Drafting Privacy Policies
 

Drafting Privacy Policies

Posted on 11-08-2016

 

By: Elizabeth C. Rogers, Greenberg Traurig, LLP.                

While there is no universal legal requirement that every company have a published privacy policy, consumers have become increasingly sensitized to the data collection practices of companies with which they do business.

OFTEN, CONSUMERS EXPECT TO BE ABLE TO EXAMINE A company’s privacy policy to learn how their data will be handled, which could impact their decision to do business with that company. Consequently, if your client collects consumer data via the Internet or otherwise (e.g., by accepting credit card payments, operating a website, or having an online marketing presence), it should create a privacy policy that it can maintain and that contains universally recognized privacy principles.

This article discusses the key issues that a practitioner should consider when drafting or reviewing a client’s privacy policy, including:

  • The types of personal information collected by the client
  • Relevant legal and regulatory requirements
  • What information to include in the policy
  • The importance of adhering to the policy in practice

Privacy Policy Basics

A privacy policy is an external-facing statement that specifies a company’s practices regarding the collection, use, and sharing of customer or consumer data. In most cases, such companies own or operate websites, mobile applications, social media platforms, or the like, though any company may have a privacy policy. A privacy policy is distinct from a company’s overall enterprise-wide program for processing personally identifiable information (PII) or any other information regulated by law.

A privacy policy should be viewed as a binding, enforceable agreement. While breach of contract claims based on privacy policy violations have been largely unsuccessful (either because the policies were not contractual in nature or the plaintiffs failed to adequately allege the requisite harm), the Federal Trade Commission (FTC) regularly brings enforcement actions against companies that misrepresent their privacy practices (in privacy policies or otherwise). Additional information about FTC enforcement is included later in this article.

It is therefore crucial to not only have a well-crafted policy that addresses any legal or regulatory requirements, but to also ensure that the organization adheres to the policy in practice.

What Personal Information Is Collected?

Because privacy policies need to be tailored to an organization’s industry and business processes, as a first step in drafting or reviewing a privacy policy, you must identify the kinds of personal information that your client is, or will be, collecting from customers or consumers. Such information is commonly referred to as personally identifiable information (PII).

While there is no universal definition of PII, it is generally considered “any information that can be used to distinguish or trace an individual’s identity” or “any other information that is linked or linkable to an individual.” See National Institute of Standards and Technology, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST Special Publication 800-122 (2010).

For instance, the following types of PII may be obtained in a commercial transaction:

  • Name
  • Address
  • Telephone number
  • E-mail address
  • Credit card information
  • Banking account information

Derivative data may also be collected or generated from commercial transactions, such as purchase history, customer preferences, and geo-locational data.

Companies in the health care or life sciences industries (e.g., health care providers, pharmacies, medical device manufacturers) and their downstream contractors and service providers may capture medical information related to age, health, prescription medication, or insurance or medical claim-related data. Such information is commonly referred to as personal health information (PHI) and is a type of PII.

Other types of PII may include educational or employment information, personal identification numbers (e.g., Social Security numbers or driver’s license numbers), date and place of birth, and biometric records (e.g., photographs, fingerprints, x-rays).

Legal & Regulatory Considerations

An appropriate privacy policy must not only address the kinds of data that are being processed, but also should consider the legal and regulatory requirements concerning the collection and use of that data.

Unlike in other nations, there is no comprehensive, uniform dataprivacy law in the United States. Instead, various federal and/or state laws regulate data privacy, generally by industry sector. Thus, the requirements of a privacy policy are often dictated by the laws governing the dominant industry to which a company belongs, as well as the state(s) where the company does business and where relevant consumers reside.

Notable Federal Privacy Laws

Notable federal privacy laws (by industry sector) include the following:

  • Health sector. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
  • Financial sector. The Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA).
  • Educational sector. The Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA).
  • Telecommunications and marketing sector. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), the Telecommunications Act of 1996, the Cable Communications Policy Act of 1984, and the Video Privacy Protection Act of 1988 (VPPA).

In addition, regardless of the industry, websites and online services that target children must comply with the Children’s Online Privacy Protection Act (COPPA). COPPA applies to “an operator of a website or online service directed to children” and to “any operator that has actual knowledge that it is collecting personal information from a child.”1 A child is any person under the age of 13.

