The Why and How of Privacy Policies

Why Privacy Policies

Whenever you’ve used a new website or piece of software, it’s likely that you’ve had to agree to terms and conditions. You’ve probably also been asked separately to agree to the privacy policies of companies. A privacy policy is a useful way to alert customers as to what they can expect with their personal information. With rising concerns about data privacy among everyday consumers, having a privacy policy can be an important way of keeping your consumers informed and happy with your business.

Furthermore, depending on the industry or state you are operating in, some laws require businesses to have posted privacy policies. There are laws that apply to particular industries and that may require your business to have a privacy policy, such as if you fall under HIPAA, deal significantly with financials, or collect children’s information online. More information regarding some laws that can apply can be found here. Some states also require privacy policies. For example, California law requires that commercial websites have privacy policies posted on their websites.

This article will walk you through things to consider when drafting a privacy policy, but it will also go over things to keep in mind going into the future to avoid liability.

Drafting a Privacy Policy

Privacy policies should help consumers identify what information you will be collecting from them; what you will do with the information, including handling and storage; and what laws might be applicable to the policy. Best practices would also include adding how you obtain data and your reasons for collecting data.

You should define what kind of information you will collect from your clients. The kinds of information you collect also inform what laws apply to you. More information on personally identifiable information and the applicable laws can be found here. You should include exactly what types of information will be collected, such as credit card information, names or other personal identifiers, and any other information such as preferences or trends.

Example: When you register for our service you provide us with your name, birth date, and address. If you make purchases through our website, you will also be providing us with your credit card information. We also keep track of what purchases you make through our website in order to improve the quality of the services we provide you.

You also want to be clear about what your business will or can do with the collected information. If you will delete records at some point, make that clear. If the information will be used solely for internal purposes for records or facilitation, you should mention that too. If the information collected could be shared, you should list with whom and under what circumstances that information could be shared.
Your privacy policy should also include how your business will respond to related requests from your consumers, such as requests to not be tracked, and also how it will handle data breaches. For data breaches, you need to adhere to state and federal requirements, but being clear on your exact policy for when, how, and who you will notify is important. For example, some states require that you notify only a state agency while others require consumer notification or both. You will want to determine any applicable requirements and incorporate them into your policy. You can find more information on data breach requirements here. Given the many differences in state law, you may wish to include specific sections in your privacy policy for certain states such as California.

Example: In the event of a data breach, we will investigate the extent of the breach. If our investigation identifies a likelihood that data that could be linked to consumers was compromised, then we will provide notification to the (insert relevant state agency) and to any users who are identified as being of risk.

Considerations to Keep in Mind

Once you’ve drafted and posted a privacy policy, you can’t just forget about your policy. You need to keep some things in mind if you want to best protect your interests and your consumers. Though consumers generally haven’t been able to successfully sue businesses based on their privacy policies, that doesn’t mean you are free to violate your own policy. The Federal Trade Commission (“FTC”) can and has acted against businesses that violated their own policy. As such, you should generally treat the policy as binding.
Additionally, if there is a major change in privacy law or you change your business model, you might think about amending your privacy policy. Generally, nothing prevents you from amending your privacy policy at will, assuming you comply with applicable law. However, if you change your policy, you need to give consumers notice of the change. You also should be careful about applying changes retroactively without proper notice and opportunity.

Changing privacy policies without notice can be an unfair or deceptive practice that can and does lead to action from the FTC, fines, and ameliorative action requirements. You should notify your customers in a way that makes sense for your business. Typically, at least an email will be warranted for users of your services. Providing time to look at changes and ask for consent, if only by lack of action, rather than automatically applying the policy provides a chance to object. Most consumers will likely pay little attention to changes, but by giving them this opportunity you can lessen the chance of action from the FTC. Including language reserving the right to change your policies at any time can also help prevent suit by putting customers on notice that the policies can change. Regardless, giving notice and getting consent from continual customers when changing your policies is important for avoiding liability.

Conclusion

Ultimately, a privacy policy is an important tool for establishing your data handling procedures, informing your clients, and complying with the law. Many free templates exist online, but it will be in most businesses’ best interest to seek legal advice on crafting a custom privacy policy.

Sources:

Daniel J. Solove & Paul M. Schwartz, Information Privacy Law (6th edition)

Elizabeth C. Rogers, Lexis Practice Advisor Journal, 15 Points to Remember when Drafting Privacy Policies, https://www.lexisnexis.com/lexis-practical-guidance/the-journal/b/pa/posts/drafting-privacy-policies

Sara P., Termsfeed, Privacy Policies are Mandatory by Law, https://www.termsfeed.com/blog/privacy-policy-mandatory-law/
Termsfeed, Sample Privacy Policy Template, https://www.termsfeed.com/blog/sample-privacy-policy-template/

PrivacyPolicies, Privacy Policies are Legally Required, https://www.privacypolicies.com/blog/privacy-policies-legally-required/

Maria P., PrivacyPolicies, Sample Privacy Policy Template, https://www.privacypolicies.com/blog/privacy-policy-template/

Patrick Fowler, S&W Cybersecurity and Data Privacy Law Blog, Why You Need a Privacy Policy – Part 2: Avoiding Three Common Fumbles, https://www.swlaw.com/blog/data-security/2015/03/12/why-you-need-a-privacy-policy-part-2-avoiding-three-common-fumbles/#:~:text=There%20is%20no%20general%20federal,that%20can%20lead%20to%20liability.

Image Sources:

https://www.picpedia.org/highway-signs/images/privacy.jpg

https://live.staticflickr.com/8116/29723649810_8cb4a06489_b.jpg

https://cdn.pixabay.com/photo/2012/04/16/13/54/federal-trade-commission-seal-36081_1280.png