Overview of Privacy Policies
Privacy policies started in the financial industry (such as credit reporting) and existed long before the internet became what it is today. Privacy policies are now widespread on websites and mobile apps to explain the collection, usage and sharing of an individual’s information.
Privacy Policies in the United States
Privacy policies are standard on websites even though Congress has not established a law explicitly governing the topic yet.
Some states, like California, require the creation and posting of a privacy notice for consumers.
Federal laws also explicitly require the posting of a privacy policy in certain circumstances, such as to comply with the Children’s Online Privacy Protection Act (COPPA) if a website is directed to children under 13 or has actual knowledge it is collecting children’s data.
Other websites do so to ensure compliance with Section 5 of the FTC Act, which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” The majority of the Federal Trade Commission’s privacy enforcement falls under the rubric of the prohibition on deceptive practices.
Many smaller websites have privacy policies because they are required by their larger commercial partners. Google, for example, requires users of Google AdWords to have a privacy policy on their website in order to run advertising under its program.
The EU GDPR
Transparency is one of the core principles of the EU General Data Protection Regulation (GDPR).
Article 5 requires all processing of personal data to occur in a transparent manner.
Article 7 requires requests for consent to be presented in an intelligible manner with clear, plain language.
Article 12 requires other information, including communications about the data subject access rights, to be presented in a concise, transparent, intelligible and easily accessible form using clear plain language.
In short, the GDPR transparency requirement means that information about data privacy practices must be communicated in a form that ordinary people can understand, including children where the communication is addressed to them.
Implications of the Facebook Privacy Scandal on Privacy Notices
The days of a single-page disclosure of privacy practices in the United States, written by lawyers in legalese, are over. Organizations now need readable privacy policies. Since the news broke about Cambridge Analytica, Facebook has been regularly criticized for not doing enough to inform users about its data sharing practices. Senator Kennedy of Louisiana went so far as to say that its privacy policy “sucks”. The bar for what is required in a privacy notice is moving higher.
At the same time, Facebook CEO Mark Zuckerberg regularly defended the Facebook privacy policy in the hearing by noting that if the company provided more information in it, users would not read it. Instead, Facebook uses a layered privacy policy approach, which offers controls about who should receive the information at the point when the user shares it. Despite Facebook going to greater lengths than many large companies, it still received a large amount of criticism for its privacy notices from legislators in the U.S. House and Senate during the congressional hearings.
In addition to the existing system of privacy policies, it seems likely that businesses will need to do more to communicate the privacy implications of their data collection and sharing to the consumers using their products. Depending on the sensitivity of the personal data, businesses may need to explain the implications at the point of collection and get the user’s express opt-in consent for its usage and sharing.
The Proposed BROWSER Act and CONSENT Act on Privacy Policies
Congress is currently considering legislation to enhance user privacy across the internet by requiring websites and mobile apps to provide additional transparency about their privacy practices.
The Senate’s CONSENT Act requires edge providers, defined in a way that includes most commercial websites and apps, to notify people about the collection, use and sharing of sensitive customer proprietary information, including financial information, health information, Social Security numbers, contents of communications, web browsing history and other enumerated information. The precise manner of notification is not specified, though it could be further clarified by FTC regulations following the passage of the legislation.
The House’s BROWSER Act goes further than the broad notification requirement of the CONSENT Act. It requires the posting of a clear and conspicuous privacy policy that is persistently available. The policy must also be provided at the point of sale, subscription, or account establishment, or before the user begins using the service if the website or mobile app does not have such a point.
What is Included in Privacy Policies
The information provided by companies will differ based on organizational choices, the sensitivity of the data, the geographical scope of the company, and many other factors. The following examples are only a handful of what might be found in a privacy policy:
– The collection, storage, use and dissemination of personally identifying information or information that could be associated with a particular consumer or device;
– How information is handled under HIPAA, if applicable;
– The collection and disclosure of geolocation data;
– The use of cookies to store and collect information;
– Data sharing with third parties;
– User access to their own data and the ability to export, correct or delete that data;
– Security precautions used; and/or
– Data storage and retention.
Note: It is important to contact a lawyer regarding the unique privacy challenges of your particular business. This checklist is not a substitute for legal counsel on the subject.
How Businesses Get in Trouble
A privacy policy has to reflect the company’s actual privacy practices. The chapter on Data Privacy in Ian C. Ballon’s E-Commerce & Internet Law: Treatise with Forms, 2D (2014) says, “[T]he easiest and quickest way for a business to get into trouble is when its actual practices diverge from its stated practices ….”
Privacy policies also need to be periodically reviewed because business, technology and marketing practices are constantly evolving and may render a privacy disclosure out of date. Changes in technology alone could create an ambiguous privacy policy as concepts and terminology evolve in newer practices.
Gaps in privacy policies also commonly arise from discrepancies between what the marketing team is actually doing with data and what it describes to the lawyers drafting the privacy disclosure.
Material changes to a privacy policy that permit broader collection and usage of data can also create risk for data collected before the change, because that data was provided under the earlier, more restrictive disclosure.
Contact Clarip Today for Help with CCPA and GDPR
The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Contact us (we return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software that offers consumers the option to opt out of the sale of personal data, to a powerful DSAR Portal to facilitate the rights to access and delete, Clarip offers enterprise privacy management at an affordable price.
If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.