1. You Don’t Have One, But You Really Should
The Gramm-Leach-Bliley Act requires institutions “significantly engaged” in financial activities to give “clear, conspicuous, and accurate statements” of their information-sharing practices. This includes describing “what information the company collects about its consumers and customers, with whom it shares the information, and how it protects or safeguards the information.” The notice applies to the “nonpublic personal information” the company gathers and discloses about its consumers and customers.
The Health Insurance Portability and Accountability Act (HIPAA) privacy rules require written notice of the privacy practices of health care services, and this requirement also applies if the health service is electronic.
California: Calif. Bus. & Prof. Code §§ 22575-22578
Connecticut: Conn. Gen. Stat. § 42-471
Connecticut requires any person who collects Social Security numbers in the course of business to create a privacy protection policy. The policy must be “publicly displayed” by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.
In the last few years, the Federal Trade Commission (FTC) and, more recently, the Federal Communications Commission (FCC) have brought enforcement actions that resulted in significant settlement terms and, in the case of the FCC, a multi-million-dollar fine against companies that violated their own privacy policies.
If a company makes materially misleading statements or omissions about privacy or data security that are likely to mislead reasonable consumers, such statements or omissions are deceptive. The FTC has used this authority, for example, to challenge false and misleading claims about how companies use and share consumer data; whether they track consumers’ movements online; whether they are honoring consumers’ opt-outs; and whether they are delivering on promises to secure consumers’ financial and health data.
In the last several years the FTC has brought several Section 5 (deceptive and/or unfair trade practice) actions for various reasons, including making allegedly misleading statements in privacy policies. This includes actions against Snapchat, GMR Transcription Services, Credit Karma and TRENDnet. To resolve these FTC actions, the offending company typically must sign a consent order which requires it to:
- Establish comprehensive security programs designed to address security risks during the development of their products, programs or applications,
- Undergo independent security assessments every other year for the next 20 years, and
- Make no additional misrepresentations about the level of privacy or security of their products and services.
Then, for the next 20 years, the company risks a contempt of court finding, or worse, if it fails to strictly comply with the terms of the consent order.
In their privacy policies, the two companies stated that they had in place ‘technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.’ Yet, from September 2012 through April 2013, the sensitive documents they collected from consumers were apparently stored in a format accessible via the Internet and readable by anyone.
Complaints about the readability of privacy policies are not new. In its December 2010 Preliminary Staff Report, “Protecting Consumer Privacy in an Era of Rapid Change,” the FTC found that most corporate privacy policies are “incomprehensible,” and that “consumers typically do not read, let alone understand” these privacy statements. The FTC noted that, in general, “privacy policies do a poor job of informing consumers about companies’ data practices or disclosing changes to their practices.” Even companies that have thorough privacy disclosures were criticized by the FTC as having policies that are “opaque” and “too long and too difficult to navigate.” The FTC issued the final version of that report in March 2012, and included a series of recommendations for businesses and policymakers.
A recently published whitepaper, “Privacy Policies: How to Communicate Effectively with Consumers,” addressed the reading comprehension level needed to understand the privacy policies of Fortune 500 corporations. The average U.S. adult reads at an 8th grade reading level. The clear majority of Fortune 500 privacy policies in the study require a reading comprehension level beyond that of the average U.S. adult. Remarkably, 82% of those privacy policies required a college-level reading ability.
In terms of length, the whitepaper noted another rather remarkable disconnect:
This is particularly true on mobile devices with their smaller screens and fonts. The California Attorney General’s office has suggestions for improving the readability of privacy policies in a May 2014 pamphlet, “Making Your Privacy Practices Public”.
What Are The Take-Aways?
- It should be written in clear and concise language that average consumers will understand.
- It should be regularly reviewed to make sure it complies with statutory and other requirements.