On Creating a Privacy Policy

  1. In general:
    1. There is no one-size-fits-all solution in making a privacy policy.
    2. No single privacy policy should contain all or most of the model provisions.
    3. The model also may not contain provisions that relate to detailed practices of a specific company.
    4. All statements made in a privacy policy statement must be both accurate and not misleading.
    5. Is having a privacy policy important?
      1. A study done in 2015 by University of Chicago professors tested whether simplifying privacy disclosures affected the respondents. According to the professors, the results indicated that none of the simplification techniques they used helped either to inform respondents or to affect their behavior.
        1. Accordingly, the professors questioned whether it made sense to concentrate a great deal of regulatory effort on improving disclosures.
  2. Considerations before drafting:
    1. What is a privacy policy?
      1. It is a statement of how the enterprise will treat personal information with which it comes into contact. The enterprise’s policy or policies should cover all such information.
    2. Is a privacy policy required by law? Are there certain statements that must be made in the privacy policy?
      1. In general, there is no requirement in the United States that a business enterprise (or other collector of personal information) have a privacy policy.
      2. Some people disagree, however. Federal Trade Commission Commissioner Thomas Rosch believes that proclaiming a privacy policy is required by law, because failure to do so “would be deceptive in that it would entail a failure to disclose material facts” in violation of Section 5 of the FTC Act, 15 U.S.C. Sec. 45.
        1. In the past two years, the Federal Trade Commission (FTC) has flexed its enforcement muscles, taking on Internet behemoths like Google, Facebook, Twitter and MySpace. The FTC will continue to focus much of its enforcement efforts on individuals and companies that violate consumers’ data privacy rights. That’s not a prediction—it’s a certainty.
        2. The FTC’s primary enforcement tool is Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC often brings cases on a “deception” theory, based on a business’s failure to live up to representations in its own privacy statements or policies, or its failure to disclose material facts about its privacy-related practices. We’ll use the term “privacy statement” to cover all name variations, including privacy policy and privacy notice.
        3. For example, according to the MySpace complaint, in contrast to averments in its privacy statement, the company shared information with third parties without notice to, or permission from, users; enabled advertisers to individually identify users; shared member web-browsing information with advertisers, and violated principles of the U.S.-EU Safe Harbor framework.
        4. For engaging in these allegedly deceptive practices, MySpace was ordered to implement a comprehensive privacy program, conduct periodic privacy audits, and provide biennial privacy assessment reports to the government for a 20-year period, and retain certain materials for a five-year period.
      3. However, a legal obligation to have and disclose a privacy policy does arise in some situations, including:
        1. California Online Privacy Act of 2003, which requires operators of commercial websites and other online commercial efforts to post privacy policies and conform to them.
        2. Section 503 of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6803. When a financial institution establishes the customer relationship, and annually thereafter, the law requires it to give the customer a clear disclosure of the institution’s policies and practices regarding disclosure of non-public personal information (NPPI) to affiliates and non-affiliates, disclosure of the NPPI of former customers, and its protection of consumer NPPI.
        3. The Safe Harbor principles, a regime established by the U.S. Department of Commerce and the European Commission, under which personal information lawfully may be exported from the European Union to a certified enterprise in the United States.
        4. The Children’s Online Privacy Protection Act (COPPA) directed the FTC to promulgate regulations that require the operator of any website or online service that (1) is directed to children and collects personal information from children or (2) has actual knowledge that it is collecting personal information from a child.
        5. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule, which provides individuals certain rights regarding their protected health information (PHI).
    3. If a privacy policy is not required by law, is there any reason to have a privacy policy?
      1. There are many benefits to having a privacy policy, especially for companies that deal with consumers.
        1. Competitive advantage.
          1. A seller may distinguish itself from competitors by offering privacy assurances to prospective customers.
            1. Consumers in numerous surveys have expressed concern over what happens to the personal information they provide to vendors.
        2. Good corporate citizenship.
          1. Privacy statements are often viewed as a sign of good corporate citizens that respect privacy.
        3. State law.
          1. Although federal law does not generally mandate public statements regarding data practices, certain state laws do.
        4. Business facilitating.
          1. Most businesses – and virtually all large ones – dealing in consumer information require publicized privacy assurances as a prerequisite to engaging in a business relationship with them.
        5. Legal Protection.
          1. Privacy statements serve to rebut allegations that a business did not give notice of its consumer data usage, and so limit liability for the entity’s conduct.
    4. Before addressing a policy, you must determine what all of your actual privacy practices are.
      1. This includes collection, use, storage, disclosure, and disposal of personal information.
      2. Many large companies and enterprises conduct privacy audits. For an increasing number of data exporters, a large part of the solution to the dilemma lies in something called the data protection audit.
        1. In a data protection audit, an individual with knowledge in the law of the pertinent jurisdictions makes a detailed investigation of a company’s data protection policies and practices.
        2. The audit analyzes each of the company’s policies, or, if the company has none, will promulgate a policy.
        3. It will also identify and analyze in some detail the procedures used by the company in collecting and processing data, and it will suggest modifications to those procedures.
        4. The work product of the audit is a set of suggested revisions to the data protection policies and procedures, with the goal of bringing them into conformity with the laws and with each other.