Privacy policies for websites or online services covered by COPPA must be posted online and must include the following:

  • The information that is collected from children (including whether the website or online service enables children to make personal information publicly available), how the operator uses such information, and the operator’s disclosure practices for such information
  • The names, addresses, telephone numbers, and e-mail addresses of all operators who collect or maintain children’s personal information through the website or online service
  • A statement that a parent can review or have deleted a child’s personal information and refuse to permit further collection or use of such information, along with the procedures for doing so2

Notable State Privacy Laws

You should also be familiar with the privacy laws of the states in which your client does business and where relevant consumers reside, both for privacy notice and for data-breach remediation purposes. For a more detailed discussion on data breaches, see Planning for & Managing a Data Breach, Preparing a Breach Notification Letter, and State Statutory Laws Regarding DataBreaches.

California, for instance, has been at the forefront of state privacy legislation. The California Online Privacy Protection Act (CalOPPA) applies to any business that collects PII about California residents through websites, mobile applications, or online services. As such, CalOPPA has a broad reach and extends to most companies that conduct business online or engage in other online activities.

CalOPPA requires an operator of a commercial website or online service (which includes mobile apps) to do the following:3

  • Conspicuously post a privacy policy on its website (or in the case of an online service, make the policy available)
  • Include various disclosures in the policy (such as what information is collected and with whom it is shared, how the business responds to web browser “Do Not Track” signals, and whether any third parties may collect PII on the business’s website or online service)
  • Adhere to the policy

An operator violates CalOPPA if it fails to post a privacy policy within 30 days after being notified of noncompliance, or if it otherwise fails to comply with CalOPPA or with the terms of its posted privacy policy either knowingly and willfully or negligently and materially.4 Failure to comply with CalOPPA may lead to an enforcement action by the California Attorney General (under the California Unfair Competition Law) and fines of up to $2,500 per violation.5

Other notable California data privacy laws include:

  • Privacy Rights for California Minors in the Digital World. This law allows minors to request the removal of content or information posted online and restricts the online advertising of certain products and services to minors.6
  • Student Online Personal Information Protection Act (SOPIPA). This Act protects the use of student data by operators of websites, mobile applications, or online services that have actual knowledge that the site, service, or application is primarily used for K-12 school purposes and was designed and marketed for such purposes.7

Other states may have similar laws to those in California (see, e.g., the Delaware Online Privacy and Protection Act (DOPPA), 6 Del. Code Ann. §§1201C–1206C) or laws that address other aspects of privacy, such as biometric data (see, e.g., Illinois’s Biometric Information Privacy Act, 740 ILCS 14/1–740 ILCS 14/99).

It is therefore critical to research the privacy laws of all states in which your client does business, as well as the federal laws and regulations that govern data privacy in your client’s industry sector, to ensure that the privacy policy complies with any applicable requirements. If your client does business in countries other than the United States, your client will also need to comply with those countries’ laws.

Information to Include in a Privacy Policy

In drafting a privacy policy, you may need to balance the completeness of the information conveyed in the policy with conciseness so that the result is approachable and is more likely to be read and understood. Jargon and legalese should be kept to a minimum, and hyperlinks to definitions or terms of art (e.g., cookies or data controller) should be included.

The policy should contain at least the following information:

  • What personal data is collected
  • How the data is collected (e.g., is the data collected directly from the consumer or from third-party sources?)
  • How the data will be used and protected (e.g., are there reasonable security safeguards in place?)
  • Whether the data will be shared with any affiliates or unrelated third parties for marketing (or other) purposes
  • The consumer’s rights and choices (e.g., any right to access the data and make corrections; rights and/or choices regarding data collection, use, and sharing)
  • Any opt-out or opt-in procedures
  • How cookies are used (cookies are small text files that a website transfers to a consumer’s hard drive or web browser, which are used to track user preferences, often for analytics and marketing purposes)
  • The organization’s contact information (e.g., an e-mail or postal address)
  • The effective date of the policy

Other information may be required depending on the states or countries where your client does business, the laws and regulations governing your client’s industry sector, and whether your client’s website targets children under the age of 13.

The policy should be flexible enough so that it will not need frequent changes. To this end, you should consider how the organization collects and uses data, not only presently, but in the future. For example, a company may not currently share information with affiliates for marketing purposes but may decide to do so at some later time. To account for this possibility, the privacy policy should state that information that a customer provides in connection with completing a transaction may be shared for marketing purposes with affiliated entities and unrelated third parties. Other potentially foreseeable collection and use should also be stated in the policy, which will help keep the document flexible and relevant.

