Small business owners often ask me the following questions about privacy policies:
- Does my business need one?
Some types of businesses, however, are required to have privacy policies, either because a specific federal or state law applies to them or because of particular business activities they engage in.
Businesses Required to have Privacy Policies
Federal and State Laws
Connecticut Gen. Stat. § 42-471: Requires any person who collects Social Security numbers [presumably of Connecticut residents] in the course of business to create a privacy protection policy. The policy must be “publicly displayed” by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.
Gramm-Leach-Bliley Act: Requires financial institutions to provide a clear and conspicuous privacy notice to consumers, initially and annually, describing the institution’s information-sharing policies and practices. The privacy notice must describe: what information the financial institution collects about its consumers and customers; with whom it shares the information; how it protects the information; and how a consumer can opt out of certain sharing. See e.g. Chase U.S. Consumer Privacy Notice.
Health Insurance Portability and Accountability Act of 1996: Requires covered entities (health care providers, health plans, and health care clearinghouses) to provide a detailed notice of privacy practices, which a provider must deliver no later than the date of first service delivery. The Privacy Rule prescribes very specific elements that must appear in the notice, including detailed statements of the individual’s rights with respect to his or her protected health information. See e.g. Health and Human Services Model Notice of Privacy Practices.
Mobile App Developers
BEST PRACTICES IN CONNECTION WITH PRIVACY POLICIES
Disclose Information Collection and Use Practices
- Types of Information: The types of information collected and used;
- Purpose: The purpose of collecting this type of information;
- Do Not Track Policy: Many browsers have a “do not track” feature that lets users tell websites that they do not want their online activities tracked. Be sure to state whether your website will respond to browser “do not track” signals; California’s online privacy law (CalOPPA) specifically requires this disclosure from commercial websites that collect personal information from California residents.
- Sharing/Selling Practices: Information about all parties, including third parties, with whom you will share or to whom you will sell information;
- Contact Information: Your contact information and the contact information of all third parties who receive the information from your website in case customers have a question or want to make a complaint.
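Whatever the policy promises about “do not track,” the site has to actually behave that way, and the signal is not uniform across browsers. The snippet below is an added example (not code from the original post) showing how a site can read the signal on both the client and the server and gate its analytics on it. It assumes the browser property names listed in the comments, which have varied over time, and a hypothetical `loadAnalytics` callback standing in for whatever tracking script the site would otherwise inject. Note that honoring DNT is voluntary on the website’s part; nothing in the browser enforces it, and Apple removed the setting from Safari in 2019, so a policy that says “we honor DNT” must be backed by code like this rather than assumed.

```javascript
// Added example: detecting a browser "Do Not Track" signal so a site can honor
// what its privacy policy promises. Not code from the original post; the
// helper names (dntRequested, dntHeaderRequested, decideTracking) and the
// loadAnalytics callback are this example's own.
//
// Browsers have exposed the setting under several names and values:
//   navigator.doNotTrack   "1" (enabled), "0" (disabled), "unspecified", or null
//   window.doNotTrack      older Internet Explorer / Edge
//   navigator.msDoNotTrack legacy Internet Explorer, "1" / "0"
// Some Firefox versions returned "yes" / "no" instead of "1" / "0".
function dntRequested(nav, win) {
  const raw = nav.doNotTrack ?? win.doNotTrack ?? nav.msDoNotTrack ?? null;
  if (raw === null || raw === undefined) return false; // no signal exposed at all
  const v = String(raw).toLowerCase();
  return v === "1" || v === "yes";
}

// Server side: the same preference arrives as the "DNT: 1" request header.
// `headers` is a plain object keyed by lower-cased header name (constructed input).
function dntHeaderRequested(headers) {
  const v = headers["dnt"];
  return v !== undefined && String(v).trim() === "1";
}

// Gate: only load third-party analytics when the visitor has not asked not to
// be tracked. Returns the decision so callers can log or audit it.
function decideTracking(nav, win, loadAnalytics) {
  if (dntRequested(nav, win)) {
    return { tracking: false, reason: "DNT signal honored" };
  }
  loadAnalytics();
  return { tracking: true, reason: "no DNT signal" };
}

// Constructed navigator/window objects standing in for real browsers.
const samples = [
  { label: "Chrome with DNT on",  nav: { doNotTrack: "1" },           win: {} },
  { label: "old Firefox",         nav: { doNotTrack: "yes" },         win: {} },
  { label: "legacy IE",           nav: { msDoNotTrack: "1" },         win: {} },
  { label: "old Edge",            nav: {},                            win: { doNotTrack: "1" } },
  { label: "DNT explicitly off",  nav: { doNotTrack: "0" },           win: {} },
  { label: "no preference set",   nav: { doNotTrack: "unspecified" }, win: {} },
  { label: "no DNT API at all",   nav: {},                            win: {} },
];

for (const s of samples) {
  const r = decideTracking(s.nav, s.win, () => {});
  console.log(`${s.label}: tracking=${r.tracking} (${r.reason})`);
}

// Constructed request headers as a server would see them.
console.log("header DNT: 1  ->", dntHeaderRequested({ dnt: "1" }));
console.log("header DNT: 0  ->", dntHeaderRequested({ dnt: "0" }));
console.log("header absent  ->", dntHeaderRequested({}));
```

The important design choice is that the gate runs before the analytics script is injected, not after: a tracking script that loads and then reads the flag has usually already set cookies or fired a beacon. Treat anything other than an explicit “1”/“yes” as “no preference expressed” so the site’s default behaviour is what the policy describes.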
That’s it for this week. Hope everyone is not getting buried in snow like me. Please let me know if you have any questions or comments about Privacy Policies or anything else related to privacy.