Month February 2015

Month February 2015

Should Your Business Have a Privacy Policy?

Tags: , , , Privacy, Privacy Policy, Small Business No comments

Small business owners often ask me the following questions about privacy policies:

  1.   What is a privacy policy (notice, statement, etc.) (“Privacy Policy”)?
  2.   Does my business need one?
  3.   What should be included in a privacy policy?

I am usually surprised by 1, although I should not be since ½ of online Americans don’t know what a privacy policy is.  But that question is reasonably straightforward to answer:

Privacy Policy (df): Statement or document about how a company or website collects, uses, and discloses, information about a visitor. It usually declares what specific information is collected, the purpose for collecting it, how a company uses the information, and whether it is shared with others.

The purpose of a Privacy Policy is to give notice to an individual that the business is collecting information about the particular consumer, the types of information being collected, and what’s being done with that information. For example, check out Target’s privacy policy.

2 and 3 require a little more consideration as the answers are not clear-cut, and some businesses may be better off without a Privacy Policy.

DOES MY BUSINESS NEED A PRIVACY POLICY?

As with many things in life, the answer to this question for businesses in the United States is “it depends.” There is no federal law that requires every business to have a privacy policy that discloses how the business collects, uses and discloses information collected from potential customers.

Some types of businesses, however, are required to have Privacy Policies because of specific federal or state laws that apply, as well as certain business activities they engage in.

Businesses Required to have Privacy Policies

There are several ways a business can be forced to have a Privacy Policy:

Federal and State Laws

California Online Privacy Protection Act California Bus. & Prof. Code §§ 22575-22578: Requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an internet website or online service for commercial purposes, to post a conspicuous Privacy Policy on its website or online service (which may include mobile apps) and to comply with that policy. Among other things, the law requires the Privacy Policy to identify the categories of personally identifiable information collected about consumers and the third parties with whom the operator may share the information.

Connecticut Gen. Stat. § 42-471: Requires any person who collects Social Security numbers [presumably of Connecticut residents] in the course of business to create a privacy protection policy. The policy must be “publicly displayed” by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

Children’s Online Privacy Protection Act of 1988:  Requires (1) operators of websites and online services directed at children under the age of 13, including mobile app developers, and (2) operators of general audience websites and online services, who know that they are collecting personal information about children under the age of 13, to post a Privacy Policy on the homepage of their website and a link to the Privacy Policy on every page where personal information is collected.  Very detailed requirements of what needs to be included in Privacy Policy. See e.g. Relay Recess COPPA Privacy Policy.

Gramm-Leach Bliley Act:  Requires financial institutions to provide clear and conspicuous privacy notice to consumers initially and annually about the institution’s information-sharing policies and practices.  Privacy notice must contain the following: what information the financial institution collects about its consumers and customers; with whom it shares the information; how it protects the information; and an explanation of how a consumer can opt out. See e.g. Chase U.S. Consumer Privacy Notice.

Health Insurance Portability and Accountability Act of 1996:  Requires covered entities (Healthcare providers, Health plans, and others) to provide a detailed privacy notice at the date of first service delivery. Very specific detailed elements that must be included in the privacy notice, including detailed statements about individual’s rights with respect to their personal health information.  See e.g. Health and Human Services Model Notice of Privacy Practices.

If any of these statutes apply to your business, you must have a Privacy Policy or face the penalties for non-compliance.  Consult with an attorney or the applicable statute and regulations to ensure that your Privacy Policy contains the required elements as each of the statutes differs.

International Law

Your business also must have a Privacy Policy if you conduct business or collect information about citizens in the European Union, Canada, and many other countries.   Many countries have more universally applicable laws regarding data privacy than the United States and every business that collects personal information about individual citizens needs to have a Privacy Policy.   Consult with a local attorney in the specific country where you conduct business to ensure that your Privacy Policy and other aspects of your business comply with applicable data privacy laws.

Google AdSense

Another business activity that requires your business to create a Privacy Policy is displaying Google AdSense advertising on your website.  As part of the  terms and conditions, Google AdSense requires you to “have a clearly labeled and easily accessible privacy policy that provides end users with clear and comprehensive information about cookies, device-specific information, location information and other information stored on, accessed on, or collected from end users’ devices. . . .”

Failure to do so may lead Google to suspend or terminate your account, and prohibit you from creating a new account or monetize content on other Google products.  Consult with an attorney to make sure that your privacy policy contains all of the elements required by Google AdSense.

Mobile App Developers

Another business activity that requires a Privacy Policy is developing mobile applications (“Apps”).   In 2012, California struck an agreement with the six largest platforms for mobile apps (Apple, Google, Microsoft, Amazon, Hewlett-Packard, and Research in Motion), where the platforms agreed to a set of principles for mobile apps that would ensure compliance with California Online Privacy Protection Act.

These platforms will require developers of apps that collect personal information to include Privacy Policies in their apps that can be reviewed before consumers download the app. Thus, if you want your app downloaded from these platforms, your app needs a Privacy Policy that complies with California’s laws. Consult with an attorney to make sure that your Privacy Policy includes all of the elements required by California law.

