Crafting a Privacy Policy for Your Clients

October 2014
The Daily Report
Joshua P. Gunnemann, Daily Report
Threats from the proliferation of electronic data are frequently cited as top concerns by general counsel of virtually every type of company in nearly every industry. Much of the attention has centered on data breaches, but an equally problematic area is the effective oversight of a company's privacy policy.
 
Increasingly, companies are coming under public scrutiny—from consumers and regulators—for their use and protection of private information.
 
A company has much to lose if it fails to effectively manage private user information. In addition to fines and penalties, consumer litigation is becoming common, and the damage to a company's reputation from a privacy misstep can be devastating. Helping your client develop a carefully crafted privacy policy is the first step in significantly reducing exposure to these threats. This article examines these issues.
 
Defining a privacy policy
 
A privacy policy is a comprehensive description of online information practices—what a company does with the information it collects from users of its website, mobile application, or similar electronic service. A typical policy contains a description of how information is collected; how it is stored, protected, used or distributed; and how users can control their personal data.
 
Every company that gathers information from customers online—whether through a website or mobile application, by email or through any other electronic means—should adopt a carefully crafted policy that shapes its privacy relationship with the users of its services. A policy is necessary to comply with a variety of state laws and federal regulations, and a poorly drafted policy can expose your client to regulatory action or litigation.
 
Laws
 
No single set of statutes or regulations governs privacy policies. Rather, privacy policies are governed by a patchwork collection of state laws and industry-specific requirements that are rapidly evolving. This article addresses the primary laws affecting most companies, but care should be taken to ensure compliance with all applicable rules and regulations and to be diligent about the rapidly changing legal landscape.
 
Practically, most companies doing business online need to comply with California's Online Privacy Protection Act (OPPA). OPPA's reach is broad—purporting to reach online services that collect personally identifiable information from California residents, irrespective of where the online service is located. OPPA therefore effectively sets the standard for privacy policies nationally; unless your client excludes California residents from its online services, it should comply with OPPA.
 
OPPA requires privacy policies to be conspicuously displayed and to meet certain requirements, including identifying the categories of information collected by the online service, how that information may be shared with third parties, whether the online service has a process for users to review and request changes to any of the collected information, and how the online service notifies users of material changes to the privacy policy.
 
Companies whose online services are directed to children, or that knowingly collect personal information from children under 13, also need to comply with the Children's Online Privacy Protection Act (COPPA), a federal law governing the online collection of personal information from children under 13. The law spells out what a company must include in a privacy policy, when and how to seek verifiable consent from a parent, and what responsibilities a company has to protect children's privacy and safety online.
 
Companies should also be aware of industry-specific, federal requirements that may govern privacy policies. For example, the Gramm-Leach-Bliley Act requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data.
 
And the Health Insurance Portability and Accountability Act (HIPAA), which provides federal protections for individually identifiable health information held by covered entities and their business associates, requires most covered entities to provide a notice of their privacy practices that describes the ways in which the covered entity may use and disclose protected health information.
 
Although no federal law of general application requires a company to adopt a privacy policy (industry-specific laws like those just mentioned are the exception), companies should be aware of guidance from the Federal Trade Commission regarding the contents of a privacy policy. The FTC has repeatedly emphasized that privacy notices should be clear, short and transparent, and it has brought enforcement actions against companies whose actual practices it perceives to be at odds with their stated policies.
 
Consequences
 
An inadequate privacy policy can cause exposure to regulatory action. The Federal Trade Commission, for example, has broad legal authority under the Federal Trade Commission Act and other federal laws to stop companies from engaging in unfair or deceptive practices, and the FTC has interpreted a misleading or false statement in a company's privacy policy to be such a deceptive practice.
 
In the last few years, the FTC has brought enforcement actions against such well-known companies as Google, Facebook, Twitter, Microsoft and Snapchat, as well as lesser-known companies. State regulatory agencies are also increasingly bringing similar actions.
 
Laws that prohibit unfair or deceptive trade practices can often also be enforced by private consumers and shareholders, either individually or in class actions. The specific allegations in these complaints depend on individual circumstances, but plaintiffs' firms can be expected to become increasingly aggressive and inventive in developing legal theories based on claimed privacy violations.
 
Recommendations
 
First, make sure your client's policy accurately and transparently reflects actual practices. A privacy policy is a public disclosure document—a communication with customers that must be and remain accurate.
 
Simply copying another website's policy is a mistake and can expose a company to liability if its own practices differ from the practices of the copied site. Instead, a policy should be carefully crafted to match actual practices for collecting and using private information. Outside technical and legal help may be necessary to craft a careful policy.
 
Second, confirm that actual practices match the policy. A company's failure to comply with its own policy is one of the quickest ways to get into legal trouble. Companies should take the time to educate their staff so that employees and agents understand their responsibility to comply with the policy.
 
Third, periodically assess policies and practices and any governing legal requirements. A policy needs to stay accurate. If information practices change, then a policy needs to change to reflect those changes. And if the governing law changes, a policy may need to change with that too.
 