Businesses are often faced with the challenge of collecting information about their clients in order to tailor and improve their products and services, while respecting their customers’ privacy and protecting their personal information. But outside of a narrow set of specific state requirements mandating minimum content requirements for privacy policies (see, for example, this discussion of California’s Online Privacy Protection Act (CalOPPA)), and other than the Federal Trade Commission (FTC) Act, which prohibits deceptive or unfair commercial practices, there are no federal laws or regulations that explicitly say what should be included in a privacy policy. Nonetheless, the statements a company makes in its privacy policy regarding use and disclosure of personal information are enforceable by consumer protection agencies under regulations such as the FTC Act and state laws that prohibit deceptive commercial activity.
For this reason, a comprehensive and transparent privacy policy bridges these competing concerns by telling users what information your website collects from them and how that information or data is used.
When drafting your policy, the following considerations will help guide the terms of disclosure and help determine what information and data collection methods should be disclosed to users:
1.) What type of information will you collect from visitors to your website?
Clarify early in the privacy policy whether the information collected is personal or anonymous. If you collect personally identifiable information such as names, email addresses, IP addresses, or phone numbers, disclose that to the user upfront in a clear and concise way. These disclosures enable consumers to make informed choices about whether to use your website or services and how much information to provide. Additionally, these disclosures ensure compliance with the FTC’s principles of providing notice and choice to consumers.
2.) How is the information being collected?
Information can be collected automatically when a user visits a website, or it can be collected when submitted by the user. Many companies use automatic collection tools such as cookies, web-beacons, or anonymous identifiers that track users as they visit webpages. Use of automatic data collection software should be disclosed to users. Companies that have failed to disclose their use of web-tracking software that collected personal information have been the subject of FTC enforcement actions. Therefore, a proactive disclosure of the tools you use to collect users’ information can prevent claims of unfair or deceptive trade practices and build a good faith relationship with your clients.
Additionally, users may not be familiar with certain data collection terms or devices, so a link explaining particular terms or practices can further ensure that users are informed about your data collection practices. A list of key terms can be found here.
3.) What is the collected information used for and who will have access to it?
This is often the most sensitive section of a privacy policy, and for good reason. The information you collect from your users should be relevant to the services or transactions provided to users. A privacy policy should disclose the purpose of collecting users’ information and whether the collected information is shared with other users, third parties, business affiliates, or advertising partners. In certain events such as bankruptcies, the FTC has used provisions of other regulations (e.g. the Bankruptcy Code or FTC Act) to require companies to inform users about the sale of their personal information and give users a chance to request removal of identifying information, destroy the personal data themselves, or authorize a court to appoint a privacy ombudsman to ensure consumers’ interests are protected.
4.) How will users be informed that the privacy policy has changed?
Your privacy policy should reflect your actual practices and should change as your practices change. Often, companies put the burden on the user to check back and re-read the privacy policy. A more proactive approach is to conduct periodic reviews of the policy in order to incorporate any changes in the law or industry practices, and to notify users of these changes. Third-party validation from companies like Truste or Entrust can enhance your credibility with users and offer a comprehensive review to identify gaps in required disclosures. Finally, when your privacy policy changes, users can be notified through a message on the website’s homepage, or with an email notification to users’ accounts.
5.) How is user information protected?
Privacy policies can and should state that there are always inherent risks in sharing information online, and that no security measures are perfect or impenetrable. Federal consumer protection regulations spell out requirements for businesses that collect medical or financial information, and such information may also be governed by other federal regulations with specific data protection requirements. Any steps that you take to secure or encrypt user information should be disclosed, although the technical details behind security measures do not usually need to be disclosed.
The FTC has recently stepped up its efforts to police businesses that fail to properly protect sensitive consumer information. As a result, it is imperative for businesses to implement and support data security mechanisms that are not only defined in the privacy policy, but closely followed, reviewed, and updated.
6.) Is the website or are the services targeted towards children?
Websites that direct their services to children under the age of 13 must comply with the Children’s Online Privacy Protection Act (COPPA). If your website is not intended to be used by children under the age of 13, then a statement clearly stating that must be included in the policy.
7.) What control does a user have over their information?
Users need a way to contact your business and control their personal data, whether it’s changing a password on their account, taking their name off of a mailing list, or bringing complaints or problems to the business’s attention. A phone number or email address should be provided in the privacy policy to which such questions or concerns can be directed.