By: Jonathan B. Wilson , TAYLOR ENGLISH DUMA LLP AND FINCEN REPORT COMPANY This article discusses the New York LLC Transparency Act (New York Act), and provides guidance on which entities must file reports...
By: Christopher Campbell and Antonious Sadek , DLA PIPER This checklist provides guidance for protecting attorney-client privilege and work product in the environment of generative artificial intelligence...
LexisNexis Southeast Asia managing director Gaythri Raman discussed her unit’s initiatives leveraging AI-powered legal innovations to transform the legal business while supporting the advancement...
New secondary materials released between November 2023 through January 2024 are featured in this listing. Top Selections California Evidence Advocacy in the Age of Statutes (Lexis+ / Lexis) and in...
By: Laurie E. Leader , EDITOR-IN-CHIEF, BENDER’S LABOR AND EMPLOYMENT BULLETIN The U.S. Department of Labor (DOL) has published its Final Rule for determining employee or independent contractor...
Copyright © 2024 LexisNexis and/or its Licensors.
By: Elizabeth C. Rogers, Greenberg Traurig, LLP.
While there is no universal legal requirement that every company have a published privacy policy, consumers have become increasingly sensitized to the data collection practices of companies with which they do business.
OFTEN, CONSUMERS EXPECT TO BE ABLE TO EXAMINE A company’s privacy policy to learn how their data will be handled, which could impact their decision to do business with that company. Consequently, if your client collects consumer data via the Internet or otherwise (e.g., by accepting credit card payments, operating a website, or having an online marketing presence), it should create a privacy policy that it can maintain and that contains universally recognized privacy principles.
This article discusses the key issues that a practitioner should consider when drafting or reviewing a client’s privacy policy, including:
A privacy policy is an external-facing statement that specifies a company’s practices regarding the collection, use, and sharing of customer or consumer data. In most cases, such companies own or operate websites, mobile applications, social media platforms, or the like, though any company may have a privacy policy. A privacy policy is distinct from a company’s overall enterprise-wide program for processing personally identifiable information (PII) or any other information regulated by law.
A privacy policy should be viewed as a binding, enforceable agreement. While breach of contract claims based on privacy policy violations have been largely unsuccessful (either because the policies were not contractual in nature or the plaintiffs failed to adequately allege the requisite harm), the Federal Trade Commission (FTC) regularly brings enforcement actions against companies that misrepresent their privacy practices (in privacy policies or otherwise). Additional information about FTC enforcement is included later in this article.
It is therefore crucial to not only have a well-crafted policy that addresses any legal or regulatory requirements, but to also ensure that the organization adheres to the policy in practice.
Because privacy policies need to be tailored to an organization’s industry and business processes, as a first step in drafting or reviewing a privacy policy, you must identify the kinds of personal information that your client is, or will be, collecting from customers or consumers. Such information is commonly referred to as personally identifiable information (PII).
While there is no universal definition of PII, it is generally considered “any information that can be used to distinguish or trace an individual’s identity” or “any other information that is linked or linkable to an individual.” See National Institute of Standards and Technology, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST Special Publication 800-122 (2010).
For instance, the following types of PII may be obtained in a commercial transaction:
Derivative data may also be collected or generated from commercial transactions, such as purchase history, customer preferences, and geo-locational data.
Companies in the health care or life sciences industries (e.g., health care providers, pharmacies, medical device manufacturers) and their downstream contractors and service providers may capture medical information related to age, health, prescription medication, or insurance or medical claim-related data. Such information is commonly referred to as personal health information (PHI) and is a type of PII.
Other types of PII may include educational or employment information, personal identification numbers (e.g., Social Security numbers or driver’s license numbers), date and place of birth, and biometric records (e.g., photographs, fingerprints, x-rays).
An appropriate privacy policy must not only address the kinds of data that are being processed, but also should consider the legal and regulatory requirements concerning the collection and use of that data.
Unlike in other nations, there is no comprehensive, uniform dataprivacy law in the United States. Instead, various federal and/or state laws regulate data privacy, generally by industry sector. Thus, the requirements of a privacy policy are often dictated by the laws governing the dominant industry to which a company belongs, as well as the state(s) where the company does business and where relevant consumers reside.
Notable Federal Privacy Laws
Notable federal privacy laws (by industry sector) include the following:
In addition, regardless of the industry, websites and online services that target children must comply with the Children’s Online Privacy Protection Act (COPPA). COPPA applies to “an operator of a website or online service directed to children” and to “any operator that has actual knowledge that it is collecting personal information from a child.”1 A child is any person under the age of 13.
Privacy policies for websites or online services covered by COPPA must be posted online and must include the following:
Notable State Privacy Laws
You should also be familiar with the privacy laws of the states in which your client does business and where relevant consumers reside, both for privacy notice and for data-breach remediation purposes. For a more detailed discussion on data breaches, see Planning for & Managing a Data Breach, Preparing a Breach Notification Letter, and State Statutory Laws Regarding DataBreaches.
