The Why and How of Privacy Policies

Why Privacy Policies

Whenever you've signed up for a new website or piece of software, you have probably had to agree to terms and conditions, and often to a separate privacy policy as well. A privacy policy tells customers what to expect with their personal information: what you collect, why you collect it, and what you do with it. With rising concern about data privacy among everyday consumers, a clear privacy policy is an important way of keeping your customers informed and confident in your business.

Furthermore, depending on the industry or state you operate in, some laws require businesses to post a privacy policy. Industry-specific laws may apply to you, for example if you are a HIPAA covered entity or business associate, a financial institution under the Gramm-Leach-Bliley Act, or an online service that collects children's information under COPPA. The second article on this page, on privacy laws and personally identifying information, covers these laws in more detail. Some states also require privacy policies. For example, California's Online Privacy Protection Act (CalOPPA) requires operators of commercial websites and online services that collect personally identifiable information from California residents to conspicuously post a privacy policy.

This article walks through what to consider when drafting a privacy policy, and what to keep in mind afterwards to avoid liability.

Drafting a Privacy Policy

Privacy policies should help consumers identify what information you collect from them; what you do with it, including how it is handled, stored, and shared; and what laws apply to the policy. Best practice is also to state how you obtain the data and why you collect it.

Define what kinds of information you collect from your customers. The kinds of information you collect also determine which laws apply to you; the second article on this page covers personally identifiable information and the laws that attach to it. State exactly what will be collected, such as payment card information, names and other personal identifiers, and any other data such as preferences, purchase history, or usage patterns.

Example: When you register for our service you provide us with your name, birth date, and address. If you make purchases through our website, you will also be providing us with your credit card information. We also keep track of what purchases you make through our website in order to improve the quality of the services we provide you.

You also want to be clear about what your business will or may do with the collected information. If you delete records after some period, say so and state the retention period. If the information is used solely for internal purposes, such as record keeping or fulfilling orders, say that too. If the information may be shared, list with whom (for example payment processors, shipping carriers, or analytics vendors) and under what circumstances.
Your privacy policy should also say how your business will respond to related requests from consumers, such as Do Not Track signals or requests to access or delete their data, and how it will handle data breaches. For breaches you must follow state and federal requirements, but being clear on your own policy for when, how, and whom you will notify is important. Every state has a breach notification law requiring notice to affected residents, and many also require notice to the state attorney general or another agency, sometimes only when the number of affected residents exceeds a threshold; the definitions of covered data and the notification deadlines differ from state to state. Determine the requirements that apply to you and incorporate them into your policy. Given the many differences in state law, you may wish to include state-specific sections, such as one for California.

Example: In the event of a data breach, we will investigate its scope. If our investigation finds it likely that data linkable to consumers was compromised, we will notify (insert relevant state agency) and any users identified as being at risk within the time required by applicable law.

Considerations to Keep in Mind

Once you've drafted and posted a privacy policy, you can't simply forget about it. You need to keep some things in mind if you want to protect both your interests and your consumers. Although consumers have generally not succeeded in suing businesses over their privacy policies, that does not mean you are free to violate your own. The Federal Trade Commission ("FTC") can and has brought enforcement actions, under its authority over unfair or deceptive practices, against businesses whose actual practices did not match their stated policy. You should therefore treat the policy as binding.
Additionally, if privacy law changes materially or you change your business model, you should revisit your privacy policy. Generally nothing prevents you from amending the policy at will, provided you comply with applicable law. However, if you change the policy you need to give consumers notice of the change, and you should be careful about applying changes retroactively to data already collected without proper notice and an opportunity to consent.

Changing a privacy policy without notice can be an unfair or deceptive practice and has led to FTC action, fines, and remedial orders. Notify customers in a way that makes sense for your business; typically at least an email to users of your service is warranted. Giving users time to review the changes and to consent, even if only by continuing to use the service, rather than applying the new policy automatically, provides a chance to object. Most consumers will pay little attention, but offering the opportunity reduces the chance of FTC action. Language reserving the right to change the policy at any time can help by putting customers on notice that it may change, but such a clause does not by itself permit you to apply a materially different policy retroactively to data collected under the old one; the FTC has treated that as unfair absent express consent. Regardless, giving notice and obtaining consent from continuing customers when you change your policy is important for avoiding liability.

Conclusion

Ultimately, a privacy policy is an important tool for establishing your data handling procedures, informing your clients, and complying with the law. Many free templates exist online, but it will be in most businesses’ best interest to seek legal advice on crafting a custom privacy policy.

Sources:

Daniel J. Solove & Paul M. Schwartz, Information Privacy Law (6th ed. 2018).

Elizabeth C. Rogers, 15 Points to Remember When Drafting Privacy Policies, Lexis Practice Advisor Journal, https://www.lexisnexis.com/lexis-practical-guidance/the-journal/b/pa/posts/drafting-privacy-policies

Sara P., Privacy Policies Are Mandatory by Law, TermsFeed, https://www.termsfeed.com/blog/privacy-policy-mandatory-law/

TermsFeed, Sample Privacy Policy Template, https://www.termsfeed.com/blog/sample-privacy-policy-template/

PrivacyPolicies, Privacy Policies Are Legally Required, https://www.privacypolicies.com/blog/privacy-policies-legally-required/

Maria P., Sample Privacy Policy Template, PrivacyPolicies, https://www.privacypolicies.com/blog/privacy-policy-template/

Patrick Fowler, Why You Need a Privacy Policy – Part 2: Avoiding Three Common Fumbles, S&W Cybersecurity and Data Privacy Law Blog (Mar. 12, 2015), https://www.swlaw.com/blog/data-security/2015/03/12/why-you-need-a-privacy-policy-part-2-avoiding-three-common-fumbles/


PRIVACY LAWS AND WHETHER YOUR BUSINESS IS GATHERING PERSONALLY IDENTIFYING INFORMATION

It can be daunting for a new business to understand data privacy requirements. Beyond your clients' own concerns about privacy, the government regulates client information through many complex laws. These laws do not apply to every piece of information a business holds about its clients; they apply to personally identifiable information ("PII") or an analogous category such as "personal information" or "protected health information." They vary not only by industry (HIPAA for health care, for example) but also in what personal information triggers them, and, like it or not, each law has its own definition. An important first step is therefore understanding what data qualifies as PII that must be protected.

