Thursday, January 20, 2011

Customer Data and Use/Distribution Disclosure

You care about your customer's privacy but you also want to get rich. This can be a dissonance.

The Federal Trade Commission Act and its state statutory analogues (which govern unfair or deceptive business practices) govern issues related to consumer privacy for commercial web sites (the FTC was given jurisdiction over online privacy and information security in 1999).FN1 Federal regulators and state attorneys general are fairly active in investigating companies that misuse customer data. The take-away from such investigations is not that you can't capitalize on the value of such data; however, there are some points to consider:

1 - Doing What You Say. The scrutiny of an online privacy practice begins by identifying how the web site collects and uses customer data (including non-identifiable data such as IP addresses). The reality is that unless the customers/users are uniquely protected (see FN1) there are few business limitations on what you can do with customer data once they knowingly give it to you. The most troublesome (to the company) violations of consumer privacy almost always occur in the following scenario: there is a discrepancy between how customers think a company will use/distribute their data and how that data is actually used and distributed.FN2

2 - (!!!) CONSPICUOUS (!!!) Display. The privacy policy, however finely articulated, can't be buried deep within the site. Best practice (as well as California statutory requirement) is to link to it from the home page.FN3

3 - What You Say. The privacy policy should identify a) what customer data is being collected (this includes ostensibly transactional data like IP address, user names, passwords, etc.), b) how it's being collected, c) how it's being used and why (for security purposes, diagnostics, improving the user experience, etc.), and d) whether it's being distributed to any third parties. Occasionally, you hear an argument that disclosure should be vague so as to avoid accusations of deception later, but 1) that's a bit nefarious and 2) you probably won't get away with it.

With respect to distribution, identify the third parties that will be given the data, and how those third parties will use it. Additionally, even if the data is not being distributed as part of a business relationship, disclose that the data may be subject to (i) disclosure via a subpoena or some other governmental request (given enough process the government will always, always, be able to obtain the data; don't act like you're not impressed) and (ii) an unlawful security breach.

4 - Retention. The policy should also address the issue of how long the company intends to retain the data, which should probably include whether the customer's data may be sold in the event of a merger or bankruptcy (and thereby subject to the privacy practices of the acquiring third party).

5 - Appropriate Security Procedures. This is as much a business and technical issue as a legal issue, but the history of FTC actions suggests that even well-intentioned web sites may run afoul of FTC regulations if their security practices are not reasonable and appropriate to the nature of the data.

6 - Consumer Choice and Changes. Provide methods for users to correct inaccuracies or otherwise review and change personally identifiable information and describe how changes to the privacy policy will be communicated (California statutory requirements).

FN1. Until recently, no law made it a generalized requirement that a web site have a privacy policy - it was primarily used as a business strategy (to appear trustworthy). The California Online Privacy Protection Act (enacted 2004), because it mandates privacy policies to any California consumer, changed that. In addition, if a web site a) operates in the financial services industry, b) operates in the health care industry or c) can anticipate users under the age of 13, special and additional compliance measures must be heeded. The specific governing laws here are beyond the scope of this post but in brief they include the following: a) Gramm Bliley Leach Act (which requires that special disclosure and opt out provisions (in certain cases) be provided where the web site is collecting financial information), b) Child Online Privacy Protection Act - not to be confused with the Child Online Protection Act - (which applies to the online collection of personal information from children under 13), and c) Health Insurance Portability and Accountability Act (which establishes regulations for the use and disclosure of protected health information).

FN2. Recent studies indicate that there is a widespread disconnect between how privacy policies are articulated at the highest level of management and how privacy practices operate on the ground. In addition, from a business perspective, it might make sense to know the privacy policies of your competitors.

FN3. Google, for example, got heat for failing to put a privacy policy disclaimer on their famously sparse home page (they argued that it appeared on search pages and users could use the search box to find it). After some negotiation, they caved and placed it center bottom.
