What should be covered by Privacy Policies?
The Fair Information Principles, published by the Federal Trade Commission, provide a set of non-binding governing principles for the commercial use of personal information. These principles offer guidance for drafting policies that address existing privacy concerns. The four critical issues identified in the Fair Information Principles are: (1) notice, meaning that information practices must be disclosed before personal information is collected; (2) choice, meaning that consumers must be given options as to how collected personal information can be used beyond the purpose for which it was provided; (3) access, meaning that consumers should be able to check the accuracy and completeness of the personal information collected; and (4) security, meaning that reasonable steps must be taken to assure consumers that the personal information collected is secure from unauthorized use.
What do Privacy Laws Require?
While there is not a single comprehensive body of law that is generally applicable to privacy policies, there are some federal laws that govern Privacy Policies under specific circumstances. The most notable of these are explained below.
The Gramm-Leach-Bliley Act requires institutions significantly engaged in financial activities to provide clear, conspicuous, and accurate statements of their information-sharing practices. The Act also restricts the use and disclosure of financial information to unauthorized third parties.
The Health Insurance Portability and Accountability Act (HIPAA) requires written notice of the privacy practices of health care services. HIPAA protects how an individual’s health information is used by organizations and disclosed to others. All health care providers, insurance companies, employer-sponsored health plans and HMOs are covered entities, which must comply with the privacy rule’s guidelines. The covered entities of HIPAA are among the most extensively regulated groups with regard to information privacy.
U.S. companies should also be particularly cautious with e-commerce, because the European Union (EU) has far stricter privacy regulations, which can affect U.S. companies. The EU Data Privacy Directive prohibits EU organizations from transferring personal data to countries where privacy protection is not deemed adequate. To prevent the interruption of data transfers from the EU to the U.S., the EU approved the “Safe Harbor Principles.” U.S. companies that voluntarily abide by the Safe Harbor Principles are permitted to continue data transfers with the EU member states, and companies within the safe harbor are presumed to provide adequate privacy protection.
What else do I need to know about Privacy Policies?