Though I may be predisposed to this specific type of news given my profession, it seems like every time I open my newsfeed there is another story about a large social media platform facing off against a country’s government about that company’s practices as they relate to the handling of information, personal and otherwise, it collects on its users.
Here in the US, there is no comprehensive, overarching data protection regime that companies are forced to contend with, but we are not completely without guardrails when it comes to a company’s data collection and use practices. That starts with the Federal Trade Commission (FTC), which is tasked generally with ensuring fair trade and protecting consumers from unfair or deceptive practices.
The Commission’s enforcement authority as it relates to data privacy stems from Section 5 of the FTC Act, which prohibits those practices the FTC determines are unfair or deceptive. The FTC has successfully used that authority to monitor and enforce against consumer privacy violations dating back almost to the origination of the internet.
FTC practices have evolved over time through rulemaking, enforcement cases, and the general evolution of the Commission to focus in large part on protecting consumers’ data privacy against misleading privacy statements. If a company’s practices and its representations to its users are misaligned (i.e., deceptive), then consumers are unable to make a conscious choice to visit or avoid those websites or applications.
To ensure that consumers retain agency regarding their data, the FTC wants companies to transparently communicate their data collection and use practices and match those representations with actual practice. That communication comes in the form of a privacy statement or policy that a user will agree to, either expressly or impliedly, prior to accessing a website or application, and can be found at the bottom of most webpages.
The FTC’s use of Section 5 as a means of enforcing transparent and accurate privacy policies also inhibits the use of “off the rack” privacy policies. While data collection and use practices may be similar within an industry or even across industries, they often differ from company to company. The architecture with which any application or product is built will be proprietary and may collect and use information in a proprietary manner, and as a result, the needs and use of user information will likely vary.
Privacy policies should generally contain some permutation of the following concepts, customized to fit a company’s practices:
Data Collection and Processing: Detail the types of personal information collected, the methods of collection, and the lawful basis for processing.
User Rights: Outline the rights users have regarding their data, including the right to access, correct, and delete personal information.
Data Security Measures: Describe the security protocols in place to protect user data from unauthorized access, disclosure, alteration, and destruction.
Third-Party Sharing: Disclose if and how user data is shared with third parties, including the purposes of such sharing and the identity of those parties.
Applicable Federal Sector Regulations: While the federal government does not have a comprehensive set of data protection regulations, Congress has enacted legislation that applies to certain industries or sectors, such as certain types of health-related information under the Health Insurance Portability and Accountability Act (HIPAA) and financial information under the Gramm-Leach-Bliley Act (GLBA).
State-Specific Regulations: California led the charge by enacting the California Consumer Privacy Act (CCPA) and the subsequent California Privacy Rights Act (CPRA), and a growing number of states are stepping into the data protection space in the absence of comprehensive federal legislation. A company should evaluate which state laws apply to its circumstances and include any applicable requirements in the policy.
Foreign Regulations: The nature of the internet means that just about anyone with an internet connection can access a US-based website or application, and while US law will generally govern the company, there may be instances where compliance with foreign legislation makes sense.
Minor Protections: The Children’s Online Privacy Protection Act (COPPA) regulates the collection of personal information from children under 13 years of age, and compliance may involve informing parents about a site’s data collection practices as well as providing a means of obtaining parental consent to collect such information.
Contact Information: Provide clear contact details for users to reach out with privacy-related concerns or inquiries.
Additionally, an attorney working with a company may raise additional concepts that are not captured here. Privacy regulation is one of the more rapidly evolving bodies of law, and the guidance coming from regulatory bodies is continually updated to reflect changes in technology and data protection principles.
Privacy policies may seem daunting, complex, or even unnecessary, but they are an important part of the regulatory landscape and offer an opportunity to demonstrate transparency and reasonableness to customers. They help tell the story of a company’s products or services and, when plainly drafted, can provide comfort to customers who are concerned about how their data is collected and used.
This article is for informational purposes only and may not be considered legal advice.
About Peak Counsel - We are a start-up oriented, business law firm which has redesigned legal services to make them individualized, efficient, and accessible. We focus on relationships and results, not the billable hour, so you can focus on what matters most to you: starting, growing, diversifying, or selling your business.