California, for instance, has been at the forefront of state privacy legislation. The California Online Privacy Protection Act (CalOPPA) applies to any business that collects PII about California residents through websites, mobile applications, or online services. As such, CalOPPA has a broad reach and extends to most companies that conduct business online or engage in other online activities.
CalOPPA requires an operator of a commercial website or online service (which includes mobile apps) to do the following:3
An operator violates CalOPPA if it fails to post a privacy policy within 30 days after being notified of noncompliance, or if it otherwise fails to comply with CalOPPA or with the terms of its posted privacy policy either knowingly and willfully or negligently and materially.4 Failure to comply with CalOPPA may lead to an enforcement action by the California Attorney General (under the California Unfair Competition Law) and fines of up to $2,500 per violation.5
Other notable California data privacy laws include:
Other states may have similar laws to those in California (see, e.g., the Delaware Online Privacy and Protection Act (DOPPA), 6 Del. Code Ann. §§1201C–1206C) or laws that address other aspects of privacy, such as biometric data (see, e.g., Illinois’s Biometric Information Privacy Act, 740 ILCS 14/1–740 ILCS 14/99).
It is therefore critical to research the privacy laws of all states in which your client does business, as well as the federal laws and regulations that govern data privacy in your client’s industry sector, to ensure that the privacy policy complies with any applicable requirements. If your client does business in countries other than the United States, your client will also need to comply with those countries’ laws.
In drafting a privacy policy, you may need to balance the completeness of the information conveyed in the policy with conciseness so that the result is approachable and is more likely to be read and understood. Jargon and legalese should be kept to a minimum, and hyperlinks to definitions or terms of art (e.g., cookies or data controller) should be included.
The policy should contain at least the following information:
Other information may be required depending on the states or countries where your client does business, the laws and regulations governing your client’s industry sector, and whether your client’s website targets children under the age of 13.
The policy should be flexible enough so that it will not need frequent changes. To this end, you should consider how the organization collects and uses data, not only presently, but in the future. For example, a company may not currently share information with affiliates for marketing purposes but may decide to do so at some later time. To account for this possibility, the privacy policy should state that information that a customer provides in connection with completing a transaction may be shared for marketing purposes with affiliated entities and unrelated third parties. Other potentially foreseeable collection and use should also be stated in the policy, which will help keep the document flexible and relevant.
“Layered” Policies
For websites or mobile apps especially, you should consider recommending a “layered” privacy policy to your client. The first layer would be a short-form version of the policy that consumers may immediately and easily view (even on a smartphone screen) which highlights the most important and necessary privacy disclosures. The short version may, for instance, describe the kinds of data being captured; the permitted uses and disclosures of the data; the consumer’s rights and choices; contact information; and a link to the long-form, more comprehensive version of the policy (i.e., the second layer). You might also consider including FAQ sheets as part of the second or even third layer.
Disclosing the Policy
A privacy policy should be posted in a prominent location (such as the homepage of your client’s website). Any link to the policy should be clear and conspicuous. This may be achieved, for instance, by using larger text in the link than the surrounding text, by using contrasting symbols or colors, or by using the word “privacy” in the link.
In some situations, annual privacy notices must be mailed or handdelivered to consumers to comply with relevant laws such as the Gramm-Leach-Bliley Act (GLBA). See, e.g., Regulation P (12 C.F.R. § 1016.9), adopted by the Consumer Financial Protection Bureau (CFPB) pursuant to the GLBA.
Note, however, that a recent amendment to the GLBA8 provides an exception to the annual privacy notice requirement if a financial institution:
Reviewing and Updating the Policy
A business should review its privacy policy on a regular basis and promptly update or revise the policy to reflect any material changes in how it uses or shares PII (though, ideally, the policy would be flexible enough to encompass such changes, as discussed above). It might also consider having a process in place for notifying consumers of any material changes.
It is important to advise your client that once it decides to create and publish a privacy policy, it needs to comply with the policy in practice. The Federal Trade Commission Act (FTCA) prohibits unfair and deceptive trade practices, and the FTC has taken the position that the use or dissemination of personal information in a manner different from what is indicated in a posted privacy policy is a deceptive trade practice under the FTCA, 15 U.S.C. § 45.
The FTC has brought numerous enforcement actions relating to privacy policies (or other consumer-facing statements) that resulted in consent decrees, including the imposition of fines and audit obligations (which in some cases may last for 20 years). Common reasons for enforcement actions include:
Notable enforcement actions in these areas are discussed in further detail below.
Broken Promises
In In re Nomi Technologies, Inc.,9 respondent had used mobile device tracking technology to track consumers’ movements within retail stores. (Specifically, it sold the technology to retailers and, as such, had no direct contact with the consumers whose information was being tracked.) Respondent’s privacy policy stated that consumers could opt out of such tracking either online or in stores using the technology, and that consumers would be informed when the tracking was taking place. However, respondent did not require its retailer clients to notify consumers that they were being tracked.
