Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what normal people say in 300 and a handshake. At the risk of defending verbosity, it turns out that behind each handshake lies a wide range of non-standard assumptions. Many (if not most) disputes arise from a misunderstanding about an unspoken assumption: the meaning of a word, or silence on a particular issue. That's why it takes lawyers so many words to say something so simple; simple things are more complex than we thought.
Consider the telephone, an elegant piece of equipment which is exceedingly easy to use. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about the millions of miles of copper and fiber, routers, substations and central offices. The infrastructure isn't a "necessary evil," it's just necessary.
Creative Commons is the legal equivalent of the telephone. While the human-readable version of the "Attribution Non-Commercial Share Alike" Creative Commons license consists of 5 images and 286 words, the legal version contains 3,384 words. Surely the work of a lawyer who needed to justify his existence, right?
Not so fast. The full license covers a range of essential topics that people don't usually take time to think about. These include media and language translation, public performance, DRM, collections of works, waiver of compulsory license fees, preservation of moral rights, limitation on author's liability, and termination, just to name a few. Creative Commons is simple on the surface, but the elegance is supported by a complex legal framework. Saying that the legalese version of a Creative Commons License is a "necessary evil" is incorrect and misses the point. It's not evil at all; it's just necessary.
Privacy Policies: Not a “Necessary Evil,” Just Necessary
- Employer Activities: Does your company have employees? How do you protect health, financial, employment, and personnel information? What contractual and technical protections do you offer employees? Where is the information stored, and do you have physical and legal control over the servers?
- Customer Feedback Activities: Does your company conduct surveys, or invite customers to "Contact Us"? What might you do with that information?
- Financial Activities: Do you accept online payments? Do your retail outlets comply with all industry standards? Do you store credit card information?
- Education Activities: Does your company sell education material, or conduct certifications?
- Social Networking Activities: Does your company have a corporate blog that accepts user comments? Do you post to Twitter and YouTube? Does your company have a Facebook page? Do you gather aggregate usage information? What information about your users, fans, commenters and online guests might you collect, and what inferences do you draw from the information?
- Network Provider Activities: Do you offer internet access to employees? Do you monitor your network activity or restrict access to certain sites? Do your employees understand what they should consider private and what is accessible to the company?
- Government Activities: Companies which accept government contracts may be required to comply with a wide range of requirements, including background checks and increased security. What impact do these regulations have on your consumer and employee privacy policies?
- Healthcare Activities: Whether your company creates medical technology or devices, or merely provides healthcare insurance for employees, consider what types of information pass through your systems and how that information is protected.
- Non-Networked Activities: Even if your company is a locally owned Mom-and-Pop restaurant, a mechanic, or a corner grocery store with no internet connectivity, what customer information do you collect and use? How do you store and safeguard your paper records? Do you properly shred or destroy old records?
Beyond the Basics
Once you’ve brainstormed the possible uses of personal information, you must be aware of some little-known US and EU regulations which can affect your privacy practices and policies.
Privacy in the Cloud. Cloud computing gives small companies instant access to Fortune-500 quality infrastructure at a fraction of the cost. Just like any sort of outsourcing, cloud computing may simplify your business model, but unless you're careful, it may also seriously complicate your handle on intellectual property and personal information. You should determine what, if any, contractual obligations downstream service providers have to you. Also consider that the service providers may be located in a jurisdiction which has additional privacy regulations.
Federal Law. The Children’s Online Privacy Protection Act (COPPA) puts stringent burdens on companies which knowingly collect personal information about children under 13. In order to avoid COPPA liability, companies must take active steps to avoid collecting personal information from kids. This means, for example, that if you ask for your users’ date of birth, you must deny access to those who indicate that they are under 13 years old. Your company should have procedures for preventing users from signing up using a different birth year, if the company finds out they are under 13.
Copyright Law. Believe it or not, even copyright law can have an impact on privacy. The Digital Millennium Copyright Act (DMCA) includes a takedown procedure which can require site owners and service providers to report information about infringers to copyright holders, under certain circumstances. Even though the DMCA does not require companies to disclose their DMCA practices, it’s a good idea nonetheless.
- If you have customers or employees, you need to safeguard personal information.
- Laws do not usually establish Privacy Practices. Privacy Policies create Privacy Practices.
- Privacy Policies are often required by law or regulation.
- Your business faces privacy challenges which nobody else faces.
- Cloud Computing, Social Media, Goods and Services, Employer, and other activities pose unique challenges to handling personal information.
- You must comply with specific regulations if you have customers or employees in specific states or the EU, or if your servers (or the servers of a subcontractor) reside in the EU.
- Your company has affirmative privacy obligations with respect to minors under 13 years old.
As an executive, do these three things:
- Brainstorm. Using the list above, brainstorm all the activities and types of personal information your company collects (whether personally identifiable or not), and identify the jurisdictions through which the information may flow.