“Layered” Policies

For websites or mobile apps especially, you should consider recommending a “layered” privacy policy to your client. The first layer would be a short-form version of the policy that consumers may immediately and easily view (even on a smartphone screen) which highlights the most important and necessary privacy disclosures. The short version may, for instance, describe the kinds of data being captured; the permitted uses and disclosures of the data; the consumer’s rights and choices; contact information; and a link to the long-form, more comprehensive version of the policy (i.e., the second layer). You might also consider including FAQ sheets as part of the second or even third layer.

Disclosing the Policy

A privacy policy should be posted in a prominent location (such as the homepage of your client’s website). Any link to the policy should be clear and conspicuous. This may be achieved, for instance, by using larger text in the link than the surrounding text, by using contrasting symbols or colors, or by using the word “privacy” in the link.

In some situations, annual privacy notices must be mailed or handdelivered to consumers to comply with relevant laws such as the Gramm-Leach-Bliley Act (GLBA). See, e.g., Regulation P (12 C.F.R. § 1016.9), adopted by the Consumer Financial Protection Bureau (CFPB) pursuant to the GLBA.

Note, however, that a recent amendment to the GLBA8 provides an exception to the annual privacy notice requirement if a financial institution:

  • Only shares nonpublic personal information (NPI) as permitted by the GLBA
  • Has not changed its policies and practices with regard to disclosing NPI since the most recent disclosure sent to consumers

Reviewing and Updating the Policy

A business should review its privacy policy on a regular basis and promptly update or revise the policy to reflect any material changes in how it uses or shares PII (though, ideally, the policy would be flexible enough to encompass such changes, as discussed above). It might also consider having a process in place for notifying consumers of any material changes.

Importance of Adhering to the Policy

It is important to advise your client that once it decides to create and publish a privacy policy, it needs to comply with the policy in practice. The Federal Trade Commission Act (FTCA) prohibits unfair and deceptive trade practices, and the FTC has taken the position that the use or dissemination of personal information in a manner different from what is indicated in a posted privacy policy is a deceptive trade practice under the FTCA, 15 U.S.C. § 45.

The FTC has brought numerous enforcement actions relating to privacy policies (or other consumer-facing statements) that resulted in consent decrees, including the imposition of fines and audit obligations (which in some cases may last for 20 years). Common reasons for enforcement actions include:

  • Broken promises
  • Retroactive privacy policy changes
  • Deceptive data collection or use
  • Inadequate data security
  • Inadequate disclosure of the amount of data gathering

Notable enforcement actions in these areas are discussed in further detail below.

Broken Promises

In In re Nomi Technologies, Inc.,9 respondent had used mobile device tracking technology to track consumers’ movements within retail stores. (Specifically, it sold the technology to retailers and, as such, had no direct contact with the consumers whose information was being tracked.) Respondent’s privacy policy stated that consumers could opt out of such tracking either online or in stores using the technology, and that consumers would be informed when the tracking was taking place. However, respondent did not require its retailer clients to notify consumers that they were being tracked.

The FTC alleged that the privacy disclosures in respondent’s policy were deceptive and violated Section 5 of the FTC Act because respondent did not, in fact, provide in-store opt-out mechanisms or notify consumers of the tracking. The FTC noted that retailers that contracted with respondent were not obligated to post notices of the tracking program in their stores and that respondent’s website did not list all of the retailers using its technology. Thus, the fact that consumers could opt out via respondent’s website did not overcome the failure to provide in-store opt-out mechanisms.

Retroactive Privacy Policy Changes

In In re Gateway Learning Corp.,10 respondent’s online privacy policy stated that it would not sell, rent, or loan customer personal information to third parties without consent. However, respondent began renting personal information to third parties without informing customers or obtaining consent and subsequently revised its policy to state that it would provide customer information to “reputable companies” from time to time. Finding that the retroactive change to the privacy policy was material and constituted an unfair practice, the FTC barred respondent from making future retroactive material changes to its policy without first obtaining consumer consent.

