Privacy Policies 101

Whether e-commerce is your entire business or you simply have an online presence, a carefully constructed privacy policy is important. Privacy policies help businesses comply with the Federal Trade Commission’s ban on deceptive practices and show customers a commitment to transparency. Further, they are often necessary for businesses to comply with specific state laws: California requires businesses that collect personal information online to “conspicuously post a privacy policy;” in Illinois businesses must provide a “rigorous disclosure of methods, intentions and guarantees” when they collect biometric data (such as facial scans of photos).

It might be tempting to post a simple policy and call it a day, especially if your business collects minimal user data for standard operational purposes. Unfortunately, there are less-than-obvious policy considerations in even these relatively simple situations, and an overly simple or inaccurate privacy policy can lead to a host of problems, including lawsuits. If your policy promises users you will not sell their information, what happens if you sell your business? If you have guaranteed user privacy, what happens if your website it hacked? And what happens if you need to change your policy?

Companies ranging from local businesses to Facebook and Google face lawsuits over these and other privacy policy issues all the time. Smart TV manufacturer Vizio was recently fined over two million dollars for selling viewing data collected from its TVs even though the data did not include personally identifiable information; on the other hand, video game retailer GameStop recently beat a lawsuit alleging that data it shared with Facebook violated its policy of not sharing personal information. The difference? A clear, well formulated privacy policy.

While privacy policies will vary depending on the business, they generally include the following:

• How the business and/or other entities like advertisers collect information about the user.
• Why said parties collect the information–what the information is used for.
• Who the information in shared with.
• When does the policy apply and when does it not (e.g. when the user clicks on a link that leads to another site or uses a third-party payment system like Paypal).
• Security: what steps the business takes to keep the information safe and private.
• Access: how the user can view and, if desired, delete the information.
• Contact: how to contact the business about the policy.
• Changes: what happens if the business wants to change the policy.
• Opting Out: for mailing lists, the CAN-SPAM Act of 2003 requires an opt-out feature.

While having an inadequate policy (or none at all) can leave you open to legal trouble, a thorough, well constructed policy protects your interests and provides peace of mind for you and your customers. With consumer protection groups increasingly focused on internet privacy protection and new FTC rulings constantly shifting the legal landscape, however, even the most conscientious businesses can have a hard time formulating an adequate policy. Fortunately, Saper Law attorneys are experts in internet law and stay up-to-date on the latest privacy policy cases. Whether you are crafting an initial policy, evaluating an existing one, or defending against allegations of breach, Saper Law can help.

Click here to schedule a consultation, or explore our other business or social media legal services.