Litigation: Practical and legal considerations for online privacy policies

Using an online privacy policy to generate customer goodwill while providing full disclosure in compliance with state and federal law

Most companies with an online presence post a “privacy policy” on their websites that describes how the company obtains, manages, uses and discloses information regarding its customers (or users of the website), as well as describing any rights that customers have with respect to the company’s use of that information. When drafting privacy policies, companies typically seek to provide complete and detailed disclosures while rendering those disclosures in concise language to avoid the risk of customer confusion.

Drafting a privacy policy in language that customers can understand has become more essential as customers are increasingly interested in privacy-related issues. A 2012 survey by TRUSTe, a privacy management solutions provider, found that 94 percent of respondents thought privacy was an important issue, 60 percent of respondents were more concerned about online privacy than a year before and 35 percent of respondents stated that they had stopped doing business with a company over privacy concerns. Moreover, 85 percent of respondents who owned a smartphone said they wouldn’t download mobile applications that they don’t trust. Given this trend of increasing privacy-related concerns, many companies recognize that their online privacy policy can provide a means of building trust and goodwill with their customers.

Consistent with the growing public awareness of online privacy issues, the Federal Trade Commission (FTC), the Better Business Bureau and the Mobile Marketing Association have issued guidelines for companies that are drafting privacy policies. Collectively, these guidelines suggest that privacy policies be written in easy-to-understand English (not “legalese”) and address, at a minimum, these five topics:

  1. What information does the company collect and how does it do so?
  2. How does the company protect the information it collects?
  3. How does the company use the information it collects?
  4. Does the company share the information it collects with others, and if so, what is shared and with whom is the information shared?
  5. Do customers have control over their personal data, and if so, what control do they have?

Although these guidelines can assist companies in drafting a consumer-friendly privacy policy, for some companies the contents of a privacy policy are mandated by law. Both federal and state laws regulate what must be disclosed in a privacy policy by companies that collect, use and share customer information in a variety of circumstances. For instance, the Children’s Online Privacy Protection Act governs websites or online services that collect personal information and are directed toward children under the age of 13 or that knowingly collect information from children under the age of 13. In addition, the Gramm-Leach-Bliley Act regulates the use and sharing of financial information by financial institutions, and the Health Insurance Portability and Accountability Act and related regulations govern privacy related to health-care services.

Many states have enacted privacy laws, but one such law that has received significant press recently due to enforcement activities by the California attorney general is the California Online Privacy Protection Act (CalOPPA). CalOPPA governs “any commercial web sites or online services,” including mobile applications, “that collect personal information on California residents through a web site” and explicitly mandates the posting of a privacy policy that describes what personally identifiable information about customers is being collected and what will be done with that information. Although the scope of this article is limited to compliance with domestic laws, companies operating outside the U.S. also need to be aware of laws governing privacy policies enacted by other countries.

Beyond the issue of whether a privacy policy complies with legal requirements, companies should also be aware that making explicit representations in a privacy policy regarding how customer data will be used or maintained can create litigation and regulatory enforcement risks. Indeed, the FTC has launched investigations and filed complaints against companies that allegedly failed to abide by their own privacy policies.

Even companies that are taking steps to protect customer information are potentially subject to claims arising from employee mistakes or intrusions by hackers. For example, in Resnick v. AvMed, Inc., the class action complaint alleged that the plaintiffs had provided private information to AvMed, a health-care services provider that had promised in its service contract “to ensure the confidentiality of information about members’ medical health condition being maintained by the Plan and the right to approve or refuse the release of member specific information including medical records, by AvMed, except when the release is required by law.” The plaintiffs further alleged that, despite AvMed’s assurances of confidentiality, unsecured laptop computers containing unencrypted, sensitive information of approximately 1.2 million current and former AvMed members were stolen from an AvMed office—thereby subjecting the class to a risk of identity theft, and allegedly resulting in unauthorized financial accounts being opened in both of the plaintiffs’ names, among other alleged wrongdoing. The 11th Circuit reversed the district court’s dismissal of the action, holding that the plaintiffs’ allegations were sufficient to state a claim for breach of contract, among other claims.

For companies that offer products and services to their customers through the Internet, ultimately there is no one-size-fits-all approach to drafting a privacy policy. The appropriate substance and form of a privacy policy depends on the nature of the company’s online presence, what information it collects about its customers and what it does with the information. And given the frequent developments in statutory, regulatory and case law in this area, companies should have counsel review their privacy policies regularly. 

About the Author
Matthew Brown

Matthew D. Brown is a partner in Cooley LLP’s Litigation Department in San Francisco and a member of the firm’s Privacy, Commercial Class Action Litigation, Commercial Litigation, Intellectual Property, and White Collar and Regulatory Defense practice groups.  Mr. Brown has substantial experience representing companies in federal and state courts in a broad range of litigation, including consumer and privacy-related class actions and cases raising emerging issues at the intersection of law and technology.  Mr. Brown is a member of the American Law Institute (ALI) and a graduate of Harvard Law School.

About the Author
Christopher Durbin

Christopher B. Durbin is a partner in Cooley LLP’s Litigation Department in Seattle and a member of the firm’s Commercial Class Action Litigation, Securities Litigation, and White Collar and Regulatory Defense practice groups. Mr. Durbin’s practice encompasses a range of litigation matters in federal and state courts, including consumer and privacy-related class actions, commercial contract litigation, securities litigation, and white-collar defense. Mr. Durbin served as a law clerk to the Hon. John C. Coughenour of the United States District Court for the Western District of Washington, as well as the late Hon. Robert R. Beezer of the United States Court of Appeals for the Ninth Circuit.

About the Author
Darcie Tilly

Darcie A. Tilly is an associate in Cooley LLP’s Litigation Department in San Diego and a member of the firm’s Commercial Class Action Litigation, Privacy, Intellectual Property, and Securities Litigation practice groups. Ms. Tilly represents companies in federal and state courts in a broad range of litigation, including privacy and consumer class actions and intellectual property disputes, with an emphasis on representing retail, technology, and e-commerce companies. Ms. Tilly is a graduate of the University of Michigan Law School and received a B.S. in Molecular Biology from the University of California at San Diego.
