RISKVUE ARCHIVE | RISK BITES
To Post Or Not To Post: Should You Have A Privacy Policy?
By Tracy Silver, Esq.
Every business with an online presence should consider whether to have a privacy policy. If your business operates a web site and, more specifically, if your business collects customer information it receives via the internet, you’d better consider this issue.
Internet privacy has come to the forefront as an issue not only among intellectuals and advocates debating the moral implications of a “Big Brother-like” society, but among average consumers and users of the World Wide Web. Surveys are consistently reporting individuals’ heightened sensitivity with respect to online privacy. Of course, no business can afford to disregard consumer concern. If privacy and personal data mining are of prime concern to members of the public, the necessary consequence is that privacy and privacy laws are a priority for all businesses intending to utilize the internet. Remarkably, that means nearly ALL businesses!
Personal information may be collected via the internet in several ways. Information can be procured when individuals knowingly volunteer to provide it, through, for example, a registration process. Information may also be obtained passively, through the collection and analysis of “clickstream data.” Clickstream data may be collected and compiled from a computer or browser, through the tracking of “cookies,” “web bugs” and/or internet protocol addresses. Information may also be retrieved through tracking software. Furthermore, some companies are profiting from mining clickstream data and organizing it into usable (and valuable) profile information. In short, while the World Wide Web provides businesses with numerous opportunities to learn about customers and potential customers, it also provides individuals with good reason to be paranoid.
Today, due in part to mounting consumer interest, companies’ data collection and disclosure practices are the subject of an overwhelming amount of attention and scrutiny. Recently, with a keen sense of internet privacy issues, Congress enacted pertinent legislation, namely, the Gramm-Leach-Bliley Act (GLB Act), the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA). Each of these statutes requires that certain types of entities (including financial institutions, healthcare entities and web site operators) take affirmative action to protect individuals’ personal information and privacy. Additionally, the European Union has developed an adequacy standard, which companies must meet in order to legally receive personal information from the European Union. Nonetheless, the fact remains that there are only a handful of tailored state and federal laws which limit the collection, use or dissemination of personal information, and no state or federal laws currently exist which require ALL businesses with a web site to post a privacy policy. Furthermore, most (if not all) recent privacy litigation in this area has arisen from companies’ misfeasance or nonfeasance with respect to stated privacy policies, not from any failure to state a policy. This, of course, begs the question: Why, in the absence of an affirmative legal duty, would a business choose to have a privacy policy?
There are four primary reasons to carefully consider designing, posting and implementing a privacy policy:
1) A growing number of consumers expect privacy policies. Individuals may well feel defenseless buying products, or providing personal information of any kind, without the reassurance of a company’s stated intention with respect to private data. Thus, without a privacy policy, a company could experience a considerable negative business consequence.
2) A large chunk of the trading world has adopted directives which make privacy policies mandatory. Since an impressive benefit of the internet is its world-wide reach, it follows that world-wide privacy standards should exist. If our European and Canadian counterparts are resolved to establish stringent consumer protection, then American businesses will thwart lawsuits and confusion by adhering to a similar common standard.
3) As discussed earlier, our nation now has several laws firmly in place requiring companies to have and comply with strict privacy policies. While COPPA may be tailored to web sites that cater to children, HIPAA and the GLB Act are broad in scope. Certainly, a good way to ensure the avoidance of liability under these regulations is to voluntarily comply with the basic intention of these measures.
4) With government attention focused on this issue, and many privacy bills in circulation at the state and federal levels, it may be just a matter of time before the “option” of a privacy policy is abolished.
In conclusion, though a published privacy policy may not yet be obligatory, businesses operating online will be well served by implementing one.
Fortunately, the Federal Trade Commission has clearly delineated the basic elements of privacy policies, and there is little mystery to their formulation. If you decide to publish a privacy policy on your web site (or if you already have one posted), you should be certain that it is (or was) prepared correctly. Privacy policies are likely to vary significantly, depending on factors including: company activities, the nature of information a company collects, and how it intends to use that information. A company may be tempted to adopt a privacy policy it copies from another web site — maybe even a privacy-sensitive web site. We strongly caution our clients to resist such temptation. Such an approach may, at best, generate a policy incapable of addressing the nature and specificity of a given business, and, at worst, subject that business to liability. Although published privacy guidelines are useful, a keen examination of legal issues and potential compliance challenges is a necessary step in the process of implementing an effective privacy policy, and keeping a well-intentioned business out of trouble.
ABOUT THE AUTHOR
Tracy Silver, an associate in the Business and Tax department of Silver & Freedman, APLC, in Los Angeles, represents and counsels clients in all areas of business law. While her focus is on technology and entertainment matters, her practice is much broader, and includes mergers and acquisitions, corporate law, and intellectual property. She can be reached at 310-556-2356 or by e-mail at tsilver@silfre.com.
riskVue | The webzine for risk management professionals
September 2003