Tag policy

Should Your Business Have a Privacy Policy?

Tags: Privacy, Privacy Policy, Small Business

Small business owners often ask me the following questions about privacy policies:

1. What is a privacy policy (notice, statement, etc.) (“Privacy Policy”)?
2. Does my business need one?
3. What should be included in a privacy policy?

I am usually surprised by question 1, although I should not be, since ½ of online Americans don’t know what a privacy policy is. But that question is reasonably straightforward to answer:

Privacy Policy (def.): A statement or document about how a company or website collects, uses, and discloses information about a visitor. It usually declares what specific information is collected, the purpose for collecting it, how the company uses the information, and whether it is shared with others.

The purpose of a Privacy Policy is to give notice to an individual that the business is collecting information about the particular consumer, the types of information being collected, and what’s being done with that information. For example, check out Target’s privacy policy.

Questions 2 and 3 require a little more consideration, as the answers are not clear-cut, and some businesses may be better off without a Privacy Policy.

DOES MY BUSINESS NEED A PRIVACY POLICY?

As with many things in life, the answer to this question for businesses in the United States is “it depends.” There is no federal law that requires every business to have a privacy policy that discloses how the business collects, uses and discloses information collected from potential customers.

Some types of businesses, however, are required to have Privacy Policies because of specific federal or state laws that apply, as well as certain business activities they engage in.

Businesses Required to have Privacy Policies

There are several ways a business can be forced to have a Privacy Policy:

Federal and State Laws

California Online Privacy Protection Act, California Bus. & Prof. Code §§ 22575-22578: Requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an internet website or online service for commercial purposes, to post a conspicuous Privacy Policy on its website or online service (which may include mobile apps) and to comply with that policy. Among other things, the law requires the Privacy Policy to identify the categories of personally identifiable information collected about consumers and the third parties with whom the operator may share the information.

Connecticut Gen. Stat. § 42-471: Requires any person who collects Social Security numbers [presumably of Connecticut residents] in the course of business to create a privacy protection policy. The policy must be “publicly displayed” by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

Children’s Online Privacy Protection Act of 1988: Requires (1) operators of websites and online services directed at children under the age of 13, including mobile app developers, and (2) operators of general audience websites and online services who know that they are collecting personal information about children under the age of 13, to post a Privacy Policy on the homepage of their website and a link to the Privacy Policy on every page where personal information is collected. The Act has very detailed requirements for what must be included in the Privacy Policy. See e.g. Relay Recess COPPA Privacy Policy.

Gramm-Leach-Bliley Act: Requires financial institutions to provide a clear and conspicuous privacy notice to consumers initially and annually about the institution’s information-sharing policies and practices. The privacy notice must contain the following: what information the financial institution collects about its consumers and customers; with whom it shares the information; how it protects the information; and an explanation of how a consumer can opt out. See e.g. Chase U.S. Consumer Privacy Notice.

Health Insurance Portability and Accountability Act of 1996: Requires covered entities (healthcare providers, health plans, and others) to provide a detailed privacy notice at the date of first service delivery. The regulations list very specific elements that must be included in the privacy notice, including detailed statements about individuals’ rights with respect to their personal health information. See e.g. Health and Human Services Model Notice of Privacy Practices.

If any of these statutes apply to your business, you must have a Privacy Policy or face the penalties for non-compliance. Consult with an attorney, or the applicable statute and regulations, to ensure that your Privacy Policy contains the required elements, as each of the statutes differs.

International Law

Your business also must have a Privacy Policy if you conduct business with, or collect information about, citizens of the European Union, Canada, and many other countries. Many countries have more universally applicable data privacy laws than the United States, and in those countries every business that collects personal information about individual citizens needs to have a Privacy Policy. Consult with a local attorney in the specific country where you conduct business to ensure that your Privacy Policy and other aspects of your business comply with applicable data privacy laws.

Google AdSense

Another business activity that requires your business to create a Privacy Policy is displaying Google AdSense advertising on your website. As part of the terms and conditions, Google AdSense requires you to “have a clearly labeled and easily accessible privacy policy that provides end users with clear and comprehensive information about cookies, device-specific information, location information and other information stored on, accessed on, or collected from end users’ devices. . . .”

Failure to do so may lead Google to suspend or terminate your account, and to prohibit you from creating a new account or monetizing content on other Google products. Consult with an attorney to make sure that your privacy policy contains all of the elements required by Google AdSense.

Mobile App Developers

Another business activity that requires a Privacy Policy is developing mobile applications (“Apps”). In 2012, California struck an agreement with the six largest platforms for mobile apps (Apple, Google, Microsoft, Amazon, Hewlett-Packard, and Research in Motion), in which the platforms agreed to a set of principles for mobile apps that would ensure compliance with the California Online Privacy Protection Act.

These platforms will require developers of apps that collect personal information to include Privacy Policies in their apps that can be reviewed before consumers download the app. Thus, if you want your app downloaded from these platforms, your app needs a Privacy Policy that complies with California’s laws. Consult with an attorney to make sure that your Privacy Policy includes all of the elements required by California law.

Businesses Not Required to Have a Privacy Policy

If none of the above situations apply, your business does not need a Privacy Policy. Many businesses, however, choose to adopt a Privacy Policy, particularly on their website. These businesses want to create a competitive advantage and believe that customers value their privacy and will choose businesses that care about privacy. Also, for some businesses – such as social media – customers expect a Privacy Policy before turning over their personal information and want to know what the company is going to do with it.

It’s unclear whether these are valid reasons for adopting a Privacy Policy. First, not many consumers actually read and/or understand the privacy policies included on websites. A recent study by the Internet Society revealed that less than half (42%) of U.S. citizens read Privacy Policies most of the time or all of the time on the websites or internet services they use. I actually think that it’s probably much less than 42%, since I have yet to find anybody (except for a privacy attorney) who has read a Privacy Policy more than once! That’s not surprising, since a recent study found that it would take approximately 76 working days to read all of the Privacy Policies from websites visited in a single year. Thus, it’s hard to see how a Privacy Policy can show customers that a business cares about privacy when customers are not even reading them.

Second, Privacy Policies create an enormous risk for a lawsuit or government investigation if your business does not accurately represent your information collection, use, or disclosure practices. For example, the FTC recently brought a case against Snapchat, in part, over alleged misrepresentations made in Snapchat’s Privacy Policy about Snapchat’s information collection practices.

Snapchat apparently transmitted geolocation data from users of its Android App, despite a Privacy Policy that said Snapchat did not track or access such information. Snapchat also allegedly collected contact information from iOS users’ address books despite claiming that the app only collected the user’s email, phone number and Facebook ID for the purpose of finding friends. Snapchat ultimately settled with the FTC and is required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.

The Snapchat case, as well as other cases, shows that statements and promises made in your Privacy Policy can come back to haunt your business. The statements made in a Privacy Policy are promises made to users about what your business is doing with their information. If the Policy does not reflect your business’s actual information collection or use practices, then you can be sued or investigated for misrepresentations. And if your business ever suffers a data breach, any lawsuit over the data breach will invariably raise a claim for making misrepresentations in your Privacy Policy. See e.g. In re: Target Corp. Customer Data Security Breach Litigation, MDL No. 14-25222, Consolidated Class Action Complaint, D. Minn. 2014, at ¶¶ 127-134.

So if you are considering whether to adopt a Privacy Policy, consult with an attorney to see whether it makes sense for your business. And if you decide to adopt a Privacy Policy, make sure the Policy accurately reflects your information collection, use and disclosure practices. Below are some best practices about what should be included in a Privacy Policy and where it should be displayed on your website.

BEST PRACTICES IN CONNECTION WITH PRIVACY POLICIES

Conspicuously Display Privacy Policy

If you need a Privacy Policy, or decide to have one, post a link to this document on your website in a conspicuous, easy-to-find location. The home page of your website is the best place, as the link will be available to site visitors before they ever submit any private or personally identifiable data on your website. The font used should be large enough for site visitors to read easily. Also, if you own an e-commerce website, the link to the Privacy Policy should also be prominently displayed on any product page and in the shopping cart.

Disclose Information Collection and Use Practices

One of the most important aspects of a Privacy Policy is to explain the types of information collected on your website and how your business uses the information. The following should be clearly explained regarding your information practices:

  • Types of Information: The types of information collected and used;
  • Purpose: The purpose of collecting this type of information;
  • Cookie Policy: Your practices regarding cookies, including any tracking cookies;
  • Do Not Track Policy: Many browsers have a “do not track” feature that lets users tell websites that they do not want their online activities tracked. Make sure to state whether your website will respond to browser “do not track” signals;
  • Sharing/Selling Practices: Information about all parties, including third parties, to whom you will share or sell information;
  • Contact Information: Your contact information and the contact information of all third parties who receive the information from your website, in case customers have a question or want to make a complaint.

Choice

Your Privacy Policy should explain what options the consumer has with respect to how and whether her data is collected and used by your website. For any choice, provide the customer with a way to opt out of the information collection or use practice. For example, you may give customers the choice of not receiving any promotional materials, so you would provide them with an email address or phone number by which they can opt out of receiving this material.

Access

Your Privacy Policy should explain how a customer can see what data has been collected by your business about him/her and how the customer can change or correct the data if necessary. Provide a way that a consumer can contact you to make any changes and then be sure to honor any requested changes.

Security

Your Privacy Policy should state the security measures that you have implemented and how any data that is collected or stored is protected. Be accurate about your security practices and give an honest assessment; it is far better to under-promise and over-deliver. Don’t say that your organization follows all applicable laws regarding data protection if you are uncertain about all of the legal requirements or about whether your business is actually following them. These promises can come back to haunt you if you have a data breach.

Redress

Your Privacy Policy should provide a way that a customer can contact you and seek redress if the Policy is being violated.  It should also include a limitation of liability for any damages that may be suffered by any breach of your Privacy Policy or for use of your website.

Updates

Your Privacy Policy should inform users about how changes to the Privacy Policy will be communicated. Document all changes to your Privacy Policy over the years and keep all versions of your Privacy Policy. You never know when a regulator or individual will ask questions about a particular Privacy Policy version.

That’s it for this week.  Hope everyone is not getting buried in snow like me.  Please let me know if you have any questions or comments about Privacy Policies or anything else related to privacy.

Mobile Apps, Children’s Privacy and COPPA

Tags: Apps, COPPA, Preparation, Privacy

It was recently reported that mobile apps are still collecting lots of personal information about children and still may not be complying with the Children’s Online Privacy Protection Act, 15 USC 91 §6501-6506, or the Federal Trade Commission’s (“FTC’s”) Final Amended COPPA Rule (collectively, “COPPA”). See also FTC, “Complying with COPPA: Frequently Asked Questions”, July 16, 2014. App developers need to make sure their apps comply with COPPA, as the FTC is actively cracking down and there is an increased risk of a class action lawsuit based on a COPPA violation.

COMPLIANCE WITH COPPA

The primary goal of COPPA is to place parents in control over what information is collected from kids under the age of 13 (“Children”) online, while accounting for the dynamic nature of the Internet. To comply with COPPA, an app developer should follow these steps (see FTC, Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for your Business):

1.  Determine if COPPA Applies to Your App or Website

COPPA only applies to the following:

• Operators of commercial websites or online services that are directed to Children and collect, use, or disclose Children’s personal information;

• Operators of general audience websites or online services with actual knowledge that they are collecting, using or disclosing personal information from Children; and

• Operators of websites or online services with actual knowledge that they are collecting, using or disclosing personal information directly from users of another website or online service directed to Children.

Several key terms need a little more explanation to appreciate the scope of COPPA:

Website or Online service:  This term is defined broadly by COPPA. Aside from websites, the following are potentially within COPPA’s scope:

o Mobile apps that send or receive information online,

o Internet-enabled gaming platforms,

o Plug-ins,

o Advertising networks,

o Internet-enabled location-based services, and

o Voice-over internet protocol services

Personal Information: The definition of personal information under COPPA is shockingly broad and includes any one of the following categories of information (“Personal Information”):

o First and Last Name;

o A home or physical address including street name and name of a city or town;

o Online contact information;

o A screen or user name that functions as online contact information;

o A telephone number;

o A social security number;

o A persistent identifier that is used to recognize a user over time and across different websites or online services;

o A photograph, video, or audio file that contains a child’s image or voice;

o Geolocation information sufficient to identify the street name and city or town name; or

o Information concerning the child or child’s parents that the operator collects online and combines with an identifier above.

Directed at Children: The FTC looks at a variety of factors to determine if an app is directed at Children:

o the subject matter of the site or service,

o audio/visual content,

o the use of animated characters,

o child-oriented activities and incentives,

o the age of models,

o the presence of child celebrities,

o ads directed to children, and

o other reliable evidence about the age of the actual or intended audience.

Collect: Under COPPA, an app collects Personal Information if it does one of the following:

o Requests, prompts, or encourages the submission of information, even if it’s optional;

o Lets Personal Information be made publicly available (such as in a public chat), unless you take reasonable efforts to delete virtually all Personal Information before postings are made public AND delete all such information from your records; or

o Passively tracks a child online.

If your app or website is covered by COPPA, move on to step 2. Congratulations if you think it is not covered! But I suggest you talk with an attorney to confirm that COPPA does not apply to your app. You do not want to be wrong here!

2.  Post a COPPA Compliant Privacy Policy

If covered by COPPA, your app must post a privacy policy that clearly and comprehensively describes how Personal Information is collected from Children and how it is handled. To complicate matters, the privacy policy must describe your policies AND the practices of any third parties collecting Personal Information on your service, such as plug-ins or ad networks.

To comply with COPPA, your privacy policy should be clear, easy to read, and include the following information:

A List of All Operators Collecting Personal Information:  Your policy should identify each operator that collects or maintains a child’s Personal Information through your app.  Include a name and contact information (address, telephone number, and email address) for each operator.  If more than one operator collects Personal Information, it is acceptable to only provide contact information for one operator, so long as the selected operator will respond to inquiries about your app’s practices with respect to the other operators.  The other operators still need to be identified in your privacy policy.

A Description of the Personal Information Collected and How It’s Used:  Your privacy policy must describe the following:

o Types of Personal Information collected from Children;

o Ways that the Personal Information is collected (directly, or indirectly through cookies);

o How Personal Information will be used (e.g., marketing, notifying contest winners, incentives, or allowing children to post information);

o Whether the app discloses Personal Information to third parties, such as ad networks, and how the third parties use the information.

Description of Parental Rights:  Your app’s privacy policy must tell parents that:

o Your app won’t require a child to disclose more Personal Information than reasonably necessary to participate in the app’s activity;

o They have the right to review the child’s Personal Information, can direct you to delete it, and refuse to allow any further collection or use of the child’s Personal Information;

o They can agree to your app’s collection and use of their child’s Personal Information, but still forbid disclosure to third parties unless that’s part of the service (such as social networking); and

o The procedures that a parent must follow to exercise their rights.

Make sure that your privacy policy accurately describes your app’s practices and that you follow through on all promises made. Nothing will generate an FTC enforcement action quicker than a privacy policy that misrepresents the practices of the app.

3.  Notify Parents Directly Before Collecting Personal Information from Children

COPPA requires that your app provide parents with “direct notice” before collecting Personal Information from their child. The notice should be clear, easy to read and should tell parents:

• Your app collected their online contact information for the purpose of obtaining their consent;

• Your app wants to collect Personal Information from their child;

• The parent’s consent is required for the collection, use, and disclosure of the child’s Personal Information;

• The specific Personal Information your app wants to collect and how it might be disclosed to others;

• A link to your online privacy policy;

• How the parent can give their consent; and

• If the parent does not consent within a reasonable time, you will delete the parent’s online contact information from your records and their child will not be able to use the app.

4.  Get Parents’ Verifiable Consent Before Collecting Information

Your app must also obtain a parent’s verifiable consent before collecting Personal Information about the child. COPPA does not specify how to obtain verifiable consent, but it is critical to use a method that is reasonably designed, in light of available technology, to ensure that the person giving the consent is the child’s parent.

Acceptable methods of obtaining verifiable consent include:

• Provide a consent form to be signed by the parent via U.S. mail, fax or electronically;

• Require the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;

• Have the parent call a toll-free number staffed by trained personnel, or have the parent connect to trained personnel via video-conference;

• Verify the parent’s identity by checking a form of government-issued identification (such as driver’s license or passport) against databases of such information. Make sure to delete the parent’s identification info after completing the verification;

• Use the “email plus” method if you are only going to use Children’s Personal Information for internal purposes and will not be disclosing to any third party;

• Use a common consent mechanism between multiple app developers who use the same system of obtaining verifiable consent;

• Rely on an app store to gain parental consent on your app’s behalf. Note that entry of a parent’s app store account number or password is not sufficient. The account number and password need to be used with other indicia of reliability to show that it is the parent giving the consent. Also, your app still needs to meet COPPA’s other requirements (such as the direct notice requirement);

• You can also apply to the FTC for pre-approval of a new method. The FTC has already accepted some proposed new methods of verifiable consent and is regularly evaluating new ones.

There are certain circumstances under COPPA where your app can collect and use a narrow class of Personal Information without obtaining parental consent.  Check out the FTC’s website for a helpful chart of these limited exceptions.

5.  Respect Parents’ Ongoing Rights

Make sure to respect parents’ ongoing rights with respect to their child’s Personal Information. If a parent asks, you must:

• Give the parent a way to review the Personal Information collected about the child;

• Give the parent a way to retract their consent and refuse the further use or collection of Personal Information about the child; and

• Delete the child’s Personal Information.

Note that you must walk a fine line before disclosing Personal Information about a child.  Take reasonable steps to ensure that you are dealing with a child’s parent and not some stranger. But do not make these steps so onerous that the real parent can’t find out what Personal Information your app is collecting about the child.

6.  Implement Reasonable Safeguards for Children’s Personal Information

COPPA requires you to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of Children’s Personal Information. The first step is to limit the Personal Information collected and only collect what is absolutely necessary for your app’s services. Then take reasonable steps to only release Children’s Personal Information to third parties capable of maintaining its confidentiality, security and integrity. Obtain contractual assurances that the third parties will live up to those responsibilities. Finally, only retain the Children’s Personal Information as long as reasonably necessary, and securely dispose of it as soon as you no longer have a legitimate reason for retaining it.

7. Investigate Participating in a COPPA Safe Harbor Program

As an app developer, one alternative worth investigating is the FTC-approved COPPA Safe Harbor Programs. COPPA Safe Harbor programs are self-regulatory guidelines developed by various industry groups that have been approved by the FTC for complying with COPPA.

You can obtain two benefits by participating in one of these programs.  First, your app will be deemed compliant with COPPA so long as it follows the program’s guidelines.  Second, your app will be subject to the review and disciplinary procedures outlined in the program’s guidelines instead of a formal FTC investigation and enforcement.  Both are worthwhile, so you should consider participating in one of these programs.

ENFORCEMENT OF COPPA

COPPA is usually enforced by the FTC, although some state attorneys general have brought COPPA enforcement actions in the past. New Jersey, in particular, has brought and settled at least two COPPA enforcement actions against app developers.

The FTC has recently warned that mobile apps will be an enforcement priority under COPPA, and has already announced two settlements with mobile app developers:

1. Yelp: Yelp, the online review website and app, paid $450,000 to settle charges that it violated COPPA by collecting Children’s Personal Information without sufficient parental notice or consent. Yelp allegedly employed an age-screening mechanism that required a birth date in order to register for its app, but thousands of Children were allowed to register, without notice or parental consent, after providing birth dates that showed they were under 13.

2. TinyCo:  TinyCo, the developer of Tiny Pet and other apps, paid $300,000 to settle charges that it violated COPPA by collecting Children’s email addresses without sufficient notice and parental consent.   The email addresses were allegedly collected in exchange for free in-app currency.
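The Yelp settlement above describes an age screen that asked for a birth date and then did nothing with the answer. The following Python is an added example, not code from the original post and not Yelp’s or TinyCo’s code, showing the broken pattern beside a hardened screen: it computes the age correctly (including the Feb 29 edge case), refuses under-13 registrations instead of storing them, retains no birth date at all (the data-minimization point of step 6), and blocks a same-session retry with a different date. The in-memory `Session` and `Outcome` types and the `register_*` function names are assumptions for this example; the parental-consent hand-off is left out.

```python
"""Neutral age screen for a registration flow subject to COPPA.

Constructed example: the session object and the returned records stand in
for an app's real session store and account database.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

COPPA_AGE_THRESHOLD = 13  # COPPA applies to children under 13


def age_on(dob: date, today: date) -> int:
    """Completed years of age on `today`.

    The tuple comparison handles a Feb 29 birthday by counting it on Mar 1
    in non-leap years (Feb 28 < Feb 29, Mar 1 > Feb 29).
    """
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1  # birthday has not happened yet this year
    return years


@dataclass
class Session:
    """Per-visitor state (assumed); the flag is the back-button guard."""
    under_13_attempt: bool = False


@dataclass
class Outcome:
    registered: bool
    reason: str
    record: Optional[Dict[str, str]] = None  # what the app may persist


def register_without_screen(email: str, dob: date) -> Outcome:
    """The failure pattern: ask for a birth date, store it, register anyway."""
    return Outcome(True, "registered", {"email": email, "dob": dob.isoformat()})


def register_with_age_screen(email: str, dob: date, today: date,
                             session: Session) -> Outcome:
    """Hardened flow: act on the screen, keep no birth date, stop retries."""
    if session.under_13_attempt:
        # A second attempt in the same session with a different date is the
        # classic back-button bypass; refuse it outright.
        return Outcome(False, "session already screened as under 13", None)
    if dob > today:
        return Outcome(False, "date of birth is in the future", None)
    if age_on(dob, today) < COPPA_AGE_THRESHOLD:
        session.under_13_attempt = True
        # Nothing about the child is persisted; the app would now hand off
        # to a parental notice/consent flow (not shown).
        return Outcome(False, "under 13: parental consent required", None)
    # Persist only the fact that the screen was passed, not the birth date.
    return Outcome(True, "registered",
                   {"email": email, "age_screen_passed_on": today.isoformat()})


if __name__ == "__main__":
    s = Session()
    print(register_with_age_screen("kid@example.test", date(2005, 6, 1), date(2015, 1, 15), s))
    print(register_with_age_screen("kid@example.test", date(1990, 1, 1), date(2015, 1, 15), s))
    print(register_with_age_screen("adult@example.test", date(1990, 1, 1), date(2015, 1, 15), Session()))
```

The screen is only "neutral" if the form asking for the birth date gives no hint of the threshold; the logic above does its part by never echoing the cut-off age in the rejection shown to the user. Discarding the birth date after the check also means there is nothing about the child in the database for a later breach or subpoena to expose.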

In light of the FTC’s warnings, more enforcement actions against app developers are likely, and the costs can be significant. In addition to the investigatory costs and the hit to your reputation, violators of COPPA can be penalized up to $16,000 per violation. That’s not chump change!

There is also a heightened risk of a class action lawsuit for failure to comply with COPPA. Usually, COPPA violations are considered unlikely contenders for class action lawsuits because COPPA does not provide a private cause of action. Without a cause of action, an individual or class cannot allege a COPPA violation as the basis for a complaint for damages. This calculation may have changed in light of a recent Connecticut Supreme Court case: Byrne v. Avery Center for Obstetrics and Gynecology, No. 18904 (Conn. Nov. 11, 2014).

In Byrne, the Court found that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the regulations of the Department of Health and Human Services (“HHS”) can “inform” the standard of care for a common law negligence action. In this case, Emily Byrne received medical care from the Avery Center (“Center”) while in a personal relationship with Andro Mendoza. Mendoza filed a paternity suit and the court issued a subpoena to the Center to appear with Byrne’s medical records. Byrne did not want the Center to release her medical records. But the Center mailed a copy of the medical forms to the court. Byrne claimed that the disclosure of the medical forms was not done in accordance with HIPAA and that she should have been notified of the subpoena.

As a result of the disclosure, Byrne filed suit for breach of contract, negligently releasing her medical file without authorization, negligent misrepresentation of the Center’s privacy policy, and negligent infliction of emotional distress.  After a motion for summary judgment, the trial court dismissed part of Byrne’s complaint and found that Byrne’s common law negligence and infliction of emotional distress claims were preempted by HIPAA, which does not provide a private cause of action.  The Connecticut Supreme Court reversed and concluded that “to the extent it has become the common practice for . . . follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

This decision is significant in several respects. For app developers, the most important consequence is that it provides a road map for a potential plaintiff about how to sue for a violation of COPPA. The plaintiff would need to plead a common law negligence claim related to the violation and argue that COPPA and the FTC regulations inform the duty of care applicable to these actions. Alternatively, the plaintiff could argue that the COPPA violation is an unfair and deceptive trade practice under the state’s consumer protection law.

It is still unclear whether these strategies will work or whether these strategies are preempted by COPPA.  I will postpone this discussion for another blog post.  But if app developers continue to ignore COPPA, plaintiffs and their attorneys may start actively pursuing these cases.  There is too much money potentially at stake.  Stay tuned for further developments.

Thanks for reading.