E-Commerce

TECHNOLOGY LAW CORNER

Shore Up Your Privacy Policy Before Disaster Strikes

Last month, I discussed, from the website owner’s point of view, the critical importance of using Terms of Service (ToS) and Click Agreements suited to their business.

Now I will address the need for appropriate consideration of your website’s Privacy Policy.

What Type of Information Do Privacy Policies Protect?

Personally Identifiable Information (PII) may include many details such as name, address, email address, phone numbers, social security numbers, credit card numbers and the like. From a technology standpoint, every visitor to every website provides some PII about who they are and where they came from. When a visitor lands on a website, this is what the website owner can access:

  • the visitor’s unique IP (Internet Protocol) address;
  • PII about the last website the visitor accessed; and
  • information from cookies it left on the visitor’s hard drive from a previous visit to the site, perhaps including credit card information and passwords (usually encrypted).

In addition, website visitors provide PII voluntarily when they register as users on sites such as Facebook and LinkedIn or for services like Gmail. Also, visitors provide credit or debit card information to facilitate website purchases. The critical issue about this volume of information presented to the website from the visitor is how that information is protected and what privacy the visitor is afforded.

Website Privacy Regulation

In the U.S., the Federal Trade Commission (FTC) regulates Internet privacy. Currently, the FTC does not require that websites have a Privacy Policy. However, if a website does have a Privacy Policy, it must adhere to its own terms.

A typical Privacy Policy may state that the website will not use any PII without the user’s express permission. The FTC will enforce that obligation if it learns that PII is being used without permission, such as to commercialize it. But if the website’s Privacy Policy is silent about protecting PII, then the website may use the PII freely.

Outside the U.S., privacy rules are very different. In the EU, Canada and Japan, for instance, there are very specific laws to restrict the use of PII on any computer, whether connected to the Internet or not.

In Canada, the Personal Information Protection and Electronic Documents Act specifies the “…ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them.”

In Japan the Personal Information Protection Act was enacted after conducting public surveys regarding privacy protection for individuals.

The EU 1995 Data Directive (which started in 1989, in the pre-Internet era) regulates privacy for citizens and businesses that operate in the EU.

The U.S. Department of Commerce established Safe Harbor rules that allow U.S. businesses to operate in compliance with the EU laws, so if your website allows users to conduct business with it in the EU, it makes sense to be in compliance under the Safe Harbor rules.

TRUSTe (discussed in greater detail below) offers a specific service called EU Safe Harbor, which includes the following: TRUSTe can help you certify your compliance with the EU Directive on Data Protection. The Directive prohibits the transfer of European citizens’ personal data to non-European Union nations that do not meet the EU’s “adequacy” standard for privacy protection.Of course other companies offer similar EU services.

What Should Your Privacy Policy Contain?

Like ToS and Click Agreements, my informal surveys show that few individuals, at least in the U.S., take the time to review Privacy Policies. But that doesn’t mean you should not have one. You have to consider your visitors’ expectations, business issues and laws in countries where you operate.

One approach to create your company’s Privacy Policy is to find a website you think has similar issues to your own, and use that as a base for your company’s policy (but you should be careful to not violate copyright laws when doing so). This might work, but if you guess wrong about what the Privacy Policy should be, your business may be a risk.

Aggregate Data

Many Privacy Policies say that they will not use visitor PII, but the website may aggregate visitor information for resale. Such information may include the percentage of visitors to the website who came from Google or The New York Times. The largest company in the data aggregation business is DoubleClick, which was purchased by Google a few years ago.

Most website visitors do not feel that their privacy is violated by such aggregation since PII that is specifically identifiable is not being shared, but even where the law doesn’t require disclosure, you should consider — based on business reasons — whether your Privacy Policy should let website visitors know whether your website aggregates such information.

Consider Subscribing to Privacy Standards

A number organizations promulgate Privacy Standards. Website owners may subscribe, pay a fee, and agree to adhere to the Privacy Standards of that organization. You often see the logos for these Privacy Standards on the front page of websites and embedded in Privacy Policies.

You may be familiar with the TRUSTe logo. Since 1997, that company has offered a variety of online privacy services. This is what TRUSTe has to say about its services:The company offers a broad suite of privacy services to help businesses build trust and increase engagement across all of their online channels including websites, mobile applications, advertising, cloud services, business analytics and email marketing… Based upon the comprehensive privacy model of “Truth in Privacy,” which is laid on a foundation of transparency, choice and accountability regarding the collection and use of personal information, TRUSTe’s privacy seal is recognized and trusted by millions of consumers as a sign of responsible privacy practices.TRUSTe claims that more than 4,000 websites subscribe, including “…top companies like Apple, AT&T, Disney, eBay, Facebook, HP, Microsoft, Nationwide and Yelp.” Among many services, TRUSTe offers website solutions for website privacy, EU Sage Harbor, Children’s Privacy, Email Privacy, and downloads.

Of course there are other Privacy Standards like those of the Better Business Bureau, which claims that more than 142,000 websites use its Privacy Standards, and also the Online Privacy Alliance and the CPA WebTrust Program.

In Conclusion

Website owners should make sure their Privacy Policies satisfy applicable legal requirements and also address business concerns, so as to give the website visitors comfort that PII will not be used wrongfully.

Therefore, it is critical that each business review how it manages PII, and consider what it tells visitors to the website.

Peter S. Vogel

E-Commerce Times columnist Peter S. Vogel is a trial partner atGardere Wynne Sewell, where he is chair of the eDiscovery Team and Chair of the Technology Industry Team. Before practicing law, he was a systems programmer on mainframes, received a masters in computer science, and taught graduate courses in information systems and operations research. His blog covers contemporary technology topics.Vogel can be reached at [email protected].

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Peter S. Vogel
More in E-Commerce

E-Commerce Times Channels