{"id":336,"date":"2020-04-06T09:35:36","date_gmt":"2020-04-06T13:35:36","guid":{"rendered":"https:\/\/pbacyber.com\/?p=336"},"modified":"2020-04-06T09:40:43","modified_gmt":"2020-04-06T13:40:43","slug":"5-concepts-to-consider-when-drafting-a-privacy-policy","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2020\/04\/06\/5-concepts-to-consider-when-drafting-a-privacy-policy\/","title":{"rendered":"5 Concepts to Consider When Drafting a Privacy Policy"},"content":{"rendered":"

By Mark L. Farina, Klineburger & Nussey<\/a><\/p>\n

 <\/p>\n

Privacy policies, we have all seen them.\u00a0 Whether large booklets of small type, pop-up messages requiring an affirmative “click,” or long scrolling lists of dense text, their universal intent is to inform users about the collection and interaction of data they provide.\u00a0 For this article, “users” refers to those persons who access a website or make an inquiry while “consumer” refers to someone who seeks to purchase a good or service.<\/p>\n

 <\/p>\n

Controlling Laws <\/strong><\/p>\n

Although most users may not give privacy policies a second thought, the Federal Trade Commission<\/a> (FTC) stands ready to ensure businesses practice what they preach in those privacy statements.\u00a0 It is, therefore, paramount to understand how to avoid implementing a poorly conceived privacy policy.<\/p>\n

 <\/p>\n

Under the FTC enforcement guidelines<\/a>, the primary purpose of a privacy policy is to inform users what personal information is collected and how such information will be used and kept safe.\u00a0 To make sure businesses follow-through on these promises, the FTC has the authority to bring enforcement actions.<\/p>\n

 <\/p>\n

If a business fails to fulfill its promise, the FTC may consider that breach of promise to be a “deceptive” practice under Section 5 of the FTC Act<\/a>.\u00a0 In this context, \u201cdeceptive\u201d will involve a material statement or omission likely to mislead consumers who are acting reasonably under the circumstances<\/a>. \u00a0These include false promises, misrepresentations, and failure to comply with representations made in privacy policies<\/a>.<\/p>\n

 <\/p>\n

Beyond deception, the FTC may also bring actions under “unfair” practices.\u00a0 Unfair practice claims exist when injuries to consumers are substantial, lacking in offsetting benefits, and could not be reasonably avoided<\/a>.<\/p>\n

 <\/p>\n

Although no overarching federal law requires privacy notices, certain sector-specific statutes such as Children’s Online Privacy Protection Act<\/a> (COPPA), Gramm-Leach-Bliley<\/a>, and Health Insurance Portability and Accountability Act<\/a> (HIPAA) apply under particular circumstances.<\/p>\n

 <\/p>\n

Bare Necessities <\/strong><\/p>\n

As of this writing, three states, Delaware<\/a>, Nevada<\/a>, and California<\/a>, have taken the initiative in enacting independent privacy policy requirements, with nine other states holding drafts still in committee<\/a>.\u00a0 While each applicable state’s requirements should always be reviewed in detail and implemented fully, there are some generally applicable principles.<\/p>\n

 <\/p>\n

Privacy policies should be conspicuously posted and contain statements regarding: a) the scope of the policy; b) the user information collected; c) the method by which a user may modify collected information; d) the method by which privacy policy changes are transmitted; e) any disclosures to a third party and how a user may opt-in or opt-out of such disclosures; and f) an effective date for the policy.<\/p>\n

 <\/p>\n

Extra care should be taken when a minor’s information is collected, as this will require compliance with COPPA<\/a> and any non-preempted state requirements, such as parental consent.<\/p>\n

 <\/p>\n

With that in mind, here are 5 concepts<\/a> to consider in every privacy policy:<\/p>\n

 <\/p>\n

Knowing is Half the Battle<\/strong><\/p>\n

Businesses must understand what consumer information they hold, and which stakeholders legitimately need access.\u00a0 In gaining an understanding, businesses should be able to answer the following series of questions.<\/p>\n

 <\/p>\n

A. Types of Information<\/strong><\/p>\n

Can the information be used to identify the person providing it?\u00a0 Does it include Social Security numbers, financial information, health information, or driver\u2019s license information?\u00a0 Is the information likely to be publicly available?<\/p>\n

 <\/p>\n

While there is no singularly correct answer, businesses should aim for reduction at every stage.\u00a0 Collecting only vital information is a good starting point.\u00a0 Beyond reduction, information that is collected should be correct and updated regularly.<\/p>\n

 <\/p>\n

B. Time of Collection<\/strong><\/p>\n

At what point in the consumer interaction is information collected?\u00a0 During registration or account setup?\u00a0 Is the consumer required to review and update their information at some interval?\u00a0 Are updates optional?\u00a0 Are updates encouraged through reminders?<\/p>\n

 <\/p>\n

C. Storage of the Information<\/strong><\/p>\n

Once collected, how is consumer information stored?\u00a0 Onsite, offsite, or in a cloud?\u00a0 Does the business handle storage, or is that outsourced?\u00a0 If outsourced, what liability does the third-party have?\u00a0 What control of the third-party does the business hold?<\/p>\n

