The Anatomy of Privacy Policy
by Tracy Silver

If your company has an online presence, it should, or may be required by law to, maintain and post a privacy policy. Although it is possible to create a privacy policy with a simple cut-and-paste approach, an effective and legally compliant privacy policy requires a serious examination of company goals, strategies, and limitations, with a careful eye on associated legal issues and potential compliance challenges.

The creation and implementation of a privacy policy is a strategic business decision that should be taken as seriously as any other important endeavor an organization may undertake.

Certain companies are required by law to post and maintain a privacy policy. Specifically, Congress has enacted pertinent legislation related to certain types of entities’ information collection practices. Web sites with customers or business operations in the European Union are subject to the European Union’s Data Protection Directive, and Web sites that collect personal information from children are subject to the Children’s Online Privacy Protection Act of 1998 (COPPA). Web sites that collect financial information from consumers are subject to the Gramm-Leach-Bliley Act (GLB Act). Furthermore, the Health Insurance Portability and Accountability Act (HIPAA) has recently come into effect and restricts the collection, use and dissemination of individuals’ personal health information. Each of these regulations requires the posting of a privacy policy in certain circumstances. While COPPA is tailored to Web sites that cater to children, HIPAA and the GLB Act are broad in scope. One good way to avoid liability under these regulations is to voluntarily comply with their basic intent. Nonetheless, a published privacy policy is not yet legally mandatory for everyone.

A growing number of consumers expect privacy policies, and a large part of the trading world has adopted directives which make privacy policies mandatory. Because an impressive benefit of the Internet is its world-wide reach, it follows that world-wide privacy standards should exist. Additionally, as discussed above, the U.S. has regulations firmly in place requiring certain companies to have and comply with strict privacy policies. Finally, with government attention focused on this issue, and many privacy bills in circulation at the state and federal levels, it may be just a matter of time before the "option" of a privacy policy is abolished. Certainly companies’ data collection and disclosure practices are the subject of an overwhelming amount of attention and scrutiny, and having a privacy policy is a good business practice and a prophylactic against future liability.

Avoid Shortcuts
If your company is thinking of developing a privacy policy, don’t be fooled by the array of “easy tools” readily available in the marketplace. Unlike “ready to wear” clothes, a privacy policy is a unique document which must fit a company’s specific needs and practices. Although drafting a privacy policy may seem easy, extreme caution must be exercised. Since the Federal Trade Commission has clearly delineated the basic elements of a privacy policy, many businesses are mistakenly confident that simply publishing a privacy policy which meets FTC guidelines satisfies any applicable laws and consumer interest. A company may also be tempted to adopt a privacy policy copied from another Web site.

Privacy-sensitive Web sites such as TRUSTe and BBBOnLine have developed, and are in the business of marketing, “wizards” that automatically generate a portable privacy policy. Other companies and associations have created similar tools. Large Web sites have comprehensive privacy policies posted for public consumption, and some companies incorrectly assume they can fashion an acceptable policy by “cutting and pasting” provisions. No doubt, there is a broad range of options from which companies can select in attempting to design a privacy policy. Unfortunately, there is also no doubt that this kind of approach could expose an entity to liability. Instead of falling prey to these deceptive “short cuts,” a company should develop a privacy policy that is carefully tailored to its unique business.

Developing Policy
A rewarding aspect of preparing a privacy policy is that a business is forced to examine the value of the data and information it collects and maintains. If the value of this information is great, a company has an opportunity to expand its reach and profitability by implementing measures that consumers appreciate and that its customers will respond to. Furthermore, in exploring consumers’ needs and the customer information database, a company may find itself in a better position to evaluate its market position and make needed or desirable adjustments. This may result in the development of new products or other strategic changes the company may not have otherwise anticipated.

In addition to poring over lofty objectives, the process of preparing to draft a privacy policy is also an opportunity for various company executives to brainstorm about actual company practices. For example, the creation of a privacy policy may allow a company’s engineering, customer service, marketing and legal departments to discuss their various interests and arrive at acceptable guidelines that may then be implemented on a company-wide basis, without confusion. Each of these departments will have relevant practices and needs which must be considered and reflected in the policy. For example, before deciding that “all personal information collected from visitors will not be sold to third parties”, a business should consult with its marketing executives, who may have plans (or even an obligation) to deliver customer lists. In short, unless a business undertakes this kind of comprehensive analysis, a privacy policy is likely to be incomplete, inadequate, or, much worse, inaccurate.

Ask Questions
Once a general plan has been formulated, a business might use the following list of questions to confirm it has answered the full spectrum of broad questions.

After engaging in the recommended first step of “objective and practice analysis”, a business may then set out to answer a more specific series of questions designed to help tailor the content of the privacy policy.

Legal Compliance
A privacy policy must comply with the Federal Trade Commission (“FTC”) guidelines. Pursuant to these guidelines, a policy must include adequate notice of the company’s privacy policies, a description of the company’s actual use of personal information (which the company must strictly adhere to), and an explanation of procedures related to a consumer’s ability to access and/or change his or her personal information.

Perhaps the most important aspect to consider in creating a privacy policy is the implementation of that policy and its practical implications. It is impossible to overemphasize the importance of a company’s ability to adhere to its stated privacy policy. If a business’s practices do not conform to its stated policies, that entity may be found to be in violation of the Federal Trade Commission Act. The FTC is empowered under that Act to take action against entities whose acts or practices are deceptive or unfair. In several sensational cases in recent history, the FTC has successfully prosecuted companies that failed to adhere to their own stated policies. Thus, by developing a privacy policy which adequately and accurately reflects its actual practices and capabilities, a company can avoid exposure to liability and prosecution. Remember also that a company must take measures to ensure that its employees understand the new policy and are complying with it.

Lastly, in thinking about a privacy policy, a business should consider joining a “seal-based” program. Seal-based programs guarantee that a business adheres to its privacy principles and complies with the organization’s oversight and dispute resolution process. Membership with a seal-granting organization may ensure that an entity satisfies “Safe Harbor” requirements.

Conclusion
Every business with an online presence should consider having a privacy policy. Although only a handful of tailored state and federal laws exist which limit the collection, use or dissemination of consumers’ personal information, and no state or federal law requires all businesses to post and maintain a privacy policy, all companies would be well served by formulating and implementing a good privacy policy.

The creation of an acceptable privacy policy requires very careful consideration of company goals, strategies and limitations. In addition to applicable legal issues, the current practices, plans and needs of a business must be evaluated in the creation process. Implementation of an effective privacy policy will yield an opportunity for positive publicity and may inspire consumer confidence. However, an entity’s failure to carefully assess its practices and capabilities may result in chaos or liability. Effective risk analysis demands a thorough examination of legal issues and potential compliance challenges. Consult a lawyer to help you properly navigate this important process and its snare of rules and considerations.