Why You Need a Privacy Policy – Part 1

A privacy policy is a key legal document in this new era of Big/Data/Breaches.  When distilled to its essence, a privacy policy is simply “say what you do, and do what you say” with others’ personal information.  A growing number of companies have them, either because the law requires it, or because they recognize it as a good business practice.  The increasing demands for transparency about personal information collection and security practices mean that privacy policies are here to stay.  And if they don’t accurately reflect a company’s actual privacy protection practices, they can create significant liability, especially in the wake of a data breach.

This is the first of a two-part series on privacy policies in the United States.  In Part 1, we  discuss some privacy policy basics.  In Part 2, we will address three commonly-found problems with privacy policies, and the potential legal consequences that can result.

What is a Privacy Policy?

Basically, a privacy policy is a public notice that accurately discloses:

  • What personal information a company collects from customers and other members of the public;
  • How it collects such personal information;
  • How it stores and protects the information;
  • How it uses the information;
  • How it may distribute such information; and
  • How its customers may access the information collected about them and what choices they have to review, edit/correct, and perhaps delete such information.

By far the most important aspect of a privacy policy is that it must reflect the company’s actual practices.  Thus, if a company’s information collection, usage, security, etc., practices change over time, so must the privacy policy.

Companies that collect, store and share personally identifiable information, particularly on-line, but yet don’t have a privacy policy should strongly consider creating one, and should consult with experienced counsel in doing so.

Regrettably, there is no off-the-shelf privacy policy that universally works for every company. Instead, developing a good privacy policy requires input from various stakeholders, so that it accurately reflects the company’s actual data collection, use and security practices.  The process of creating (or even updating) a good privacy policy can add significant value to the company (beyond the policy itself), given the input from and communications between those stakeholders.

A poorly-written privacy policy that is inaccurate, incomplete or hard to understand can expose a company to potential liability and decades of government monitoring.  Moreover, if a company suffers a data breach, its privacy policy will be one of the first things investigators will focus on, to determine whether the breached company followed its own policy.  Consequently, given the significance of the privacy policy, companies should consider engaging legal counsel to assist with their creation and updates.

In practice, privacy policies are typically published on company websites, usually via a hyper-link at the bottom of the webpage.  However, although they may be posted “on-line”, privacy policies can also disclose practices regarding personal information that is collected “off-line”, such as through hard-copy documents or audio and video records.

What is Personally Identifiable Information?

Personal information is often referred to as “Personally Identifiable Information”, or PII.   According to a 2010 report from the U.S. Department of Commerce’ National Institute of Standards and Technology, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), PII is “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”  The NIST report also notes that facial photographs, telephone numbers, e-mail addresses, Internet Protocol (IP) or Media Access Control (MAC) addresses or other static identifiers that consistently link to a particular person or small, well-defined group of people are also considered to be PII.

How to Know What to Say and What to Do?  

There are a few federal and state laws that require privacy policies, and those are limited to companies in certain industries or the collection of certain kinds of information. There is no over-arching law, regulation, or standard that universally defines exactly what every privacy policy must say.  Developing a policy requires input from various stakeholders, so that it accurately reflects the company’s actual data collection, use and security practices.

The process typically involves, at a minimum, legal counsel, IT and website managers (whether in-house or outside), human resources, sales and accounting, as well as C-suite input.  Determining what personal, financial, medical information is collected, how and where it is collected, how and where it is stored and secured, who has access to it, and how it is used typically requires contribution from a variety of knowledge sources.

The investment of resources to create a privacy policy often leads to unintended benefits, such as the elimination of large amounts of hard copy and electronic records that were found to be no longer necessary, improved information governance practices, enhanced cyber security (you can’t lose what you no longer keep), and better communication between the stakeholders who were involved in creating the policy.

Is it a DIY Project?

As noted above, a privacy policy is an important legal document, given the evolving statutory requirements and the potential liability it can lead to.  Consequently, a company thinking about creating or updating its privacy policy should consider engaging experienced legal counsel to assist.  A growing number of companies are legally required to publish one, and depending on the particular statute, are also required to disclose specific items in such policies.  For example, the following federal laws require certain companies to publish a privacy policy:  the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act (HIPAA).  In addition, both California and Connecticut require some companies to publish privacy policies with specific disclosure obligations.  Knowing what statutes may be involved, and what those statutes require for privacy policy content can help assure that the company remains compliant.

So Why Not Just Copy and Paste?

For many of the same reasons, a company should avoid creating a privacy policy for itself by simply copying one from another company’s web site.  While imitation may be the sincerest form of flattery, it can also lead to legal liability.  Setting aside the possible consequences for breaking copyright and unfair competition laws, copying another company’s privacy policy is a risky proposition.

Here’s an example:  Company C lacks a privacy policy.  It’s thinking about just copying one it found on Company W’s website.  First, how does Company C know that Company W’s privacy policy complies with laws that may apply to Company C?  Second, how does Company C know that Company W’s privacy policy is current?  Third (and most concerning), unless Company C’s information collection, usage, security,  and sharing practices are identical to those used and published on Company W’s privacy policy, then once it copies W’s privacy policy to its website, Company C could be viewed as engaging in a deceptive and/or unfair trade practice by not following “its” privacy policy.  And Company C’s potential liability could rise substantially if it later suffers a data breach, and an investigation reveals that it did not accurately disclose its information privacy practices in its privacy policy.

Consequently, when creating – or even updating – a privacy policy, companies should consider engaging legal counsel experienced in this area of the law.  The same considerations apply when creating or updating Terms and Conditions.

In Part 2, we will discuss three common problems with privacy policies:  (1) Failing to Provide a Privacy Policy When One is Required By Law; (2)  What Happens When You Fail to Follow Your Privacy Policy; and  (3) Why an Incomprehensible Privacy Policies is No Better than None at All.

Stay Tuned…

 

 

This entry was posted in Data Protection, Government Regulations, HIPAA, Privacy Policy.

Share this Article:

Leave a Reply

View Reply Form

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>