      3. The purpose of a policy is to inform customers of actual practices. This requires communicating with all pertinent areas of the enterprise (e.g., information technology department, sales department, marketing department, customer service department, and legal team) so as to learn what the actual practices are.
      4. Thus, you must be sure about things such as:
        1. that the policy embraces practices such as the capture of point-of-sale information and other information generated through various electronic sales and payment systems;
        2. the handling of information arriving through the “Contact Us” hyperlink;
        3. the processing employed by vendors of cloud computing.
      5. Unless the policy statement expressly limits itself to some particular form or vehicle (e.g., online activity, or collection through a particular website), the policy should cover information collected in all forms (hard copy as well as electronic) and through all vehicles.
    5. Identify all restrictions that third-party arrangements place upon personal information used by your enterprise.
      1. If agreements with other enterprises impose restrictions on some data that you require, you do not want your policy to be less restrictive than those provisions for the data covered by those agreements.
    6. Identify all disclosures of personal information that you should make and the restrictions that you place on personal information so disclosed.
      1. These disclosures must be included expressly or explicitly in the policy, and you may wish to note in the policy the restrictions in place on the disclosed
    7. Do you need a separate policy for your employee personal information?
      1. In general, yes. The treatment afforded human resources data may differ from that afforded consumer data. Human resources data often contains information (e.g. medical information or Social Security numbers) deemed more sensitive than consumer information.
    8. Is your website or online service (1) directed to children under the age of 13, or (2) is it likely you will have actual knowledge that you are collecting or maintaining personal information collected from such child?
      1. If so, you must comply with the Children’s Online Privacy Protection Act (COPPA).
        1. A website or online service directed to children means (1) a commercial website or online service that is targeted to children; or (2) that portion of a commercial website or online service that is targeted towards children. 15 U.S.C. Sec. 6501.
  3. While drafting:
    1. Draft a user-friendly policy.
      1. There are important legal ramifications to the language chosen, and a skillful writer can convey the appropriate meaning without resorting to an abundance of “legalese”.
    2. Is this privacy policy intended to apply to all consumer data collected by your enterprise, or only some of it, e.g. consumer data collected through a particular website or webpage?
      1. Any privacy policy not meant to apply to all of the enterprise’s personal information should explicitly circumscribe its application, or it may be held to have a broader scope.
      2. The FTC took the position in December 2001 that, when a company announces a privacy policy on its website and the policy does not clearly indicate that it is limited to the website, the policy governs all the company’s activities, off-line as well as online.
        1. See “Attorneys React to Unexpected Shift in FTC Policy on Off-line Collection, Use of Information,” Privacy L. Adviser 997 (Jan. 9, 2002).
    3. The policy should reflect your enterprise.
      1. Don’t take some other vendor’s privacy policy statement and engage in a copy-and-paste exercise. You don’t want to be bound by some other business’s promises, as they may not fit the realities of your own business. In particular, you don’t want to make promises you can’t keep.
    4. Beware of stating that you make no disclosures of personal information.
      1. At the very least, you will presumably disclose if presented with a legal requirement to do so. And the more thought you give to it, the more likely you are to think of other disclosures you will or may make (e.g. to service providers – even if you don’t have any now – or affiliates). The time to ferret these questions out is now, before you post your policy statement.
    5. In practice, try to get the enterprise to buy into the policy, especially the employees, rather than forcing them to begrudgingly acknowledge it.
    6. Don’t promise more than the law and/or your commercial or enterprise interests require.
      1. You are less likely to be liable for breach under a less restrictive policy.
      2. Note that a policy will generally not bind your users, but it will likely be enforceable against you, and its breach will result in your liability.
      3. Accordingly, a less restrictive policy is likely to result in a lower probability of liability simply because under a more permissive policy there is less conduct that would constitute a breach.
      4. A less restrictive policy will enhance your ability to unilaterally modify the policy.
      5. After a privacy policy has been in place for a period of time, a vendor sometimes wishes to change it, having discovered that the policy no longer suits the business because the business has changed.
    7. Try not to offer absolute guarantees.
  4. After drafting:
    1. Internally validate the draft policy statement.
      1. Before considering the policy in its final form, pass it by and seek feedback from the same individuals who contributed to its creation.
    2. Make sure the policy statement is readily available to users.
      1. On a website, placing a “privacy policy” hyperlink prominently at the bottom of every page seems to suffice as to personal information to be collected in the future.
    3. Review policy periodically.
      1. Your practices may change, and your understanding of them may suggest necessary or beneficial changes.
      2. The policy statement must be a living document that reflects current practices.
      3. In practice, when you put the policy in place, make sure that each of your pertinent employees is well aware of the policy and of the obligations it places on him or her.
      4. Once you post the policy, make sure that from that time on it is the only policy that your website, papers, and other materials display for the sphere of activity the policy covers, and that it explicitly says so.
  5. The OECD Guidelines – Organisation for Economic Co-operation and Development.
    (LINK)
  6. There are other resources available for making privacy policies.
    1. http://www.freeprivacypolicy.com/free-privacy-policy-generator.php
    2. http://p3pwiz.com
  7. Above all, don’t forget common sense!