Privacy Policies: What Business Owners Need to Know

Whether you are an individual, a start-up, a small LLC or a large corporation, one thing is true for almost every business today – no matter what your good or service is, you have to have an online presence to succeed in today’s marketplace, whether that’s accomplished through an Internet website or a mobile application.

With the evolution of technology and the internet, and the increased use of data collection and targeted online behavioral advertising, consumers and the government have become more and more concerned with the idea of online privacy, and special interest lobby groups as well as state and federal governments have begun to intervene in order to establish a legal framework for protection of internet users’ personal information and enforcement against businesses who do not comply with it.

In the next series of articles, I will discuss and explain the laws and regulations currently affecting online privacy and the businesses that use online platforms, as well as what businesses can do to ensure they are in compliance and are following “best practices” when it comes to the Privacy Policy on their websites and mobile apps.

PART I: An Overview of Federal Regulation and Enforcement by the FTC

As of now, there is no comprehensive Federal law that protects consumer privacy online. There are, however, specific statutes and other regulations that have been enacted that impact consumer privacy online.

CATHERINE MCEVOY
Email: [email protected]
Phone: 310-551-0600

Internet privacy is policed by the FTC, which can take action only if a privacy violation is deemed deceptive or unfair. A privacy policy must, foremost, reflect the company’s actual information collection practices. If the policy is inaccurate or if the company fails to follow it, not only can a company find itself in litigation or the subject of a regulatory enforcement action, but the public relations consequences can be extremely costly and devastating to your business.

Under §5 of the FTC Act, the FTC may only take action if a privacy policy is “unfair” and/or “deceptive.” A policy may be unfair or deceptive if it includes a misrepresentation or if a material fact is omitted.

An act or practice is “unfair” if it causes or is likely to cause substantial injury to consumers, which is not reasonably avoidable and is not outweighed by countervailing benefits to consumers. 15 U.S.C.A. §45(n).

An act or practice is “deceptive” if it is likely to materially mislead a reasonable consumer in similar circumstances. 15 U.S.C.A. §45(n).

In 2012, the FTC published its recommendations to guide businesses in drafting their online privacy policies. The basic framework includes:

  • Privacy by Design – the FTC advises businesses to plan for privacy concerns at every stage of development, including: planning for reasonable security of data, limiting the collection and retention of data to that which is necessary or appropriate for the context of the website/online service, and reasonable protections to ensure the accuracy of the data collected.
  • Simplified Choice – the FTC recommends a “Do Not Track” or Opt Out option that allows consumers to decide what information is shared and with whom. Whether an Opt Out option is required turns on whether or not the collection of personal information is consistent with the context of business, product, or service. For example, information gathered for product fulfillment or fraud prevention will not necessarily require an Opt Out option.
  • Greater Transparency – the FTC recommends that businesses disclose conspicuously and in plain, clear language, the details of what and how personal information is collected and to provide consumers access to the data that is collected about them. In addition, consumers should be notified and their consent should be obtained if any changes are made to an existing policy.

What is Personally Identifiable Information (PII)? Personally Identifiable Information means information collected online about an individual consumer, such as: first and last name, a physical street address, an e-mail address, a telephone number, or any other identifier that permits the physical or online contacting of a specific individual. PII also includes information concerning a user that is collected online, such as birthday, weight, hair color, etc., and is maintained by an operator in personally identifiable form in combination with one of the above identifiers.

The circumstances under which the FTC has pursued businesses for violations can be used to help guide the drafting of a privacy policy and can be divided into two main areas: (1) Deception and (2) Unfairness.

Deception: Broken promises of privacy and security are the largest area of enforcement. Violations have been found through website operators’: (i) Failure to honor the opt out choices of users; (ii) Failure to refrain from disclosing information to third parties when the policy explicitly states information will not be shared; (iii) Failure to collect only the data that is disclosed in the policy; (iv) Failure to notify users of a change made to the Privacy Policy and to obtain their consent to the changes; (v) Failure to provide adequate security for personal data.

In In Re Eli Lilly & Co., an email sent to 669 people unintentionally disclosed personal information of consumers. The FTC alleged that this disclosure was caused by Eli Lilly’s failure to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information and its failure to adequately train and supervise its employees regarding consumer privacy and information security.

Even vague promises of security can be the basis of an FTC action. If security measures are drafted too vaguely, this opens the door for the FTC to apply a measurement of industry standards to determine whether the promises made in the Privacy Policy as to the security of users’ data, compared to the company’s actual practices, are unfair or deceptive. This allows the FTC to draw on the industry standards that are defined in other federal statutes, such as the Safe Harbor provisions of COPPA and/or GLBA, or to use evidence of other industry norms to evaluate the adequacy of the statement and/or the security measures taken by the company. This can be a stringent standard to meet, hence the importance of drafting language that is neither too restrictive nor too broad. When language is too restrictive, it can be difficult to abide by.

As mentioned above, the FTC has come to rely on a detailed list of industry standards to identify what are adequate security practices (see In re Microsoft Corp). Applicable examples from this list are: (i) Failure to contract with third parties for protection of information; (ii) Failure to have an adequate username/password protocol; (iii) Lack of encryption and failure to implement procedures to control access to information; (iv) Failure to manage third party access to data; (v) Failure to implement reasonable security measures to protect personal data.

Unfairness: Violations for “unfair” privacy policies have included:

  • Retroactive policy changes. For example, in In re Gateway Learning Corp., the website operator changed its privacy policy to allow the renting of PII to third parties when it had previously promised that it would not do so. Gateway did not inform customers about the change. The FTC explicitly took issue with Gateway’s application of new privacy practices to data collected under its older and different privacy policies.
  • Unfair information security practices. For example, in U.S. v. Rental Research Services, Inc., the defendant made no promises at all to safeguard the data, and the FTC deemed that its lack of adequate security measures, despite no broken promise, was an unfair practice.

To better ensure that an online privacy policy will be in compliance with the FTC’s standards, the following should be disclosed conspicuously, in a way that a reasonable consumer would understand:

  • (i) The identity of the entity collecting the data;
  • (ii) The nature of the data being collected;
  • (iii) The uses to which the data will be put;
  • (iv) The identity of potential third party recipients and a display of any applicable third party seals;
  • (v) The means of data collection, if not obvious – i.e. is the data collected passively from the user, or does the user actively supply the information? Does the site use cookies, Web bugs, spyware, or other devices to track/compile PII?;
  • (vi) Whether the provision of the data is mandatory or voluntary, and the consequences to the user of not providing the data;
  • (vii) Any Do Not Track/Opt Out options available to the user;
  • (viii) The steps taken to provide security mechanisms, including how data is to be stored, protected, and for how long;
  • (ix) The steps taken to ensure the integrity and quality of the data, including how consumers can update and correct their information; enforcement and redress procedures;
  • (x) Notice of how consumers will be informed of any changes made to the privacy policy.

The above checklist will be discussed in further detail in my next post, Part II – FTC Regulation and Enforcement – An In Depth Look at Guidelines and Best Practices.

It is very important for every business to have a Privacy Policy on its website and/or mobile application. At Kramer Holcomb Sheik LLP, we understand what the laws and regulations require and we can assist you with drafting and implementing your Privacy Policy, no matter what the size or complexity of your business model is. For more information visit www.khslaw.com.