 <\/p>\n

After collection, secure storage is a must.\u00a0 Engaging a third-party for information storage is both acceptable and widely unitized.\u00a0 However, such engagement must include a written contract containing explicit language regarding the third-party’s methods and liability.\u00a0 Verifiable practices and procedures of third-parties are always preferable.<\/p>\n

 <\/p>\n

D. Access to the Information<\/strong><\/p>\n

During collection or storage, who has access to consumer information? \u00a0Is access tracked and recorded?\u00a0 Is access limited to only those roles?<\/p>\n

 <\/p>\n

Only employees with legitimate business purposes should have access to personally identifiable consumer information.\u00a0 Limiting access also limits legal exposure.<\/p>\n

 <\/p>\n

Advice should be sought from a privacy professional if a legitimate business purpose necessitates collecting Social Security numbers, financial information, health information, or driver’s license information, as compliance with one of the various privacy regulations may be required.<\/p>\n

 <\/p>\n

Under certain circumstances, including but not limited to the European Union’s General Data Protection Regulation<\/a> (GDPR), the CCPA<\/a>, and HIPAA, providers of data must also have access to that same data.\u00a0 Such access may also include the right to have that same data amended and or deleted.<\/p>\n

 <\/p>\n

Kept it<\/strong> Short and Sweet<\/strong><\/p>\n

Businesses should limit the information they collect and maintain to what is required for their legitimate business purposes.\u00a0 A possible future need, as tempting as it may be, brings present exposure to legal ramifications.\u00a0 Furthermore, customers equate the collection of seemingly erroneous information as “big brother,” “creepy,” and undesirable.<\/p>\n

 <\/p>\n

Security as a Way of Life<\/strong><\/p>\n

Through risk assessment and implementation of procedures for electronic security (computer hard-drivers, cloud storage, etc.), physical security (access to buildings, devices, paper records, etc.), employee training, and vendor management, businesses can protect the information they hold.<\/p>\n

 <\/p>\n

An essential part of security is access control.\u00a0 As mentioned above, limit employee or third-party access as much as possible. \u00a0Legitimate business interests should be the measuring device.<\/p>\n

 <\/p>\n

For those who do have access, strong passwords, and authentication that disallows bypass, is a must.\u00a0 Although employees may bristle against this, or productivity may slow slightly, the gains in security are more valuable.<\/p>\n

 <\/p>\n

Finish as You Started<\/strong><\/p>\n

Businesses should securely dispose<\/a> of information they no longer need. \u00a0Such disposal is both a best practice and required under certain laws, such as CCPA<\/a> or Delaware’s<\/a> privacy laws.<\/p>\n

 <\/p>\n

Secure disposal generally includes digital techniques such as erasing, wiping, or overwriting, and physical techniques such as burning, melting, pulverizing, and de-magnetizing that render the information unreadable.\u00a0 Although retention of personal information may be necessary, once the legitimate business purpose is complete, it may be imprudent to retain it.<\/p>\n

 <\/p>\n

Contingencies Are a Must<\/strong><\/p>\n

In the current global climate, exposure to a hacking attempt is inevitable. \u00a0Therefore, businesses should have a plan in place to respond to security incidents when they occur.\u00a0 A proper plan could reduce or eliminate liability when that inevitable incident occurs.<\/p>\n

 <\/p>\n

The first stage<\/u> of any plan should be verification that a breach in personal information actually occurred.\u00a0 Breaches may take many forms, including unintended disclosures, hacking or malware, payment card fraud, insider disclosures, or physical losses. \u00a0Look to the applicable privacy regulation for definitions qualifying when a breach has occurred.<\/p>\n

 <\/p>\n

The second stage<\/u> is to contain and analyze the breach.<\/p>\n

 <\/p>\n

The third stage<\/u> is the notification of the consumers affected.\u00a0 Such notification requirements (including when notification is required; how long before notification provided; who must be notified; the method of notification; and the amount of information shared in notifications) vary state-by-state.\u00a0 Businesses must be aware of all applicable rules.<\/p>\n

 <\/p>\n

The final stage<\/u> is internal self-assessment, third-party audits, and additional training.<\/p>\n

 <\/p>\n

Ultimately, regardless of the language utilized in a privacy policy, it must be adhered to, or the business risks an enforcement action from the FTC or the cornucopia of other federal agencies, European Union member states, or state attorneys general.<\/p>\n

\n

Mark L. Farina, Esq. is an associate with Klineburger & Nussey.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

By Mark L. Farina, Klineburger & Nussey   Privacy policies, we have all seen them.\u00a0 Whether large booklets of small type, pop-up messages requiring an affirmative “click,” or long scrolling lists of dense text, their universal intent is to inform users about the collection and interaction of data they provide.\u00a0 For this article, “users” refers
Read More »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,34],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/336"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=336"}],"version-history":[{"count":5,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/336\/revisions"}],"predecessor-version":[{"id":341,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/336\/revisions\/341"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}