SE-KB.10 -Web Site Privacy Policy

Privacy concerns arise in any situation where personal information is collected and stored.  In fact, any website that collects personally identifying information is required to post a Privacy Policy disclosing the ways that the party gathers, uses, discloses, and manages personally identifying information. While there is no single definition for what constitutes personally identifying information, with respect to Privacy Policies it is prudent for companies to assume a definition that covers any information that could possibly identify a person or information about them.


What is a Privacy Policy?

A Privacy Policy is a written statement posted on a company’s web site that informed users how the company will use their data and information.  The purpose of a Privacy Policy is two-fold:  first, to comply with an array of government regulations; and second, to explain to users how their data will be used to inform (or perhaps reassure) them how comfortable they should be using the site and sharing information.


What should be covered by Privacy Policies? 

The Fair Information Principles, published by the Federal Trade Commission, provides a set of non-binding governing principles for the commercial use of personal information.  These principles offer guidance to draft policies that encompass existing privacy concerns.  The four critical issues identified in Fair Information Principles are: (1) notice, meaning that information practices must be disclosed before personal information is collected; (2) choice, meaning that consumers must be given options as to how collected personal information can be used beyond the purpose for which it was provided; (3) access, meaning consumers should be able to check the accuracy and completeness of personal information collected; and (4) security, meaning that reasonable steps must be taken to assure consumers that the personal information collected is secure from unauthorized use.

In order to conform with the Fair Information Principles, a Privacy Policy generally includes statements regarding the following: (1) the sources from which personal information is collected; (2) specifically how the collected personal information is used; (3) with whom the collected personal information is shared; (4) an option allowing consumers to opt out of the disclosure of personal information to third parties; and (5) the steps taken to protect the collected personal information.



What do Privacy Laws Require?

While there is not a single comprehensive body of law that is generally applicable to privacy policies, there are some federal laws that govern Privacy Policies under specific circumstances.  The most notable of these are explained below.

The Children’s Online Privacy Protection Act (COPPA) mandates that commercial websites, which direct online services to children under 13, or that knowingly collect information from them, inform parents of their information practices, and obtain verifiable parental consent before collecting, using, or disclosing personal information from children. In addition to posting a privacy policy, these websites must also adhere to enumerated information-sharing restrictions.

The Gramm-Leach-Bliley Act requires institutions significantly engaged in financial activities to provide clear, conspicuous, and accurate statements of their information-sharing practices. The Act also restricts the use and disclosure of financial information to unauthorized third parties.

The Health Insurance Portability and Accountability Act (HIPAA) requires notice in writing of the privacy practices of health care services.  HIPPA protect how an individual’s health information is used by organizations and disclosed to others. All health care providers, insurance companies, employer-sponsored health plans and HMOs are the covered entities, which must comply with this privacy rule’s guidelines. The covered entities of HIPAA are one of the most extensively regulated niches, regarding information privacy.

Some states have implemented more stringent regulations for Privacy Policies. For example, Texas requires that “persons who require disclosure of a social security number adopt, make available, and strictly follow a Privacy Policy.” California requires “any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a Privacy Policy on the site.”  Additionally, both Nebraska and Pennsylvania have laws treating misleading statements in Privacy Policies published on Web sites as deceptive or fraudulent business practices

U.S. companies should also be particularly cautious with e-commerce, because the European Union (EU) has far stricter privacy regulations, which can affect U.S. companies. The EU Data Privacy Directive prohibits EU organizations from transferring personal data to countries where privacy protection is not deemed adequate. To prevent the interruption of data transfers from the EU to the U.S., the EU approved “Safe Harbor Principles.” The Safe Harbor Principles permit U.S. companies that voluntarily abide by the Safe Harbor Principles to continue data transfers with the EU member states. U.S. companies within the safe harbor are presumed to provide adequate privacy protection.


What else do I need to know about Privacy Policies?

It is important for companies to draft Privacy Policies that accurately reflect it’s actual practices. This is commonly where companies run into problems and open themselves up to liability. When a company fails to strictly follow its posted Privacy Policy in its day-to-day operations, its actions may be seen as unfair or deceptive trade practices leading to enforcement actions. Thus, it is important to avoid simply borrowing language from another’s Privacy Policy or a standard template. Rather, a company should disclose their actual collection and maintenance practices in a clear and concise manner.