Implementing a Privacy Policy | Handling Personal Data of Users

ARTICLES

So you want to be the next Google… Really?

November 16, 2010

Every business owner dreams of being the next Google or Facebook. Yet, when it comes to handling of privacy, these two giants have attracted their fair share of bad publicity and lawsuits. Respect of privacy (or lack thereof) is a serious matter and can lead to major legal headaches.  

  • Don’t be evil overseas. Earlier this year, three executives at Google were found guilty of criminal charges in an Italian courtroom, in a well-publicized case stemming from video made by Italian students who were bullying a classmate with Down Syndrome. The video was posted to Google Video in 2006, online for two months and removed by Google within 24 hours of complaint. The Milan court ruled that the Google execs (including, notably, its global privacy counsel) were guilty of criminal invasion of privacy, and sentenced them to six months in jail.  
  • Don’t be evil here, either. Google recently dodged a huge bullet in the US when the FTC decided to slap them on the wrist for past privacy violations, including the use of roving vehicles for its Street View mapping project, not only photographing streets and residential houses, but also to collecting data from private, unsecured wi-fi networks. The FTC concluded its privacy probe after Google apologized, promising not to use the data and pledging to improve their privacy safeguards.  
  • That Social Network. Facebook’s CEO and co-founder Mark Zuckerberg famously said that the era of social networking has ushered in a new “social norm” which essentially renders many conventional notions of privacy obsolete. Unsurprisingly, the website has been the subject of much litigation related to privacy, yet continues to grow in mass appeal, at 500 million members and counting, despite repeated allegations that it breaches its own published privacy policies.

Every business is bound to handle some sort of personal data, whether that of its employees or its users. For Web 2.0 companies, this means they must respect current federal and state regulations by posting the right privacy policy and terms of use (TOU) on their website. This issue of POINTERS deals with the privacy notices required of most US businesses and generally found on their websites. The next issue will address Terms of Use for websites more specifically.  

What is PII, exactly?

Personally Identifiable Information (“PII”) typically includes any information about a person which is collected by a company and which can be used to identify, contact or locate that person. PII includes a person’s name, address, phone or fax number, e‐mail address, social security or driver’s license number, credit card or financial account number, age, etc. PII can also encompass computer- or device-specific information, such as IP addresses or browsing history. This information would not normally be considered “personally identifiable,” but since it can be used (often in conjunction with other PII) for data profiling, it should be treated as PII for purposes of a privacy policy.  

Privacy Policies – what are they, and what do they cover?

In general terms, a privacy policy is a company’s comprehensive promise to safeguard PII.  In the US, the Federal Trade Commission (“FTC”) has issued "self-regulatory guidelines” for companies that collect and share information, emphasizing requirements for notice, disclosure and consent. “Self-regulatory” should not be misinterpreted as “optional.” The FTC is federally authorized to sanction unfair or deceptive marketing practices by bringing enforcement proceedings against violators, as further discussed below.  

What laws and regulations apply to privacy policies?

Although it may come as a surprise, the US has no explicit, constitutional right to privacy aside from the general guarantees provided by the First and Fourth Amendments against privacy invasions by governments and state actors. Individuals are not otherwise protected from collection and use of personal information by private businesses, and tort remedies are often inadequate where monetary damages are difficult to prove. In response to these concerns, the FTC enacted regulations to protect PII, including:  

  • The FTC Act: prohibits unfair or deceptive acts and practices in the marketplace by enforcing companies' own privacy promises about how they collect, use and secure consumers' personal information.
  • The Gramm-Leach-Bliley Act: governs privacy policies for financial institutions, and mandates industry-specific privacy notices and safeguards for PII. The FTC works with the Securities and Exchange Commission, the U.S. Treasury Department and other federal agencies to protect and enforce consumer privacy in the financial sector.

Some states have also implemented their own –sometimes- more stringent regulations for privacy policies. For instance, The California Online Privacy Protection Act of 2003 requires "any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site."  And of course, international rules and regulations protecting consumer privacy vary widely and often impact tech companies, as illustrated in the Google-Italy case above. For instance, Canada passed in 2000 the Personal Information Protection and Electronic Documents Act (abbreviated PIPEDA or PIPED Act) to govern how private-sector organizations collect, use and disclose personal information in the course of commercial business.  

What should my company’s privacy policy contain, and why?  The requirements for privacy policy content are complex, but the nuts and bolts of a compliant privacy policy include the following:  

