not only do we make mistakes when we provide information, but information changes. Allow consumers to update and/or change their information. I often suggest having a separate email or specific form just for this purpose.
7. Update your policy as needed, and always include the date of the creation. As new platforms are added, website capabilities added, or other changes require a revisit, review and update to the privacy policy. This is not a static document that is created once then never looked at again. Also, be certain that users and consumers are aware of any updates, whether they be additions or deletions, and provide an opportunity to opt-out if they do not wish to be bound by the new policy.
Creating a world-class privacy policy is not only for big companies. The best privacy policy is one that, when read, is easy to understand and gives both your company and your customers the security and protections they need. Privacy will always be an important topic. The protection of private, sensitive and confidential information will always be monitored. Even as we get more comfortable with sharing online, consumers will always demand some level of privacy protection. And while there is no mandate (except in California) to have a privacy policy, having one further establishes your company’s professionalism as well as respect for your customers.
What are some “best practices” you think should be part of a corporate privacy policy?
Disclosure: For information purposes only. The information contained in this article is not offered as legal advice. Please consult a legal professional if you need legal guidance.
Sara Hawkins is the creator of a Blog Law series aimed to help other bloggers, entrepreneurs and online professionals gain legal confidence. Her goal is to make the law understandable and approachable without being overwhelming. On her blog, she also writes about ways to save on everything items so you can stop waiting for “someday.” She can be found on twitter at @Saving4Someday.
Leave a Reply