Existing laws may require that you post an online privacy policy explaining your information collection practices and your use and disclosure of the information you collect. Any company with an online presence should thus consider whether it is necessary or appropriate to post an online privacy policy and, if so, take steps to avoid the common pitfalls associated with such policies.

  • Determine whether you need an online privacy policy. Do you collect information online? Are you required by law (such as the California Online Privacy Protection Act (http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579) or the Children's Online Privacy Protection Act (http://www.ftc.gov/privacy/privacyinitiatives/childrens.html)) to have an online privacy policy? Additionally, consider whether the failure to disclose your information collection and use practices—or the manner in which you disclose such practices—could be considered unfair or deceptive. If so, the FTC could bring an enforcement action under Section 5 of the FTC Act (http://www.law.cornell.edu/uscode/15/usc_sec_15_00000045----000-.html).
  • DO NOT copy your privacy policy from someone else. Study your company's information collection practices, and make sure you fully understand how your company will use, disclose and maintain such information, before you write your privacy policy. This may require involvement of many different people, including your marketing department and IT personnel. A privacy policy copied from another website will describe another company's practices—not yours. If it does not describe your practices, it could result in liability and a public relations nightmare.
  • Accurately and simply describe and disclose all of your privacy practices. Before drafting your policy, consider all of the different reasons you will collect information and what you will do with it. Accurately describe those practices in your privacy policy—as simply as possible. Don't bury your practices in legalese or a policy that is longer than necessary, and make sure your marketing materials are consistent with your stated privacy policy and your practices. Otherwise, your disclosure may not be adequate.
    For example, in FTC v. Sears Holdings Management Corp. (http://www.ftc.gov/os/caselist/0823099/index.shtm), the FTC alleged that Sears did not adequately disclose information about software it placed on consumers' computers. Sears represented that the software tracked online browsing, but only described the full extent of its software (which also tracked secure online sessions and certain activities unrelated to the Internet) in a lengthy license agreement at the end of a multistep registration process. As a result, the FTC initiated an enforcement action against Sears.
  • Only make promises that you can and will keep. If you EVER may sell or disclose information to third parties, your privacy policy should say so. If you tell consumers that you will never share their information, you should NEVER do so. If you tell consumers that you will protect their information, take reasonable steps to do so.
    The FTC often initiates enforcement actions against companies that break these types of promises. In FTC v. Twitter (http://www.ftc.gov/os/caselist/0923093/index.shtm), for example, the FTC alleged that Twitter falsely represented that it used at least reasonable safeguards to protect user information by stating that it uses "administrative, physical, and electronic measures designed to protect ... information from unauthorized access." Despite such statements, hackers using password-guessing software were able to gain control of Twitter and access nonpublic user information. As a result of the enforcement action, Twitter entered a consent judgment and was required to, among other things, establish a new information security program.
  • Stay abreast of technical issues. New methods of obtaining data and tracking Internet users lead to new privacy concerns. Most recently, Flash cookies have come under scrutiny, and consumers have filed class action lawsuits alleging that companies have used Flash cookies in ways inconsistent with their privacy policy promises (for example, see Valdez v. Quantcast Corp. (http://dockets.justia.com/docket/california/cacdce/2:2010cv05484/478381)). When adopting new technology, consider its privacy implications. And keep reexamining your current disclosures and practices in light of new research, such as the research on Flash cookies.
  • Work with your service providers to ensure that they comply with your privacy policy. Sometimes advertisers or service providers place cookies on the computers of people that visit your website. If so, this should be disclosed in your privacy policy. Also, you may use third parties to process payments or other information provided through your website. Investigate and disclose how those companies use or protect such information.
  • Do not make changes retroactive (without consent). Consumers decide whether to provide information to you based on your privacy policy. If you change your policy to better protect consumer information, or if your new privacy policy only applies to information collected after it is posted, that's fine. Generally, you should not make a new privacy policy retroactive if it expands the purposes for which you may use the information collected, unless you get the consumers' consent.

New legislation may, if passed, impose additional requirements on website operators and dramatically affect the collection, use and disclosure of information offline as well. For example, the Boucher-Stearns Discussion Draft (www.boucher.house.gov/images/stories/Privacy_Draft_5-10.pdf) and Bobby Rush's BEST PRACTICES Act (http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.5777) would require businesses to adopt privacy policies and disclose their privacy practices whenever collecting personal information (except for information collected and used solely as part of a particular business transaction), give individuals the ability to prevent a business from transferring information about them to an unrelated company unless they affirmatively agree to such disclosure, and impose very stringent requirements on collection and use of particular kinds of data (such as medical, financial and geolocation data).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.