9 Ways To Bulletproof Your Privacy Policy

Is your privacy policy rock solid, or could it use some work? Mistakes can mean lawsuits, regulatory fines, and damage to corporate reputations. Here's how to protect your company.

Any company that collects, stores, and uses personal information should have a privacy policy. However, not all privacy policies are created equal.

Although many privacy policies may look the same, the riskiest ones fail to reflect what the company actually does. These can expose the organization to potential regulatory audits, fines, lawsuits, and reputational harm. To reduce the risks associated with such disconnects, businesses should spend more time thinking about — and operationalizing — their protection of sensitive data.

However, many organizations don't take their privacy policies seriously enough, as evidenced by the growing number of data breaches and the increasing amount of regulatory oversight.

Toothless privacy policies are common. In June 2015, the Online Trust Alliance (OTA) audited the security, privacy, and consumer protection practices of approximately 1,000 companies, all of which are the leading organizations in their respective industries. They included the top Internet retailers, banks, US federal government sites, social networking and sharing sites, news and media companies, Internet of Things providers, and OTA members. Forty-five percent failed to protect consumers and their data from harm and online threats. Forty-four percent made OTA's “Honor Roll” because they achieved a weighted score of 80 or better on a scale of 1–100, based on 50 different data points. When the OTA audited the top 23 presidential candidates in September 2015, it found that 74% failed because of their privacy policies.

“The FTC has been very aggressively prosecuting companies that don't really do what they say or say what they do,” said Jim Adler, in an interview. “Where companies go sideways is not so much what they say, but whether they can live up to what they're saying.” Adler is chief security officer at big data analytics company Metanautix and member of The Department of Homeland Security Data Privacy and Integrity Advisory Committee.

To minimize your own company's risks, consider these nine pointers.

Don't Cut And Paste

“Using another company's privacy policy creates serious legal risks because that policy can be used against you,” said Tatiana Melnik, attorney at law, in an interview. “If the FTC looks at what you're doing and it doesn't match your privacy policy, it will be used against you as being woefully negligent. And the courts will assume that you put something out there that you didn't read.”

Involve The Right Players

Aligning a privacy policy with a company's technology and business practices is challenging because it requires the involvement of the many stakeholders who are responsible for the data. Without that, there are knowledge gaps and security gaps that can expose the company to a number of unanticipated and unwanted outcomes.

Keep It Simple

There's a move to simplify privacy policies because they're too difficult for the average person to read and comprehend. Attention spans are short and privacy policies are long. Few people will take the time to read a document written in legalese and presented in a six-point type font. Because transparency is becoming a brand issue, some organizations are adopting a layered short notice, which presents privacy policy information in varying levels of detail: very short form; highlights; and the traditional full-blown document. Icons may also be used to simplify the communication of important points.

Avoid Overly Broad Language

How data can be used changes over time. One way of handling the uncertainty is to use overly broad language.

“Companies are drafting overly expansive privacy policies that say they can do anything and everything with users' data,” said Omer Tene, VP of research and education at the International Association of Privacy Professionals (IAPP), in an interview. “The FTC has increasingly looked critically at these practices, and might actually view them as being unfair trade practices, which is a basis for enforcement actions.”

Privacy policies are about notice and consent. An overly broad policy can fail to provide adequate notice of the data that's being collected, stored, used, and shared, and for what purposes. On the flip side, consumers may claim they did not know what they were consenting to because the language was vague.

Avoid Overly Narrow Language

Knowing that broad language can fuel disputes, some companies opt to write privacy policies that are so specific, they backfire.

“Drafting an overly restrictive policy might initially be seen as a good practice because you're constrained in your ability to use individuals' data,” said Omer Tene, VP of Research and Education at the International Association of Privacy Professionals (IAPP). “The FTC has been filing claims against companies that are not doing what they said in their privacy policies.” If you make your policy too narrow and end up going outside it, you could be punished, he said.

Consider Information Flow

Consumers are often asked whether they consent to information sharing with a company, the company and its partners, or other third parties. Despite what companies say, what they do may differ significantly.

