Regulatory: Drafting and reviewing your privacy policy

In-house counsel must involve key company stakeholders in the policy creation process

This article is the last in a series of three to discuss the importance of, and recent developments affecting, privacy and data security, and the issues that corporate counsel need to consider in these areas. Read parts one and two.

The first two articles in this series focused on the need for companies to think about and incorporate privacy into their corporate culture. With almost daily news reports of data breaches, hacking intrusions and companies collecting and using information contrary to their stated policies, privacy has become a front-burner issue for C-suite executives, which means it becomes an issue for in-house counsel. Therefore, counsel are well-advised to review their company’s existing policy, or, if one does not exist, to develop one, as well as corporate data security practices. This applies to apps as much as websites.

The first step in developing or reviewing a policy is to understand what such a policy requires. Every week I receive calls from existing and prospective clients seeking a privacy policy ASAP. “Isn’t there an ‘off-the-shelf’ policy that you can send me?” they often ask. Unfortunately, there is no such thing as a canned privacy policy that is appropriate for every company. Instead, developing a policy requires thought and input from various stakeholders, so that it accurately reflects the company’s actual data collection, use and security practices.

Although there is no federal law that dictates specifically what information a company must include in a policy, there are particular requirements for companies in industries that are governed by specific laws and regulations, such as healthcare providers and payers (the Health Insurance Portability and Accountability Act) and financial institutions (Gramm-Leach-Bliley Act). In addition, websites and online services (including apps) that are directed to or that are likely to be visited by children under the age of 13 must comply with the Children’s Online Privacy Protection Act. Also, as noted in my prior columns, some states have laws that require companies to post a privacy policy and maintain certain data security standards. These laws apply to apps as well as websites.

So, unless governed by any of these laws, companies are free to develop a policy in any way they deem appropriate. That said, at a minimum a policy should include certain standard information such as what data the website and app collect, how it is used and, if applicable, how it is shared. With regard to collection, the policy should describe what information is collected from users by their own action (such as name, contact information and account or demographic information, as applicable) and passively, such as through the use of cookies and other tracking mechanisms. The policy should also describe how the website or app operator uses and shares user information, whether users can access, review and change their information, and whether they can stop the sharing of it.

The policy should also indicate whether, and if so what, security measures the company uses to protect the data. On that point, a company should accurately describe, and not overstate, its data security policies and procedures. Unfortunately, unless the IT department or those responsible for hosting the website or app are involved, lawyers have virtually no idea how data is maintained and protected. Therefore, it is absolutely necessary to engage these groups in this process.

Once the above issues have been addressed, the policy should include provisions that may not be so obvious. It is incumbent upon counsel to anticipate events that may impact how the company may possibly use data in the future. For example, in the event the company is sold or goes into bankruptcy, the policy needs to make clear that data collected on the website or through the app is an asset of the company and, as such, will be subject to transfer in a sale to another entity.

The need for this provision arose about a decade ago when an e-commerce company tried to sell its customer database in a bankruptcy proceeding. In that case, the Federal Trade Commission (FTC) sought to block the sale of a customer database developed by online toy seller Toysmart, citing the company’s privacy policy, which promised consumers that it would not sell or share customer information with any other party. The sale, the FTC argued, would violate Toysmart’s privacy policy and thus amount to an unfair and deceptive trade practice in violation of the FTC Act.

Two lessons came out of the Toysmart case. First, be careful not to make a promise in a policy that may limit your ability to use and share user information in the future. While you and your business clients may feel compelled to promise consumers that their information will not be used or shared for any purpose other than for the specific purpose for which the information may have been collected, your ability to change that position in the future will be severely, if not absolutely, hampered, and any such change will apply only to information collected going forward.

Second, be sure to include a provision that specifically identifies user data (both volunteered by consumers and passively collected about them) as a corporate asset, which may be subject to transfer in the event of a sale or liquidation. Without such a provision, your or your successor’s ability to transfer a customer database may be challenged and, if so, the value of the assets intended to be transferred may be significantly impacted.

The “Toysmart” provision is but one example of a unique privacy issue that arose from a company’s initial good intentions, but which later stymied its ability to enter into a business transaction. Many similar situations have occurred since then that have given rise to other provisions that are now commonplace in today’s privacy policies. It is therefore incumbent upon in-house counsel to closely follow privacy developments in order to competently advise clients in this area.

Last, and most importantly, once you develop a privacy policy, you must live by it. With the exception of a few privacy laws, such as the ones discussed above that set forth particular statutory requirements, virtually all cases brought by regulators and consumers have involved a company collecting or using customer data in a manner contrary to its publicly stated privacy policy. In-house counsel must work with internal clients to ensure that all stakeholders understand the importance of developing a policy that everyone can live up to, and then actually live up to it. If not, the legal and reputational consequences that may result from such actions can be extremely damaging, and perhaps irreversible.

Contributing Author

Marc Roth

Marc Roth is a partner in the Advertising, Marketing and Media division of Manatt, Phelps & Phillips, LLP, in New York, where he advises clients...
