Tragic (Legal) Mistake 5: Your Privacy Policy is Not Private

By Chip Cooper, Esq.

In fact, it can be enforced against you by the Federal Trade Commission.

The Rules that Affect Your Privacy Policy – And Your Business

Maybe you’re an online entrepreneur or an internet marketer. It doesn’t matter whether you are a beginner or an experienced professional, whether you work from a home office or a brick-and-mortar office. What matters most is your email marketing list. It is the holy grail of online marketing. It is as important to your bottom line as a patent is to many engineering and manufacturing firms, or a secret recipe to a restaurant.

When you have a responsive email list, you can market additional products and services to an eager audience. When you have an engaged customer base, you could make additional money by sending recommendations and referrals about business partners. 

As an internet marketer, you know that growing your online business requires growing the email marketing list. This is why building a landing page and capturing visitors’ contact information was one of your first and highest priorities.

What many business owners do not know is that their greatest asset – their email list or contact database – is also their greatest source of legal liability. The liability is so great that it could shut down your business overnight. 

Warning: You must put as much care into protecting clients’ privacy as you do maintaining the mailing list. Today’s privacy regulations require it. 

How Privacy Regulations Came Into Being

The Federal Trade Commission considers some information so private that its protection is almost sacred. 

Modern privacy regulations were born in California in 2004 with the California Online Privacy Protection Act or COPPA. COPPA went into effect July 1, 2004.

What does COPPA Say? 

All websites that collect personally identifiable information (PII) of California residents must post a privacy policy. Since few websites wanted to exclude one of the largest states in the nation, and many were hosted in California in the 2000s, virtually all websites had to comply.

COPPA defines personally identifiable information as: 

  • First name and last name of a customer
  • Their street address
  • Their email address
  • Phone number
  • Social Security Number

In some states, this list also includes a customer’s driver’s license number. 

Privacy protection is mandatory if the customer’s data is linked to other personal information such as: 

  • the customer’s height
  • their weight
  • their occupation
  • birth date

The privacy protections mandated by COPPA are only a start, with additional restrictions involved if the website is collecting information on minors under the age of 13, processes financial information like bank account numbers or hosts medical records. 

After COPPA went into effect, websites started posting privacy policies that were compliant with the regulation. Some of them did this because they didn’t want to lose out on California’s population. Others did so because they didn’t think they could screen out Californians with enough certainty to avoid violating the law. It was thus better to become compliant with California’s law than to risk a lawsuit in California’s courts.

The end result of COPPA is that it became the de facto national standard of privacy policies. 

What other national statutes and regulations on privacy should you know about? 

  • The Health Insurance Portability and Accountability Act of 1996 or HIPAA relates to patient health records. This standard applies if you ask users to post health information or let them share personal medical information.
  • The Gramm-Leach-Bliley Act or GLBA applies to financial information. It primarily affects banks, securities companies and insurance companies.
  • COPPA or the Children’s Online Privacy Protection Act addresses the privacy of children under the age of 13. Websites can only avoid this regulation if they refuse to accept information reported by minors and clearly state that the site should not be used by those under 13.
  • The Fair Credit Reporting Act or FCRA covers the collection of information by consumer reporting agencies. This act applies to your business if customers take out loans with your business or if you may report an unpaid debt by a customer to the credit bureaus.
  • Section 5 of the Federal Trade Commission Act outlines how the FTC regulates privacy.


Social Media and Privacy Protected Information 

Privacy protection is far more than ensuring that you don’t carbon copy everyone else on the marketing list so that they all see each other’s email or accidentally publicly post the names and phone numbers of all your contacts. 

Privacy protection is an ongoing battle, in part because of the rise of professional hackers and the government’s endless alterations of privacy regulations. For example, location-based services now allow marketers to determine where someone is and tailor advertisements to them. In 2011, the FTC added physical location data to the list of private information. You can still send ads to those in your vicinity based on their search results, but you cannot share the consumer’s location with other groups. The FTC also told Google that its BUZZ service couldn’t share screen names and consumer contact lists.

Mobile Apps and Privacy 

Apps are an amazing way to stay connected with your customer base. Instead of waiting for them to check their email or look for mobile coupons, you can regularly reach out to them via your apps. 

Unfortunately, apps have been found to erode overall privacy. For example, one social networking app was discovered to have uploaded users’ mobile phone contact lists without their permission. Twitter admitted to doing the same. Due to these concerns, in February 2012, California’s Attorney General announced that COPPA applied to information collected through apps as well as through websites. The FTC jumped on the bandwagon in August 2012.

What does this mean for mobile marketers? It means that the data collected through apps must be protected the same way personal information collected through websites must be protected. It also means that you can’t use an app to harvest all of the contacts on a consumer’s smart phone, monitor their mobile web surfing or save their location history, no matter what the NSA may be doing. 

The FTC formalized its privacy protections required for mobile apps in the document “Marketing Your Mobile App: Get It Right from the Start”. In this document, it stipulates that: 

  • mobile app publishers must get express and affirmative consent before they can collect location, medical or financial data
  • parental consent must be obtained and verified before they can collect personal information of children under 13

Failure to comply with these privacy regulations can result in fines from the FTC and California’s state equivalent, as well as leave vendors open to lawsuits. 

