8 Pertinent Privacy Policy Principles

Photo courtesy of Sean MacEntee on Flickr.

Rob Swystun, Pristine Advisers

Privacy policies are boring. In fact, I’m gonna go ahead and assume that you probably don’t even know the privacy policy of your own company. And you probably wouldn’t bother reading it unless you were suffering from insomnia.

Sara Hawkins, who blogs about legal matters as they pertain to business, has even said she’s seen situations where Business A has simply copied and pasted Business B’s privacy policy, complete with references, URLs and information that pertains to Business B left in.

How does that even happen? It’s because some businesses, especially small ones, cannot be bothered to craft a privacy policy from scratch or read it once it’s done. So, really, there could just be one single privacy policy out there that every business has been copying and pasting since it was written. (Nobody would know, right?)

Although they’ve only really been in the public mindset since the internet popped up (mostly as joke fodder for how nobody reads them), privacy policies have been around much longer than the internet and companies have been in need of some kind of privacy policy for decades.

The Federal Trade Commission, which oversees privacy laws and policies as they pertain to consumers, has been protecting consumer privacy for over 40 years, meaning companies have always had to have privacy policies for their interactions with customers. Obviously, over the past several years more and more of those companies have moved online or are completely online.

Interestingly, except for a handful of the most regulated industries, there is no federal law in the USA that requires an online business to have a privacy policy and no companies have yet been sued for not having a privacy policy. For businesses in California, though, or that do business in California, which includes many online companies, the California Online Privacy Protection Act makes it mandatory to post a privacy policy.

Why it’s important

Although there is no federal law requiring a privacy policy, the FTC will look for one if there is any question about a company’s efforts to protect consumers’ private information (even though many consumers spew their private information all over the internet anyway).

If a company lacks a clear privacy policy, the risks to the company are much higher than if there is no privacy policy in place.

The FTC is diligent about responding to consumer complaints about privacy and has already gone after companies for illegally collecting information, like when it reached a settlement in February of this year with an app developer who was found to have collected children’s personal information without the consent of their parents. Despite new technologies coming out fast and furiously, the FTC is doing its best to keep up.

A privacy policy should be simple to read and easy to find on your website. It should also adhere to the following eight points:

1. Use easy-to-understand language. Ah, the point that you see over and over with regard to communicating with customers. And for good reason. Using accessible language keeps things simple and promotes the reading of documents that people should read but usually don’t (mostly because they’re hard to understand). If your target market is under 13, write the policy for the parent or guardian, and if your target market’s primary language isn’t English, have your policy translated into any appropriate languages and post them.

2. Determine what information you want to collect. The excuse that your interface was collecting information that you didn’t know about won’t fly, so make sure you know exactly what info you are collecting. This might mean bringing people in to look at the back end of your consumer interface and fill you in on what is being collected, which is fine. Ignorance won’t be a useful defense if your interface is collecting information that you are unaware of. And, to add to that, once you know what it’s capable of collecting, you either have to disclose what will be collected or give people a means to opt out of it. The level at which consumers are able to engage with your platform (like video and image sharing, for example) will also help determine what information you collect and what will be required to be collected for legal reasons.

3. Explain how the information is to be collected. This is the area where things can get really technical, so it’s important to go over this section and make sure it’s not full of technobabble that will leave people scratching their heads. As in point number one, just use plain language so people can understand how their information is being collected.

4. Explain your obligations for cooperating with law enforcement. Make it clear that if you are compelled by law, the information your consumers provide might have to be shared with a third party.

5. If you plan to share information with third parties, make it clear what will be shared and with whom. If you plan on selling information to a third party, first off, shame on you, and secondly, even if the information is aggregate and will not be personally identifiable, make sure you tell people in the policy. And if individually identifiable information is to be sold, make sure it’s especially clear.

6. Give your consumers a way to opt-out of having their information collected. And make it easy for them, even if it means they won’t be able to access your site. Make sure you also update your records so people who have opted out have their information purged from your system.

7. Give consumers the option to update and/or change their information. It’s a good idea to have a separate email or specific form for this purpose.

8. Keep your policy updated. Do this as needed and always include the date of the update. Updates to the privacy policy will need to be done if new platforms are added to your service, new website capabilities are added or any other major changes are done. Just keep in mind that it’s not a document to be written and then left. Also, as you make changes to it, let users and consumers know, whether the change is an addition or a subtraction, and allow them the opportunity to opt out if they want.

Having a legible and secure privacy policy is not just for the big fish. It’s for all companies. If you think you’re too small for a privacy policy, just remember that app developer up there. And really, why wouldn’t you have one? It just makes sense.