It's important to consider the entire flow of information and the potential parties that might touch the data, in order for you to ensure that privacy policies and practices are in sync. Issues can arise in mergers and acquisitions. In the Radio Shack bankruptcy case, the sale of its 117 million customer records was a highly contentious issue involving several state attorneys general and corporations including Apple.

Tie It To Security

Effective privacy protection cannot be achieved in the absence of effective data security. Many security policies are penned with compliance in mind, rather than the protection of information assets, said Edward McNicholas, co-leader of the privacy, data security and information law practice at the law firm Sidley Austin, in an interview. “Security is only as robust as the people who are involved in it, so you have to have appropriate education and training. If your employees are putting their passwords on sticky notes attached to their computer, it doesn’t matter how sophisticated those passwords are.”

Update The Policy

A privacy policy shouldn't be a static document. Laws, statutes, regulations, technology, and cultural norms are changing all the time. Yet many privacy policies are out of date because they haven't been revisited often enough. When a lawyer, a consultant, or the OTA identifies a discrepancy between a privacy policy and actual practice, a common response is, “That's not what we do.” Craig Spiezle, president and executive director of the OTA, recommends revisiting the privacy policy with the business groups once a quarter.

Take It Seriously

Privacy policies would have a better chance of being effective if protecting sensitive data was deemed to be everyone's job in the company — an expected type of behavior.

The problem generally is a lack of consequences. Even though hacks, lawsuits, fines, and public outcries are growing in number, they still represent only a small percentage of all privacy policy breaches. In the absence of lawsuits, fines, public outcries, or other consequences, such as being reprimanded or fired, business as usual tends to chug along.

“Privacy policies say all kinds of nice things like, ‘We will not leak our user data.’ They don't say we will ensure that our on-site and off-site backups are encrypted at all times and not left on a disk drive next to the coffee machine. A great question to ask yourself is, ‘Or else what?’” said Walter O'Brien. “All these policies don't have any teeth because they don't have an ‘Or else what?’ and if there's ‘No else what,’ it doesn't matter.”

Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligence Unit. Frequent areas of coverage include big data, mobility, enterprise software, the cloud, software development, and emerging cultural issues affecting the C-suite.

http://www.informationweek.com/author-bio.asp?author_id=2250

Here’s How To Make Sure You, Your Business & Website Are FTC Compliant

By now it should be clear how important it is for you to be FTC compliant. But how can you do that without spending $7,500-$8,000 or more on Internet Attorneys?

Smart business owners around the world are doing it with the help of FTC Guardian.

FTC Guardian is a service that is 100% focused on helping you get and stay FTC compliant and fully protected. And right now, we are offering a free training to give you the knowledge, information, and guidance that you need to stay out of trouble with the Federal Trade Commission.

The training is titled: 3 Tragic (Legal) Privacy Policy List Building Mistakes That Can Get You In Hot Water With The FTC Today – Resulting In Your Business Being Shut Down… And How To Solve It!

Here are some of the things you’ll discover on the training:

  • Real-Life Examples of People Who Didn’t Think They Were At Risk, But Who Got Nailed By The FTC, And Why It Could Happen To You, Too
  • Why 2014 Was a Significant Year For Online Businesses, And Why You Should Be Worried!
  • The 3 Enormous Powers The FTC Has That Can Change Your Life – And Your Family’s Life – Forever!
  • How to Avoid FTC Claims When Collecting Leads With Optin Forms
  • 3 Privacy Policy Mistakes Every Digital Marketer Is Making, And Why You're In The FTC Crosshairs.
  • And Much More…

Remember: legal protection is a massively important part of your business, and it’s one you cannot afford to ignore any longer.

Go here to register for our next FREE training and make sure your business is FTC compliant today!

Disclaimer:  This article is provided for informational purposes only. It’s not legal advice, and no attorney-client relationship is created. Neither the author nor FTC Guardian, Inc. is endorsed by the Federal Trade Commission.
