Advertising Law Blog

As part of our ongoing discussion about the best practices and risks involving privacy and use of customer and employee information, here are 10 resolutions for businesses and organizations that want to be responsible about privacy:

1. Prioritize privacy. Even if your organization is not in a field covered by explicit privacy laws (at least here in the US), such as health care (HIPAA) or financial services (Gramm-Leach-Bliley), being responsible with customer and employee information should matter to you. It certainly does to regulators and the people whose information you have. Just ask Universal Music Group ($400,000 fine in 2004 for violating Children's Online Privacy Protection Act with Web sites including Lilromeo.com) or Tower Records (FTC settlement in 2004 for violating its own privacy policy).

2. Make it someone's responsibility. Appoint a Chief Privacy Officer or at least add oversight of privacy issues to the duties of someone within your organization. Make sure the person given that duty also has the time, training and resources to do the job right.

3. Draw yourself a map. Do an organization-wide survey to identify each way that personally-identifiable information comes in, is moved within and may move out again, and what information you are actually collecting. Consider not only your Web site but e-mail, snail mail, faxes, 3rd party databases and research, telephone calls, business partners, service providers, etc. Be expansive in your investigation. Repeat every few weeks or months as your business processes may change.

4. Fact-check your privacy policy (if you have one). Saying "we won't share your information with third parties" may be comforting to customers, but it's generally incorrect. Everyone from your Web host to UPS and FedEx may get customer information from you in the ordinary course, which isn't necessarily bad, except that it could violate your own public statements on privacy. That's where you can get into trouble.

5. Don't trust your own data about how you use others' data. Ask a privacy professional or knowledgeable attorney to do a privacy audit of your organization. An outsider, particularly an experienced one, will likely find something you miss.

6. See the world. Remember that, in the Internet age, most organizations are international even without intending to be. Read up on privacy laws of other nations (if you're in the U.S., pay particular attention to the EU Data Protection Directive and the related Safe Harbor). Consider how you or your employees might be held liable in some other country for something you do (or don't do) where you are (see the recent eBay India employee case for a parallel example).

7. Lock the doors. Make sure that you have both physical and electronic security in place for any collections of customer or employee information. Make sure that your hosting company or other offsite storage providers do likewise (e.g. encrypt stored credit card records). Remember little things like open wireless nodes that may offer malicious hackers access into your network (such as Lowe's Hardware suffered beginning in 2003).

8. If problems arise, deal with them openly and quickly. Customers and law enforcement officials alike expect that, if the worst happens and private information is accessed without permission, the company will take quick action in terms of notification and closing the open holes. California expressly requires this ().

9. Create a privacy-friendly culture. Make sure every employee understands the need to protect personal information, and the risks to the organization of failing to do so. Hopefully, this will help you avoid situations like the August 2004 conviction of a hospital employee convicted of HIPAA violation for stealing a cancer patient's identity.

10. Don't ask for more than you need. If you want a numeric identifier for customers, don't ask for a Social Security number unless you truly need it for its intended use. Don't have your cashiers ask for home phone numbers merely to have the info., since many customers will balk and the cashiers will punch in random numbers, invalidating the collection anyway.