To start, you need to understand which laws are relevant to your business. A number of federal laws apply to specific kinds of businesses, but much information privacy law is state law. You will need to know the specific definitions in your state's laws, though general trends can help you read them. Given the complexity, it is best to discuss these laws with your lawyer to understand what is required of you.

FEDERAL PRIVACY

Some important federal laws that affect some businesses are HIPAA, COPPA, and the Gramm-Leach-Bliley Act. You may have heard of HIPAA from signing forms at the hospital. HIPAA applies to "covered entities": health plans, health care clearinghouses, and health care providers that transmit health information electronically, such as when billing insurance. It also extends to "business associates," businesses that contract with covered entities and handle patient information on their behalf. If your business is involved in health care, you need to look into whether HIPAA applies to you. HIPAA's "protected health information" covers essentially any information a covered entity holds that relates to someone's physical or mental health, treatment, or payment for treatment. However, to be protected, the information must identify the person or provide a reasonable basis to identify them; properly de-identified data falls outside HIPAA.

COPPA is a law that protects children's privacy online. It applies if your business operates a website or online service that is directed to children under 13, or if you have actual knowledge that you are collecting personal information online from a child under 13. The actual-knowledge standard means a general-audience site is not covered merely because some children might use it, but it is covered once it knows a particular user is a child, for example from a birth date entered at registration. COPPA defines personal information by a list: a first and last name; a home or other physical address; online contact information such as an email address; a screen or user name that functions as online contact information; a telephone number; a Social Security number; a persistent identifier such as a cookie or device ID that can recognize a user over time; a photograph, video, or audio file containing the child's image or voice; geolocation precise enough to identify a street and city; and any other information combined with one of these. As such, if there is any chance children could submit their information online, you need to be aware of COPPA's requirements. The FTC, which enforces COPPA, publishes compliance guidance on its website.

The Gramm-Leach-Bliley Act applies to financial institutions, a term defined broadly to include not only banks and insurers but also businesses significantly engaged in financial activities such as lending, tax preparation, or debt collection. It covers "nonpublic personal information," meaning personally identifiable financial information obtained from a consumer that is not publicly available. You need to be concerned with this act only if you operate a financial institution of some kind, but check the definition before assuming you do not.

STATE PRIVACY

At the state level, many states have their own consumer data protection laws. Some are narrow: California's Song-Beverly Credit Card Act, for example, restricts the personal information a merchant may request and record from a customer during a credit card transaction. If you accept credit card payments, be aware of any such law in your state. Other, broader state privacy laws may also apply to your business, though many of them apply only to businesses above a certain size, measured by revenue or by the number of consumers whose data is processed. Check these thresholds to see whether your local laws affect your business.
These laws also define PII differently, though a few patterns recur. Some define PII broadly as any information that can be used to identify a person. A definition that broad offers little guidance, so you would want to look closely at how the law has been enforced, or hedge your bets and assume almost anything identifying could trigger it: obvious items like name, address, Social Security number, or birthday, and less obvious ones like a client's gender, nationality, or age.

Other laws define PII as nonpublic information or by a defined list of items. These approaches give more guidance but can still surprise the unwary. In Pineda v. Williams-Sonoma Stores, for example, the California Supreme Court held that a ZIP code alone is personal identification information under the Song-Beverly Credit Card Act, so a merchant could not request and record it during a credit card transaction. Some laws also require more than a single piece of information before data qualifies as PII. It is important to err on the side of caution and to know the specifics of your area's laws.

INTERNATIONAL PRIVACY

An important note is the international side of information privacy. If your business wants to work with international clients, you need to know the laws of those jurisdictions for handling client data. For example, the EU's General Data Protection Regulation (GDPR) regulates personal data far more tightly than is typical in the US, defines personal data broadly as any information relating to an identifiable person, and can apply to a US business that offers goods or services to people in the EU or monitors their behavior there.

CONCLUSION

It is important to know what privacy laws your business might deal with. You will want to look into the specific laws of your area and any places you expand into. Understanding PII is only one step to cover both yourself and your clients. Once you understand whether you are triggering regulations you will then need to look into what those regulations require and take further steps. Simply taking personally identifiable information from a client by itself isn’t necessarily a problem. Your business just needs to be cognizant of the accompanying legal requirements and risks that go along with that information.

Sources:
Daniel J. Solove & Paul M. Schwartz, Information Privacy Law (6th ed. 2018).
Andy Green, Complete Guide to Privacy Laws in the United States, Varonis (updated Mar. 29, 2020), https://www.varonis.com/blog/us-privacy-laws/
Logan Kline, Protecting Personally Identifiable Information in the United States, U. Cin. L. Rev. (Sept. 9, 2020), https://uclawreview.org/2020/09/09/protecting-personally-identifiable-information-in-the-united-states/
Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 162 (Cal. 2011).
15 U.S.C. §§ 6501–6502 (COPPA).
15 U.S.C. § 6809 (Gramm-Leach-Bliley Act definitions).
42 U.S.C. § 1320d (HIPAA definitions).
Cal. Civ. Code § 1747.08 (Song-Beverly Credit Card Act).