Businesses Not Required to Have Privacy Policy

If none of the above situations apply, your business does not need a Privacy Policy. Many businesses, however, choose to adopt a Privacy Policy, particularly on their website.  These businesses want to create a competitive advantage for their business and believe that customers value their privacy and will choose businesses that care about privacy.  Also, for some businesses – such as social media – customers expect to have a Privacy Policy before turning over their personal information and want to know what the company is going to do with it.

It’s unclear whether these are valid reasons for adopting a Privacy Policy.   First, not many consumers actually read and/or understand the privacy policies included on websites.   A recent study by Internet Society revealed that less than half (42%) of U.S. citizens read Privacy Policies most of the time or all of the time on websites or internet services used.  I actually think that it’s probably much less than 42%, since I have yet to find anybody (except for a privacy attorney) that has read a Privacy Policy more than once!  That’s not surprising, since a recent study found that it would take approximately 76 working days to read all of the Privacy Policies from websites visited in a single year. Thus, it’s hard to see a Privacy Policy can show customers that a business cares about privacy since customers are not even reading them.

Second, Privacy Policies create an enormous risk for a lawsuit or government investigation if your business does not accurately represent your information collection, use, or disclosure practices. For example, the FTC recently brought a case against Snapchat, in part, over alleged misrepresentations made in Snapchat’s Privacy Policy about Snapchat’s information collection practices.

Snapchat apparently transmitted geolocation data from users of its Android App, despite a Privacy Policy that says that Snapchat did not track or access such information. Snapchat also allegedly collected contacts information from iOS user’s address book despite claiming that the app only collected the user’s email, phone number and Facebook ID for the purpose of finding friends.  Snapchat ultimately settled with the FTC and is required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.

The Snapchat case, as well as other cases, shows that statements and promises made in your Privacy Policy can come back to haunt your business.  The statements made in a Privacy Policy are promises made to users about what your business is doing with their information.  If the Policy does not reflect your businesses’ actual information collection or use practices, then you can be sued or investigated for misrepresentations.  And if your business ever suffers a data breach, any lawsuit over the data breach will invariably raise a claim for making misrepresentations in your Privacy Policy.  See e.g. In re: Target Corp. Customer Data Security Breach Litigation, MDL No. 14-25222, Consolidated Class Action Complaint, D. Minn. 2014, at ¶¶127-134.

So if you are considering whether to adopt a Privacy Policy, consult with an attorney to see whether it makes sense for your business. And if you decide to adopt a Privacy Policy, make sure the Policy accurately reflects your information collection, use and disclosure practices. Below are some best practices about what would be included in a Privacy Policy and where it should be displayed on your website.

BEST PRACTICES IN CONNECTION WITH PRIVACY POLICIES

Conspicuously Display Privacy Policy

If you need a Privacy Policy, or decide to have one, post a link to this document on your website in a conspicuous, easy-to-find location.  The home page of your website is the best place as it will be available to site visitors before they ever submit any private or personally identifiable data on your website.  The font used should be large enough for site visitors to view easily.  Also, if you own an e-commerce website, the link to the Privacy Policy should also be prominently displayed on any products page and in the shopping cart.

Disclose Information Collection and Use Practices

One of the most important aspects of a Privacy Policy is to explain the types of information collected on your website and how your business uses the information. The following should be clearly explained regarding your information practices:

  • Types of Information: The types of information collected and used;
  • Purpose: The purpose of collecting this type of information;
  • Cookie Policy: Your practices regarding cookies, including any tracking cookies;
  • Do Not Track Policy: Many browsers have a “do not track” feature that lets users tell websites that they do not want to have online activities tracked. Make sure and state whether your website will respond to browser “do not track” signals.
  • Sharing/Selling Practices: Information about all parties, including third-parties, that you will share or sell information to;
  • Contact Information: Your contact information and the contact information of all third parties who receive the information from your website in case customers have a question or want to make a complaint.

Choice

Your Privacy Policy should explain what options the consumer has with respect to how/whether her data is collected and used by your website. For any choice, provide the customer with a way to opt-out of the information collection or use practice. For example, you may give customers the choice of not receiving any promotional materials, so you would provide them with an email or phone number by which they can opt-out of receiving this material.

Access

Your Privacy Policy should explain how a customer can see what data has been collected by your business about him/her and how the customer can change or correct the data if necessary. Provide a way that a consumer can contact you to make any changes and then be sure to honor any requested changes.

Security

Your Privacy Policy should state the security measures that you have implemented and how any data that is collected or stored is protected. Be accurate about your security practices and give an honest assessment. Far better to under promise and over deliver. Don’t say that your organization follows all applicable laws regarding data protection if you are uncertain about all legal requirements or that your business is actually following them. These promises can come back to haunt you if you have a data breach.

Redress

Your Privacy Policy should provide a way that a customer can contact you and seek redress if the Policy is being violated.  It should also include a limitation of liability for any damages that may be suffered by any breach of your Privacy Policy or for use of your website.

Updates

Your privacy Policy should inform users about how changes to the Privacy Policy will be communicated.  Document all changes to your Privacy Policy over the years and keep all versions of your Privacy Policy.  You never know when a regulator or individual will ask questions about a particular Privacy Policy version.

That’s it for this week.  Hope everyone is not getting buried in snow like me.  Please let me know if you have any questions or comments about Privacy Policies or anything else related to privacy.