Advertising Law Blog

One of the biggest concerns among visitors to Web sites is how their personal information is going to be used. This isn't a new development; back in March of 2000, BusinessWeek did a cover story on Internet privacy, including a survey showing that the vast majority of users were either very or somewhat concerned about how their information would be used. The same cover story discussed how best to inform and reassure users. 

Unfortunately, while the number of businesses with Web sites has continued to expand, as has the sites' sophistication, the level of disclosure of data practices has not significantly improved. True, most Web sites (especially business ones) have posted "privacy policies," but too many simply copy language they've found on other Web sites. The problem? The borrowed language may describe the practices of the other site, but may not be correct when it comes to the new site using the policy, and when it comes to privacy policies, inaccuracy can be expensive.

Keep in mind that a privacy policy is a disclosure document, whose purpose is to inform (and therefore protect) consumers. When it comes to consumer protection, the FTC and state attorneys general have jurisdiction, and even absent any other applicable laws about privacy (such as the Children's Online Privacy Protection Act or COPPA, which will be discussed in an upcoming blog), the enforcers can and do sue and fine sites whose privacy policies are well-meaning but wrong. 

How do well-meaning companies get themselves into trouble with their privacy policies? Among the biggest problems is a statement such as, "We will not share your information with any third party." Very reassuring; almost certainly false. When it comes to the Web, there are numerous legitimate third parties with whom the site owner must share user information just to operate the site: the site's hosting company, the user's own ISP (to whom the Web pages are transmitted on their way to the user), the courier delivering any purchases, the banks clearing credit card payments, etc. Another problematic statement: "We collect your information through the form you complete on the site." This may be true, but the siteowner will likely also be collecting personal information about the user from text messages, e-mails, faxes, telephone calls, postal mail or other communications with the user, as well as from outside sources (credit card processors, database vendors), etc. Further, though there is not (yet) a federal law requiring all Web sites to have privacy policies, states such as California have rules about policies and what needs to be included in them. (California's Civil Code Section 1798.83, which mandates certain language and procedures for privacy policies.)

Given that copying another site's language is a bad way to create a privacy policy, what's the right approach? An attorney familiar with the laws and rules about data can guide you through the process of learning exactly how your organization collects data, how it uses the data and how it shares them with others, so the policy can be accurate as well as flexible enough for future uses. For the best results, this process should include IT, sales, marketing, and any other group within the company that touches the site's information. (Don't forget that data may also be collected through offline operations; if the information is shared between Web and offline in the company, the offline part needs to be included in the policy.) There are also organizations like TRUSTe and P3PWiz that offer templates and consulting to help with policies. You may find some good information from the International Association of Privacy Professionals (IAPP). Finally, if your site collects information from children, includes health or financial data or you have operations in other countries, there may be additional laws with which you must comply. For those, asking a competent lawyer is definitely a good idea.

Don't forget that your privacy policy has to remain accurate over time. If your information practices change and they're no longer what's described in your policy, the policy should change. Be careful, though, that if you are making major changes in your data use, you don't use information collected under the earlier policy without getting permission from those users. Amazon.com got into trouble with consumers and got the attention of the FTC in 2001 when it made a change in its policy; the FTC said that were Amazon to make a "material change," it would actually have to get permission from each of its previous customers before using their information in the new ways, which would be a major and probably unsuccessful effort.

Beyond helping you craft an accurate and flexible privacy policy, having a complete picture of how your organization collects, uses and shares information has one other major benefit: it can show you how you're underutilizing the data you already have. With that knowledge, you can find new ways of understanding, communicating and serving your customers, while providing them with the comfort that comes with full disclosure.