A privacy policy? Who needs a privacy policy? Privacy is a mess. You’re building an online business, and you figure you have to have a privacy policy. But why? Is “because everyone else has one” a good enough reason? Ever wonder what you really need to know about privacy law? I mean … what you have to comply with as a business operating in an online environment?
Here, then, is the first of several Frequently Asked Questions about privacy policies. Or, to be more precise, here are some practical answers on privacy practices:
FAQ #1: Can I simply post a privacy policy and forget about it? Short Answer: No. Longer Answer: No, because as between posted statements and actual compliance, actual compliance is what’s required. In that sense, posting a privacy policy matters mainly because it commits you to honoring the statements you make in it. That commitment is important, and it can cause grief down the road if you breach your own posted policy, which is often the bane of companies that post a “boilerplate” policy lifted verbatim from another website and never actually read.
But what really matters is actual compliance, meaning compliance with privacy laws. So … how do you know what laws to worry about, and which aspects of those laws? Is it really helpful to answer “all laws”? Yes, in the sense that you always have to comply with “all laws”. But not all laws apply equally in all cases, and the same is true with privacy practices.
FAQ #2: What laws govern privacy practices? This is a huge topic, so where to begin?
Industry-Specific Privacy Laws. You follow laws applicable to your particular type of industry. Examples:
- Financial Data, including the various federal laws covering privacy of financial data, such as the Gramm-Leach-Bliley Financial Modernization Act of 1999. Gramm-Leach-Bliley is one of a number of laws that apply if your business deals with loans, financial or investment advice, insurance, or any type of financial product or service.
- Medical Information, particularly privacy laws like HIPAA, which deals with the handling and security of patient medical and healthcare information. HIPAA itself is an enormous topic, obviously applicable to physicians and medical practices, hospitals and insurance companies, but also to any number of service providers, including software and systems providers to the healthcare and pharmaceutical industries.
- Children’s Privacy Laws. If your business has products or services targeted to an audience that will likely include children, the Children’s Online Privacy Protection Act (referred to as COPPA) kicks in. But again, like HIPAA, COPPA applies whether or not children are your intended audience. The reach and pervasiveness of the internet – and lack of real ability to guarantee age access restrictions – make COPPA applicable to a larger swath of online activities than you might otherwise think.
Advertising Privacy Laws. Advertising law itself is a large topic, but certain advertising laws specifically cover privacy practices. Two in particular to note:
- Section 5 of the FTC Act. The FTC Act is certainly not a new law, but its general provisions against fraudulent business practices also regulate fraudulent privacy practices. The FTC Act is the general framework under which the government and consumers can seek redress for deceptive or misleading practices, commonly where a privacy policy’s disclosure is inconsistent, deceptive or misleading with respect to actual privacy practices.
- The Federal “SPY Act” (Securely Protect Yourself Against Cyber Trespass Act). Among other privacy matters, the SPY Act governs use of “information collection programs” that collect personally identifiable information and either send the information to anyone other than the user, or use the information to display advertising. The SPY Act requires not only disclosure of the use of these types of programs, but also affirmative user consent to their use. Where does the SPY Act really kick in? The Act requires that disclosure of – and consent to – the collection of personal information be “clear, conspicuous, written in plain language, and clearly distinguished from any surrounding text or information”. What is unclear is whether affirmative consent through clickthrough acceptance of privacy terms and terms of use would satisfy the acceptance requirements, although I have yet to see a website require anything further.
State Laws
State laws apply whatever business you are in and whatever field you operate in. That is certainly true of the state where your business is located, of course. A great place to start is The American Institute of CPAs (AICPA), which has a fine online resource on state privacy laws.
At a minimum, the AICPA’s resource will guide you on what’s applicable in your home state and the states in which you clearly operate.
Beyond that threshold issue, privacy is an area of particular state-law sensitivity for many reasons. Many states have privacy laws applicable to businesses operating in their jurisdictions, and some states have famously enacted aggressive privacy legislation. Many of those same states have taken quite liberal positions on the applicability of their laws to online activities.
A more generous view is that certain states are simply leading the country in privacy activities. Privacy practices – not just policies, but actual practices – that comply with the laws of these states will tend to be compliant with the laws of most states, making attention to them a useful exercise. These states include California, Massachusetts, North Carolina and New York. But they also include states like Vermont and Maine, two New England states that just recently found themselves defending state laws allowing physicians to opt out of publicly disclosing patient prescription drug information. Indeed, Vermont’s case will be argued in the US Supreme Court this spring, illustrating the national significance of seemingly narrowly applicable state laws. These are important laws for business activities in these states, of course, but equally so because many other states are following their lead. And many states – Vermont and Maine included – are aggressively policing the activities of online businesses even remotely touching upon their jurisdictions.
FAQ #3: So … What Do Businesses Actually Do?
How do you “do your best” when you’re potentially exposed to a gazillion laws and regulations, many of which seem so much like “gotcha” laws aimed simply at tripping you up? One answer is best practices. The Better Business Bureau and TRUSTe are two among many reputable organizations that develop and update privacy guidelines and “model” policies. Industry-specific groups publish best practices and guidelines for their industry members. The Direct Marketing Association has a good example on its website, www.the-dma.org.
These really are great resources because they tend to be sensitive to national and leading-state trends in privacy while encouraging implementation of policies that match actual privacy practices.
I will separately write more about this “do your best” topic as well as major points that privacy policies – and actual privacy practices – should reflect.