5 Concepts to Consider When Drafting a Privacy Policy

By Mark L. Farina, Klineburger & Nussey

 

Privacy policies, we have all seen them.  Whether large booklets of small type, pop-up messages requiring an affirmative “click,” or long scrolling lists of dense text, their universal intent is to inform users about the collection and interaction of data they provide.  For this article, “users” refers to those persons who access a website or make an inquiry while “consumer” refers to someone who seeks to purchase a good or service.

 

Controlling Laws

Although most users may not give privacy policies a second thought, the Federal Trade Commission (FTC) stands ready to ensure businesses practice what they preach in those privacy statements.  It is, therefore, paramount to understand how to avoid implementing a poorly conceived privacy policy.

 

Under the FTC enforcement guidelines, the primary purpose of a privacy policy is to inform users what personal information is collected and how such information will be used and kept safe.  To make sure businesses follow-through on these promises, the FTC has the authority to bring enforcement actions.

 

If a business fails to fulfill its promise, the FTC may consider that breach of promise to be a “deceptive” practice under Section 5 of the FTC Act.  In this context, “deceptive” will involve a material statement or omission likely to mislead consumers who are acting reasonably under the circumstances.  These include false promises, misrepresentations, and failure to comply with representations made in privacy policies.

 

Beyond deception, the FTC may also bring actions under “unfair” practices.  Unfair practice claims exist when injuries to consumers are substantial, lacking in offsetting benefits, and could not be reasonably avoided.

 

Although no overarching federal law requires privacy notices, certain sector-specific statutes such as Children’s Online Privacy Protection Act (COPPA), Gramm-Leach-Bliley, and Health Insurance Portability and Accountability Act (HIPAA) apply under particular circumstances.

 

Bare Necessities

As of this writing, three states, Delaware, Nevada, and California, have taken the initiative in enacting independent privacy policy requirements, with nine other states holding drafts still in committee.  While each applicable state’s requirements should always be reviewed in detail and implemented fully, there are some generally applicable principles.

 

Privacy policies should be conspicuously posted and contain statements regarding: a) the scope of the policy; b) the user information collected; c) the method by which a user may modify collected information; d) the method by which privacy policy changes are transmitted; e) any disclosures to a third party and how a user may opt-in or opt-out of such disclosures; and f) an effective date for the policy.

 

Extra care should be taken when a minor’s information is collected, as this will require compliance with COPPA and any non-preempted state requirements, such as parental consent.

 

With that in mind, here are 5 concepts to consider in every privacy policy:

 

Knowing is Half the Battle

Businesses must understand what consumer information they hold, and which stakeholders legitimately need access.  In gaining an understanding, businesses should be able to answer the following series of questions.

 

A. Types of Information

Can the information be used to identify the person providing it?  Does it include Social Security numbers, financial information, health information, or driver’s license information?  Is the information likely to be publicly available?

 

While there is no singularly correct answer, businesses should aim for reduction at every stage.  Collecting only vital information is a good starting point.  Beyond reduction, information that is collected should be correct and updated regularly.

 

B. Time of Collection

At what point in the consumer interaction is information collected?  During registration or account setup?  Is the consumer required to review and update their information at some interval?  Are updates optional?  Are updates encouraged through reminders?

 

C. Storage of the Information

Once collected, how is consumer information stored?  Onsite, offsite, or in a cloud?  Does the business handle storage, or is that outsourced?  If outsourced, what liability does the third-party have?  What control of the third-party does the business hold?

 

After collection, secure storage is a must.  Engaging a third-party for information storage is both acceptable and widely unitized.  However, such engagement must include a written contract containing explicit language regarding the third-party’s methods and liability.  Verifiable practices and procedures of third-parties are always preferable.

 

D. Access to the Information

During collection or storage, who has access to consumer information?  Is access tracked and recorded?  Is access limited to only those roles?

 

Only employees with legitimate business purposes should have access to personally identifiable consumer information.  Limiting access also limits legal exposure.

 

Advice should be sought from a privacy professional if a legitimate business purpose necessitates collecting Social Security numbers, financial information, health information, or driver’s license information, as compliance with one of the various privacy regulations may be required.

 

Under certain circumstances, including but not limited to the European Union’s General Data Protection Regulation (GDPR), the CCPA, and HIPAA, providers of data must also have access to that same data.  Such access may also include the right to have that same data amended and or deleted.

 

Kept it Short and Sweet

Businesses should limit the information they collect and maintain to what is required for their legitimate business purposes.  A possible future need, as tempting as it may be, brings present exposure to legal ramifications.  Furthermore, customers equate the collection of seemingly erroneous information as “big brother,” “creepy,” and undesirable.

 

Security as a Way of Life

Through risk assessment and implementation of procedures for electronic security (computer hard-drivers, cloud storage, etc.), physical security (access to buildings, devices, paper records, etc.), employee training, and vendor management, businesses can protect the information they hold.

 

An essential part of security is access control.  As mentioned above, limit employee or third-party access as much as possible.  Legitimate business interests should be the measuring device.

 

For those who do have access, strong passwords, and authentication that disallows bypass, is a must.  Although employees may bristle against this, or productivity may slow slightly, the gains in security are more valuable.

 

Finish as You Started

Businesses should securely dispose of information they no longer need.  Such disposal is both a best practice and required under certain laws, such as CCPA or Delaware’s privacy laws.

 

Secure disposal generally includes digital techniques such as erasing, wiping, or overwriting, and physical techniques such as burning, melting, pulverizing, and de-magnetizing that render the information unreadable.  Although retention of personal information may be necessary, once the legitimate business purpose is complete, it may be imprudent to retain it.

 

Contingencies Are a Must

In the current global climate, exposure to a hacking attempt is inevitable.  Therefore, businesses should have a plan in place to respond to security incidents when they occur.  A proper plan could reduce or eliminate liability when that inevitable incident occurs.

 

The first stage of any plan should be verification that a breach in personal information actually occurred.  Breaches may take many forms, including unintended disclosures, hacking or malware, payment card fraud, insider disclosures, or physical losses.  Look to the applicable privacy regulation for definitions qualifying when a breach has occurred.

 

The second stage is to contain and analyze the breach.

 

The third stage is the notification of the consumers affected.  Such notification requirements (including when notification is required; how long before notification provided; who must be notified; the method of notification; and the amount of information shared in notifications) vary state-by-state.  Businesses must be aware of all applicable rules.

 

The final stage is internal self-assessment, third-party audits, and additional training.

 

Ultimately, regardless of the language utilized in a privacy policy, it must be adhered to, or the business risks an enforcement action from the FTC or the cornucopia of other federal agencies, European Union member states, or state attorneys general.


Mark L. Farina, Esq. is an associate with Klineburger & Nussey.

 

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.


Leave a Reply

Your email address will not be published. Required fields are marked *