Deceptive Data Collection or Use

In In re PaymentsMD, LLC,11 the FTC alleged that a medical billing provider and its former CEO used the sign-up process for an online billing portal—where consumers could view their billing history—to deceptively obtain consumers’ consent to collect highly detailed medical information from pharmacies, medical laboratories, and insurance companies. As part of the settlement, the FTC banned respondents from deceiving consumers about how they collect and use information, including how the information may be shared with or collected from a third party.

Inadequate Data Security

In In Re Oracle Corp.,12 respondent Oracle Corp. had acquired Java Standard Edition (Java SE) software from Sun Microsystems in 2010. Oracle was aware that older versions of Java SE were insecure and offered updates to consumers. Oracle warranted, as part of the update process, that both the updates and the consumer’s system would be “safe and secure” with the “latest . . . security updates.” However, the update only removed the most recent version of Java SE and not any of the earlier insecure versions. The FTC alleged that Oracle’s failure to disclose the limitations of the update process was deceptive in light of its statements regarding security.

Inadequate Disclosure of the Amount of Data Gathering

In In re Compete, Inc.,13 respondent, a web analytics company, collected data about consumers through two products: a Toolbar and a Consumer Input Panel. Respondent represented that its products would collect and transmit information about the websites consumers visited but failed to disclose the extent of personal information that was collected and transmitted. Such information included consumers’ Social Security numbers, credit card and bank account numbers, and security codes and expiration dates. The FTC alleged that respondent’s failure to disclose the extent of data gathering violated Section 5 of the FTC Act.


Elizabeth C. Rogers is a shareholder in Greenberg Traurig’s Cybersecurity, Privacy and Crisis Management practice group.


To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security > Drafting Privacy Policies > Practice Notes > Drafting Privacy Policies

Related Content

For a comprehensive discussion on preparing for and responding to a data breach, see

> PLANNING FOR & MANAGING A DATA BREACH

RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Planning for & Managing a Data Breach > Practice Notes > Planning for & Managing a Data Breach

For assistance in preparing a data breach notification letter, see

> PREPARING A BREACH NOTIFICATION LETTER

RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Planning for & Managing a Data Breach > Practice Notes > Planning for & Managing a Data Breach

For a list of the individual data breach security statutes by state, see

> CHART – KEY REQUIREMENTS OF STATE DATA BREACH LAWS

RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Planning for & Managing a Data Breach > Practice Notes > Planning for & Managing a Data Breach

For more information on the Controlling the Assault of NonSolicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), see

> COMPLYING WITH THE CAN-SPAM ACT

RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Privacy & Data Security Compliance > Practice Notes > Complying with Privacy & Data Security Laws

For a detailed discussion on the Gramm-Leach-Bliley Act (GLBA), see

> COMPLYING WITH THE PRIVACY REQUIREMENTS OF THE GRAMM-LEACH-BLILEY ACT (GLBA)

RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Privacy & Data Security Compliance > Practice Notes > Complying with Privacy & Data Security Laws

For an explanation of the requirements of the Children’s Online Privacy Protection Act and Rule (COPPA), see

> COMPLYING WITH THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)

RESEARCH PATH: Intellectual Property & Technology > Privacy and Data Security > Privacy & Data Security Compliance > Practice Notes > Complying with Privacy & Data Security Laws

1. Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6502(a)(1). 2. Children’s Online Privacy Protection Rule, 16 C.F.R. § 312.4(d). 3. California Online Privacy Protection Act, Cal. Bus. & Prof. Code § 22575. 4. Cal. Bus. & Prof. Code §§ 22575(a), 22576. 5. Cal. Bus. & Prof. Code § 17206(a). 6. Cal. Bus. & Prof. Code §§ 22580–22582. 7. Cal. Bus. & Prof. Code §§ 22584–2285. 8. Section 75001 of the Fixing America’s Surface Transportation Act (the FAST Act), 114 P.L. 94 (effective Dec. 4, 2015). 9. In re Nomi Techs., Inc., 2015 FTC LEXIS 101 (F.T.C. Apr. 23, 2015). 10. In re Gateway Learning Corp., 138 F.T.C. 443 (F.T.C. 2004). 11. In re PaymentsMD, LLC, 2015 FTC LEXIS 24 (F.T.C. Jan. 27, 2015). 12. In re Oracle Corp., 2015 FTC LEXIS 292 (F.T.C. Dec. 21, 2015). 13. In re Compete, Inc., 2013 FTC LEXIS 14 (F.T.C. Feb. 20, 2013).