What You Should Do about the Collection and Use of Protected Information 

Create a privacy policy for your website and any apps you’ve developed. Clearly state when the privacy policy goes into effect, the type of information collected, and how users can change their private information. 
Your privacy policy must state how consumers will be notified of changes to the privacy policy, even if the privacy policy says they should simply check the privacy policy page for changes. 

Your privacy policy is treated like an advertisement when it comes to the FTC. For example, the privacy policy cannot be “deceptive”. 

If your privacy policy says you will not share personal information with third parties, you run afoul of state and federal laws if you turn around and share your mailing lists with a third party. You cannot share private information with subsidiaries or with vendors of related products and services unless your privacy policy clearly states that it may be shared with third parties.

If your privacy policy says that personal information won’t be shared and the policy is later changed, you must give your customers a chance to opt out or ask to be removed from the mailing list.

Taken together, the deceptive practices definition and the treatment of privacy policies lead to a Cardinal Rule. If you say you won’t do something, don’t do it, or the FTC can sue you for deceptive practices. If you say you will do something and don’t do it, you are as liable to an FTC claim as you would be for lying about the performance of a product.

Does the FTC actually punish those who violate the Cardinal Rule? Let’s look at some recent FTC cases. 

  • The FTC said that Google violated its own privacy policy, which stated that customers had to sign up for a particular service and that their information wouldn’t be used for a purpose other than the one for which it was collected. Google moved Gmail users to BUZZ without their permission, and the FTC sued.
  • The FTC settled with Chitika over the cookies it placed in consumers’ browsers. Chitika’s privacy policy said consumers could opt out of cookies, but the actual opt-out only lasted ten days.
  • Twitter had to reach a settlement with the FTC over data security lapses that gave hackers access to user accounts, since Twitter’s privacy policy said it made significant efforts to protect user data. In reality, Twitter used weak passwords, causing the data breach and opening the door to an FTC suit.


If the FTC is willing to go after giants like Twitter and Google, you know they’ll go after your business if you violate your own privacy policy. 

Recommendations 

Maintaining antivirus and malicious software protection on your server, so that the credit card numbers of your customers and affiliates are protected, is an under-appreciated but critical form of privacy protection. However, you need to be careful not to state that you adhere to the highest industry standards for data security. Unless you are a large defense firm with intrusion detection software, active monitoring of your network and good hackers working on your behalf, you cannot meet the highest industry standards for data security. Simply state that you will provide reasonable and adequate security of personal information.

If your website says “we will never sell or rent your personal information”, you’ve painted yourself into a corner. Now you can never do this without opening yourself up to some sort of liability. If you change the privacy policy to state that you may share consumer information in the future, you must make sure all customers know this and have months, if not years, to opt out of your mailing lists.

If you say someone must give their consent before you share their information, you must follow your own guideline. Given the seriousness and significant restrictions on collecting information on minors, include clear procedures in your privacy statement on how a parent can remove a minor’s contact information from your database as well as your right to delete the accounts of anyone who is suspected of being a minor. 
Clearly state that consumers should not post personally identifiable information on your website, such as in user forums or testimonials. Include a statement in your privacy policy that you can shut down the accounts of those who share too much personal information or post the personal information of others.

Be careful about using boilerplate privacy policies. They may make statements that don’t apply to you, while they may also neglect to address the sharing of information many internet marketers want to utilize. You should work with an attorney to craft a privacy policy that meets your specific needs and intended marketing practices. 

Conclusion 

Privacy policies are not a privacy matter; they are public record and subject to state and national regulations. Privacy regulations affect the value of your email marketing list and the survival of your business. Mishandle your privacy policy, and the FTC’s deceptive advertising claim against your firm could be the next thing the public reads about your firm.

The most important thing you can do after crafting a privacy policy is follow it. Don’t do what you said you wouldn’t, and do what you said you would.

FTC Guardian

Here’s How To Make Sure You, Your Business & Website Are FTC Compliant

By now it should be clear how important it is for you to be FTC compliant. But how can you do that without spending $7,500-$8,000 or more on Internet Attorneys?

Smart business owners around the world are doing it with the help of FTC Guardian.

FTC Guardian is a service that is 100% focused on helping you get and stay FTC compliant and fully protected. And right now, we are offering a free training to give you the knowledge, information, and guidance that you need to stay out of trouble with the Federal Trade Commission.

Free Compliance Workshop: Join Chip Cooper, Esq., the #1 FTC Compliance trainer in the World, for a one-of-a-kind, completely free online compliance workshop. Workshops fill up quickly, so register now.

Here are some of the things you’ll discover on the training:

  • Real-Life Examples of People Who Didn’t Think They Were At Risk, But Who Got Nailed By The FTC, And Why It Could Happen To You, Too
  • The 3 Enormous Powers The FTC Has That Can Change Your Life – And Your Family’s Life – Forever!
  • How to Avoid FTC Claims When Collecting Leads With Optin Forms
  • 3 Privacy Policy Mistakes Every Digital Marketer Is Making, And Why You’re In The FTC Crosshairs.
  • And Much More…

Remember: legal protection is a massively important part of your business, and it’s one you cannot afford to ignore any longer.

Go here to register for our next FREE training and make sure your business is FTC compliant today!

Disclaimer: This article is provided for informational purposes only. It’s not legal advice, and no attorney-client relationship is created. Neither the author nor FTC Guardian, Inc. is endorsed by the Federal Trade Commission.
