2011 Resolution – Review Your Website Privacy Policy Before It's Too Late

Typical New Year’s resolutions include improving physical fitness or taming the bulge. These are all worthwhile. However, if you operate a SaaS or ecommerce website, you’d better move a review of your privacy policy to the top of your list.

Recent legal developments regarding privacy and data security have added new requirements, and the failure to comply could result in substantial liability.

2 Cardinal Rules Regarding Privacy and Data Security

As you begin your review, it’s important not to overlook the forest for the sake of the trees, so to speak. There are two cardinal rules to always keep in mind.

Rule No. 1: The fundamental purpose of a privacy policy is to disclose clearly the categories of information you collect, how you use the information, and with whom you share the information (or provide the means to access it).

Rule No. 2: The Federal Trade Commission (FTC) views a privacy policy almost like a contract with your website’s visitors. If you promise certain activities or practices in your privacy policy, but fail to deliver on a promise, the FTC says you’re liable for damages.

Read through your current privacy policy with the cardinal rules in mind. As you read, consider all that your site does regarding the collection, use, and sharing of information, particularly regarding your marketing practices.

• Does your privacy policy disclose all of the categories of information collected?
• Does it describe all the ways you use the information?
• Does it describe with whom you share the information (or provide the means to access it)?
• Compare what you promise in your privacy policy with the marketing practices you actually follow.

Privacy Policy Checklist

Here’s a checklist of issues to consider as you review your online privacy policy.

• Collection of Anonymous, Passive Information. Disclose how you collect anonymous, passive information with technology such as cookies, Internet tags, log files, and server logs, etc.
• Cookies. Cookies require special disclosures. Distinguish between 1st party cookies that you serve and 3rd party cookies served by others such as by Google for its Google Analytics service. Given the recent controversy and litigation over Flash cookies, it’s recommended that you do not use them, but if you do, you should explain clearly what they are and their effect on data collection.
• Behavioral Ads. Disclose whether you reserve the right to serve 3rd party cookies for purposes of serving behavioral ads, such as participation in Google’s AdSense network. Behavioral ads are based on anonymous data collected on how a user’s computer browses the Internet, including websites visited, searches made, and content read.
• Categories of Personal Information. You should clearly disclose all of the categories of personal information collected on your site. Personal information includes any information that may be used to identify a person, such as an email address.
• Sharing of Personal Information. Make sure that you identify all of the ways you share personal information, particularly information that may be shared for purposes of direct marketing. Also, identify any types of parties that you reserve the right to share personal information with such as corporate affiliates, service providers, and any party that may acquire your website business in the future.
• Links to Other Sites. State that visitors should review the privacy policies on these sites and that you have no responsibility for the policies and practices of these sites.
• Data Security. Disclose your standards for data security. Even if you are silent regarding data security standards, the FTC requires that you initiate and maintain “reasonable and appropriate” data security procedures.
• Children’s Online Policy. If you do not knowingly collect information from, or sell to, children under the age of 13, you should state accordingly. However, if you knowingly deal with children under the age of 13, you should strictly comply with the Children’s Online Privacy Protection Act (COPPA).
• Updating Personal Information. Describe how a user who has an account with your site may update the user’s personal information.

Privacy and Security Practices Checklist

The FTC has made it clear that your privacy policy is only the tip of the iceberg. You have other obligations that fall into the category of privacy and security practices which are separate, but related to, your privacy policy.

The FTC is empowered to represent the interests of consumers in the area of “unfair and deceptive trade practices”. The FTC has filed over 30 “unfair and deceptive trade practices” lawsuits in the last few years for what the FTC believes are lax practices regarding privacy and data security.

Here’s a checklist of privacy and security practices to consider.

• Physical Data Security. As stated above, the FTC requires that you initiate and maintain “reasonable and appropriate” data security procedures. These procedures include physical security measures and logical data access protection with strict controls over internal and external access to data.
• Service Providers. The FTC has made it clear that any third party, such as your website developer, website maintenance service provider, or hosting service provider, who has access to personal information in your website’s server, should be bound contractually to maintain the privacy and security of personal information.
• Outsourcing Website Hosting. Web hosting service providers require special consideration. The key is to ensure that the service provider’s security practices equal or exceed your practices if hosting were not outsourced.
• Administrative Security. A recent FTC case highlighted the FTC’s requirements for “administrative controls” for data security, including requiring administrators to use hard-to-guess passwords that are changed frequently, suspense or disablement of administrative passwords after a reasonable number of unsuccessful login attempts, and restricted access to administrative controls.
• Red Flag Identity Theft Policy. If your site acts as a “creditor” by using consumer reports with credit transactions, furnishing information to a consumer reporting agency for a credit transaction, or advancing funds to or on behalf of a person based on a person’s obligation to repay the funds or on repayment from specific property pledged by or on the person’s behalf, then you’re required to implement a policy by the Fair and Accurate Credit Transactions Act of 2003. The purpose of the policy is to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

Conclusion

A review – and possible update – of your privacy policy and related privacy and security practices should be a top priority as you move forward in 2011. The checklists provided in this article are not exhaustive, but they will get you pointed in the right direction.

New regulations are emerging and developing at a rapid pace. Failure to comply may result in substantial liability.