Like Phones, Privacy Policies Should be Easy to Use, with a Complex Infrastructure

Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what normal people say in 300 and a handshake. At the risk of defending verbosity, it turns out that behind each handshake lies a wide range of non-standard assumptions. Many (if not most) disputes arise when there is a misunderstanding about an unspoken assumption: the meaning of a word, or silence on a particular issue. That’s why it takes lawyers so many words to say something so simple; simple things are more complex than we thought.

Consider the telephone—an elegant piece of equipment which is exceedingly easy to use. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about the millions of miles of copper and fiber, routers, substations and central offices. The infrastructure isn’t a “necessary evil,” it’s just necessary.

Creative Commons is the legal equivalent of the telephone. While the human-readable version of the “Attribution Non-Commercial Share Alike” creative commons license consists of 5 images and 286 words, the legal version contains 3,384 words. Surely the work of a lawyer who needed to justify his existence, right?

Not so fast. The full license covers a range of essential topics that people don’t usually take time to think about. These include media and language translation, public performance, DRM, collections of works, waiver of compulsory license fees, preservation of moral rights, limitation on author’s liability, and termination, just to name a few. Creative Commons is simple on the surface, but the elegance is supported by a complex legal framework. Saying that the legalese version of a Creative Commons License is a “necessary evil” is incorrect and misses the point. It’s not evil at all; it’s just necessary.

Privacy Policies: Not a “Necessary Evil,” Just Necessary

Like telephony infrastructure and the Creative Commons licenses, Privacy Policies aren’t a “necessary evil,” they’re just a necessary part of running a business. If your business has customers or employees, then you need to safeguard and use personal information. Your business must develop privacy practices unique to your business. Laws mandate that you protect personal information, but they do not usually establish privacy practices. That’s why you need a privacy policy.

Writing a privacy policy is a tall order because it must address the broad range of activities in which your company engages, and be as simple to use as a telephone.

Privacy policies should cover online as well as offline uses of personal information, because each use carries unique challenges. As you establish Privacy Practices and your Privacy Policy, consider the following activities:

  • Goods and Services Activities: Does your privacy policy cover the information collected at point-of-sale, your iPhone app, online store, and through PayPal? Does your software periodically send licensing, version, or other information to your centralized servers? Do you collect or share purchase history, preferences, and demographic information with employees, other people, users, or other companies?
  • Employer Activities: Does your company have employees? How do you protect health, financial, employment, and personnel information? What contractual and technical protections do you offer employees? Where is the information stored, and do you have physical and legal control over the servers?
  • Customer Feedback Activities: Does your company conduct surveys, or invite customers to “Contact Us?” What might you do with that information?
  • Financial Activities: Do you accept online payments? Do your retail outlets comply with all industry standards? Do you store credit card information?
  • Education Activities: Does your company sell education material, or conduct certifications?
  • Social Networking Activities: Does your company have a corporate blog that accepts user comments? Do you post to Twitter and YouTube? Does your company have a Facebook page? Do you gather aggregate usage information? What information about your users, fans, commenters and online guests might you collect, and what inferences do you draw from the information?
  • Network Provider Activities: Do you offer internet access to employees? Do you monitor your network activity or restrict access to certain sites? Do your employees understand what they should consider private and what is accessible to the company?
  • Government Activities: Companies which accept government contracts may be required to comply with a wide range of requirements, including background checks and increased security. What impact do these regulations have on your consumer and employee privacy policies?
  • Healthcare Activities: Whether your company creates medical technology or devices, or merely provides healthcare insurance for employees, consider what types of information pass through your systems, and how they are protected.
  • Non-Networked Activities: Even if your company is a locally owned Mom-and-Pop restaurant, a mechanic, or corner grocery store with no internet connectivity, what customer information do you collect and use? How do you store and safeguard your paper records? Do you properly shred or destroy old records?

You should cover each of these topics in a customer-facing Privacy Policy or an employee-facing Privacy Policy in your employee handbook.

Beyond the Basics

Once you’ve brainstormed the possible uses of personal information, you must be aware of some little-known US and EU regulations which can affect your privacy practices and policies.

Privacy in the Cloud. Cloud computing gives small companies instant access to Fortune-500 quality infrastructure at a fraction of the cost. Just like any sort of out-sourcing, Cloud computing may simplify your business model, but unless you’re careful, it may also seriously complicate your handle on intellectual property and personal information. You should determine what, if any, contractual obligations downstream service providers have to you. Also consider that the service providers may be located in a jurisdiction which has additional privacy regulations.

State Laws. A few state laws give specific guidance on what you should include in your privacy policy. For example, California law requires any company which collects personally identifying information over the Internet to conspicuously post a privacy policy. The privacy policy must identify the categories of personal information collected, how consumers will be notified of changes, and how to update personal information. Texas has similar requirements for any company which requires the disclosure of a social security number. Massachusetts requires encryption of personal information in certain circumstances.

Federal Law. The Children’s Online Privacy Protection Act (COPPA) puts stringent burdens on companies which knowingly collect personal information about children under 13. In order to avoid COPPA liability, companies must take active steps to avoid collecting personal information from kids. This means, for example, that if you ask for your users’ date of birth, you must deny access to those who indicate that they are under 13 years old. Your company should also have procedures that stop a user from signing up again with a different birth year once the company has found out they are under 13.
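To make the date-of-birth screen concrete, here is an added example of an age gate of the kind the paragraph describes. It is not code from the original post or from any particular product; the `AgeGate` class, the in-memory session and user stores, and the `Outcome` names are assumptions made for illustration. The screen refuses anyone whose date of birth puts them under 13, remembers per browser session that a visitor already failed so a second attempt with a different year is refused as well, and keeps only the outcome, never the date of birth itself.

```python
"""Neutral age screen (added example, not the post's own code).

Assumptions: a server-issued opaque session id is available for each
visitor, and the two sets below stand in for a session table and a user
table that a real deployment would persist.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

COPPA_MIN_AGE = 13


class Outcome(Enum):
    ALLOWED = "allowed"
    UNDER_AGE = "under_age"          # date of birth shows fewer than 13 years
    PRIOR_FAILURE = "prior_failure"  # this session already failed the screen
    INVALID = "invalid"              # unparseable or future date


def age_on(birth: date, today: date) -> int:
    """Whole years from birth to today, not counting this year's birthday
    until it has happened (a 29 Feb birthday is reached on 1 Mar in a
    non-leap year, which the (month, day) tuple comparison handles)."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


@dataclass
class AgeGate:
    failed_sessions: set = field(default_factory=set)  # constructed store
    blocked_users: set = field(default_factory=set)    # constructed store

    def screen(self, session_id: str, birth_text: str, today: date) -> Outcome:
        """Run the screen for one signup attempt. A visitor who clears the
        session cookie starts over, so this raises the bar rather than
        proving age; it is the 'active step' the text asks for."""
        if session_id in self.failed_sessions:
            return Outcome.PRIOR_FAILURE
        try:
            birth = date.fromisoformat(birth_text)
        except ValueError:
            return Outcome.INVALID
        if birth > today:
            return Outcome.INVALID
        if age_on(birth, today) < COPPA_MIN_AGE:
            # Record only that the screen failed; the date itself is
            # personal information about a child and is not retained.
            self.failed_sessions.add(session_id)
            return Outcome.UNDER_AGE
        return Outcome.ALLOWED

    def flag_underage(self, user_id: str) -> None:
        """The 'finds out later' case: block an existing account so it
        cannot be reused with a corrected birth year."""
        self.blocked_users.add(user_id)

    def may_sign_in(self, user_id: str) -> bool:
        return user_id not in self.blocked_users


if __name__ == "__main__":
    gate = AgeGate()
    today = date(2024, 6, 15)  # constructed "current" date
    print(gate.screen("sess-1", "2011-06-16", today))  # Outcome.UNDER_AGE
    print(gate.screen("sess-1", "2000-01-01", today))  # Outcome.PRIOR_FAILURE
    print(gate.screen("sess-2", "2011-06-15", today))  # Outcome.ALLOWED
```

The two design points worth carrying into a real implementation are the ones the paragraph hints at: the rejection is remembered so the form cannot simply be resubmitted with an older year, and the system stores the fact of the rejection rather than the child's date of birth, which would itself be the kind of information the company is trying not to collect.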

European Union. Unlike the United States, which has adopted narrow privacy regulations aimed at mitigating specific threats, the European Union regulates privacy on a much broader basis. If your company transfers information from the EU to the United States, you must either comply with EU law or the EU “safe harbor” principles. The U.S. Commerce Department promulgates guidance on what to include in your privacy policy, to comply with the EU safe harbor provisions.

Copyright Law. Believe it or not, even copyright law can have an impact on privacy. The Digital Millennium Copyright Act (DMCA) includes a takedown procedure which can require site owners and service providers to report information about infringers to copyright holders, under certain circumstances. Even though the DMCA does not require companies to disclose their DMCA practices, it’s a good idea nonetheless.

This is by no means an exhaustive list of privacy statutes or regulations, but it should remind you that a privacy policy is more than just a formality.

7 Reasons

So to summarize, here are the 7 reasons you need a privacy policy:

  1. If you have customers or employees, you need to safeguard personal information.
  2. Laws do not usually establish Privacy Practices. Privacy Policies create Privacy Practices.
  3. Privacy Policies are often required by law or regulation.
  4. Your business faces privacy challenges which nobody else faces.
  5. Cloud Computing, Social Media, Goods and Services, Employer, and other activities pose unique challenges to handling personal information.
  6. You must comply with specific regulations if you have customers or employees in specific states or the EU, or if your servers (or the servers of a subcontractor) reside in the EU.
  7. Your company has affirmative privacy obligations with respect to minors under 13 years old.

Take Charge

As an executive, do these three things:

  1. Read Your Privacy Policy.
  2. Brainstorm. Using the list above, brainstorm all the activities, types of personal information your company collects (whether personally identifiable or not), and identify which jurisdictions through which the information may flow.
  3. Evaluate and Update. Evaluate your privacy policy and employee manual to make sure that they cover the range of possible privacy implications.

About the Author: Guest Blogger