The FTC alleged that the privacy disclosures in respondent’s policy were deceptive and violated Section 5 of the FTC Act because respondent did not, in fact, provide in-store opt-out mechanisms or notify consumers of the tracking. The FTC noted that retailers that contracted with respondent were not obligated to post notices of the tracking program in their stores and that respondent’s website did not list all of the retailers using its technology. Thus, the fact that consumers could opt out via respondent’s website did not overcome the failure to provide in-store opt-out mechanisms.
Retroactive Privacy Policy Changes
In In re Gateway Learning Corp.,10 respondent’s online privacy policy stated that it would not sell, rent, or loan customer personal information to third parties without consent. However, respondent began renting personal information to third parties without informing customers or obtaining consent and subsequently revised its policy to state that it would provide customer information to “reputable companies” from time to time. Finding that the retroactive change to the privacy policy was material and constituted an unfair practice, the FTC barred respondent from making future retroactive material changes to its policy without first obtaining consumer consent.
Deceptive Data Collection or Use
In In re PaymentsMD, LLC,11 the FTC alleged that a medical billing provider and its former CEO used the sign-up process for an online billing portal—where consumers could view their billing history—to deceptively obtain consumers’ consent to collect highly detailed medical information from pharmacies, medical laboratories, and insurance companies. As part of the settlement, the FTC banned respondents from deceiving consumers about how they collect and use information, including how the information may be shared with or collected from a third party.
Inadequate Data Security
In In Re Oracle Corp.,12 respondent Oracle Corp. had acquired Java Standard Edition (Java SE) software from Sun Microsystems in 2010. Oracle was aware that older versions of Java SE were insecure and offered updates to consumers. Oracle warranted, as part of the update process, that both the updates and the consumer’s system would be “safe and secure” with the “latest . . . security updates.” However, the update only removed the most recent version of Java SE and not any of the earlier insecure versions. The FTC alleged that Oracle’s failure to disclose the limitations of the update process was deceptive in light of its statements regarding security.
Inadequate Disclosure of the Amount of Data Gathering
In In re Compete, Inc.,13 respondent, a web analytics company, collected data about consumers through two products: a Toolbar and a Consumer Input Panel. Respondent represented that its products would collect and transmit information about the websites consumers visited but failed to disclose the extent of personal information that was collected and transmitted. Such information included consumers’ Social Security numbers, credit card and bank account numbers, and security codes and expiration dates. The FTC alleged that respondent’s failure to disclose the extent of data gathering violated Section 5 of the FTC Act.
Elizabeth C. Rogers is a shareholder in Greenberg Traurig’s Cybersecurity, Privacy and Crisis Management practice group.
RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security > Drafting Privacy Policies > Practice Notes > Drafting Privacy Policies
For a comprehensive discussion on preparing for and responding to a data breach, see
> PLANNING FOR & MANAGING A DATA BREACH
RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Planning for & Managing a Data Breach > Practice Notes > Planning for & Managing a Data Breach
For assistance in preparing a data breach notification letter, see
> PREPARING A BREACH NOTIFICATION LETTER
For a list of the individual data breach security statutes by state, see
> CHART – KEY REQUIREMENTS OF STATE DATA BREACH LAWS
For more information on the Controlling the Assault of NonSolicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), see
> COMPLYING WITH THE CAN-SPAM ACT
RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Privacy & Data Security Compliance > Practice Notes > Complying with Privacy & Data Security Laws
For a detailed discussion on the Gramm-Leach-Bliley Act (GLBA), see
> COMPLYING WITH THE PRIVACY REQUIREMENTS OF THE GRAMM-LEACH-BLILEY ACT (GLBA)
For an explanation of the requirements of the Children’s Online Privacy Protection Act and Rule (COPPA), see
> COMPLYING WITH THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)
1. Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6502(a)(1). 2. Children’s Online Privacy Protection Rule, 16 C.F.R. § 312.4(d). 3. California Online Privacy Protection Act, Cal. Bus. & Prof. Code § 22575. 4. Cal. Bus. & Prof. Code §§ 22575(a), 22576. 5. Cal. Bus. & Prof. Code § 17206(a). 6. Cal. Bus. & Prof. Code §§ 22580–22582. 7. Cal. Bus. & Prof. Code §§ 22584–2285. 8. Section 75001 of the Fixing America’s Surface Transportation Act (the FAST Act), 114 P.L. 94 (effective Dec. 4, 2015). 9. In re Nomi Techs., Inc., 2015 FTC LEXIS 101 (F.T.C. Apr. 23, 2015). 10. In re Gateway Learning Corp., 138 F.T.C. 443 (F.T.C. 2004). 11. In re PaymentsMD, LLC, 2015 FTC LEXIS 24 (F.T.C. Jan. 27, 2015). 12. In re Oracle Corp., 2015 FTC LEXIS 292 (F.T.C. Dec. 21, 2015). 13. In re Compete, Inc., 2013 FTC LEXIS 14 (F.T.C. Feb. 20, 2013).