  • Notice:  What information am I collecting, and what am I doing with it? The privacy policy should specify the various types and categories of PII collected, and explain the reason for its collection and use. This includes not only specific personal data (names, addresses, etc.), but also information collected by cookies and other web technologies. Common reasons for collecting and storing PII include customizing advertisements to suit consumers’ specific interests, fulfilling orders, contacting customers for promotions and gathering statistics for marketing strategies, surveys, etc.
  • Sharing:  Who am I sharing information with? The privacy policy should disclose whether PII will be sold or otherwise shared with third parties, and identify those parties (e.g. advertisers, merchants, etc.).
  • Consent:  What choices do my users have? The privacy policy should provide users with mechanisms to “opt-out” of information gathering (i.e., cookies), information sharing with third-parties, direct marketing, etc. If there are consequences for refusing to provide such information (i.e., access to all or part of the website is conditioned upon disclosure of PII), then the privacy policy should state that fact.
  • Access:  How can my users view and correct their personal information? Companies should allow users to access and review PII concerning them upon request, and should establish a quick, easy and inexpensive process by which consumers can correct factual inaccuracies.
  • Security:  How am I keeping my users’ information secure? The privacy policy should explain what security mechanisms your company will put in place to ensure that PII is safe from unauthorized access – for example, SSL encryption to protect data transmission, and company policies governing PII protection by employees, agents, contractors and others.
  • Contact:  What if my users have questions or concerns about my privacy policy? Your privacy policy should include your contact information, and open communication should be encouraged.  

What other best practices should I follow?  

  • Can my users find and understand my policy? Avoid “legalese” and “fine print.” The privacy policy should be clearly written, easily understood by a layman, and easy to find on a website. Buried or cryptic disclosures about controversial practices like behavioral advertising can trigger FTC involvement.
  • How will I notify my users of changes to the policy? If you make material changes to your privacy practices, you should ensure your users are aware of the changes – for example, requiring acceptance of the updated policy, sending an email notification, or posting a conspicuous website announcement. The FTC has flagged the retroactive application of new privacy policies, or unannounced policy changes, as potentially deceptive or unfair as a business practice.
  • What practical steps am I taking to protect my users’ PII? Obviously, physically safeguarding your users’ sensitive data in your files and on your computers is the first step in preventing fraud or identity theft, and should be fundamental to your overall privacy policy. Take an inventory of all PII that you possess, reduce your liability by keeping only information that you need, responsibly purge what you don’t, and guard it under (virtual or not) lock and key. Develop a plan in case you do experience a security breach. In short, uphold your privacy policy promises with real action.

What remedies might I face for privacy violations?

The FTC and State AGs are empowered to impose fines, restitution damages and other sanctions if a law or regulation has been breached. They can increase notice and disclosure requirements and require affirmative consent for certain practices such as online data collection. Just this year, the FTC has brought high-publicity cases against Rite-Aid for HIPAA violations, Twitter for failure to establish an adequate information security program, Dave & Buster's for compromising customers' credit and debit cards, and ControlScan for misleading its customers about certification of online retailers as private and secure. As we saw in the Google-Italy case, repercussions can include criminal prosecution and imprisonment in rare cases. In countries were laws and religious culture are intertwined, seemingly innocuous business practices or offerings might result in criminal liability.   

What about “safe harbor”?

Companies in the technology sector are exposed to foreign liability for privacy violations under a myriad of international laws and regulations. International laws related to sales taxes are a common problem area, as are contests, sweepstakes and other promotions, which may violate foreign consumer protection laws. US companies transacting business in Europe can opt-in to the Safe Harbor program, designed to streamline compliance with the EU Data Protection Directive. Participation in the Safe Harbor program mitigates risk by certifying that the US company took good faith measures to follow the Directive, thus limiting or eliminating liability for legitimate mistakes or excusable violations.  

Why can’t I just copy and paste another company’s privacy policy on my website?  

Duplicating another company’s privacy policy is a risky practice. Privacy policies should not be viewed as mere forms. Boilerplate language not specifically tailored to a company’s industry, geographical location (either the company or of those accessing the site), or business model can subject a company to significant exposure. Plus, many policies online are simply outdated. As we’ve seen, privacy mandates vary widely from industry to industry, and certain states have enacted additional statutory requirements. Even within the same industry and location, privacy practices are impacted by countless variables such as the nature of the data, the purpose of use and retention, and customer preferences. No two companies or websites are identical; a one-size-fits-all policy is impossible. In the inevitable event that some small yet significant difference exists, the privacy policy will fall short. The FTC regularly investigates whether companies’ actual practices with respect to data collection, use and disclosure conform to their stated privacy policies, and enforces sanctions against companies who are not in compliance with their own policies. Plagiarism is rarely a good line of defense!  In other words, that language that you snag from your partner’s or competitor’s site is likely to be out of date or otherwise insufficient for your unique needs and circumstances.  

Call to action.

It’s imperative that your privacy policy be custom tailored, up-to-date, and compliant with your state’s laws and regulations, and those affecting your users. New companies should have a privacy policy created by competent counsel with expertise in internet law. Established businesses should have their current policy reviewed regularly to ensure its adequacy.  It is relatively inexpensive to do so. Privacy is a current “hot topic” – the FCC is committed to taking aggressive action against violators, and regulatory reform is in demand and overdue. All companies, from startups to giants, must safeguard their most valuable assets – their customers – and simultaneously shield themselves from unnecessary litigation expenses and needless negative publicity. Creating a solid privacy protection program is a part of basic due diligence for your company, and it’s an area where you shouldn't cut corners. You want to reach Goggle like fame; just not for the wrong reasons!