Though I may be predisposed to this specific type of news given my profession, it seems like every time I open my newsfeed there is another story about a large social media platform facing off against a country’s government about that company’s practices as they relate to the handling of information, personal and otherwise, it collects on its users.
The claim from the governmental body often looks like the following: The social media platform is in violation of our regulations because the platform collects and uses user information in ways that are different (read, more expansive or intrusive) than the practices outlined in public facing documents like the company’s privacy policy. After a few news cycles and administrative or judicial processes, those claims are often settled, and we wait until the next platform takes its turn. This tends to play out most often in the European theater due primarily to the rigorous legislation that is GDPR.
Here in the US, there is no comprehensive, overarching data protection regime that companies are forced to contend with, but we are not completely without guardrails when it comes to a company’s data collection and use practices. That starts with the Federal Trade Commission (FTC) who is tasked generally with ensuring fair trade and protecting consumers from unfair or deceptive practices.
The organization’s enforcement ability as it relates to data privacy stems from Section 5 of the FTC Act which prohibits those practices the FTC determines are unfair or deceptive. The FTC has successfully used that authority to monitor and enforce consumer privacy violations dating back almost to the origination of the internet.
FTC practices have evolved over time through rulemaking, enforcement cases, and general evolution of the Commission to focus in large part on protecting consumers’ data privacy against misleading privacy statements. If a company’s practices and representations to its users are unaligned (i.e. deceptive), then consumers are unable to make a conscious choice to visit or avoid those websites or applications.
To ensure that consumers retain agency regarding their data, the FTC wants companies to transparently communicate their data collection and use practices and match those representations with actual practice. That communication comes in the form of a privacy statement or policy that a user will agree to, either expressly or impliedly, prior to accessing a website or application, and can be found at the bottom of most webpages.
Does My Company Need a Privacy Policy and If So, Can I Pull One ‘Off the Rack’?
Common questions I receive from clients are whether a privacy policy is needed and whether an “off the rack” can simply be added to the bottom of their webpages. To answer the first question, we need to start with the FTC.
As mentioned above, the FTC is tasked with protecting consumers from unfair and deceptive business practices. Policy statements incongruous with actual data practices risk FTC enforcement because that mismatch between policy and practice are deceptive, so if an application or webpage collects and uses information related to a user, which is nearly every application and webpage on the internet, it will almost assuredly need to publicize those collection and use practices as it relates to that information to avoid running afoul of the FTC, and that most often takes the form of a privacy policy. This also means that having no policy posted is risky behavior given the need of a business to collect even minimal information on its users to provide services.
The FTC’s use of Section 5 as a means of enforcing transparent and accurate privacy policies also inhibits the use of “off the rack” privacy policies. While data collection and use practices may be similar within an industry or even across industries, they often differ from company to company. The architecture with which any application or product is built will be proprietary and may collect and use information in proprietary manner, and as a result, the needs and use of user information will likely vary.
This leaves a potential gap and legal exposure between a template privacy policy, if one is used, and a company’s practices. The only way to ensure that that exposure is minimized is to document a clear outline of the data collection and use practices and then draft a policy that reflects those practices as opposed to a blanket template. Going with a privacy policy designed to fit a different company and different set of circumstances raises the risk profile of the company unnecessarily.
Common Elements of a Privacy Policy
Now that we have established that having a privacy policy can be beneficial to the company, the next step is to consider the contents of the policy. This will often accompany a data mapping exercise, where the company accounts for the data it collects and uses.
Privacy policies should generally contain some permutation the following concepts customized to fit a company’s practices:
Introduction and Overview: Clearly articulate the purpose of the privacy policy, the types of information collected, and how it will be used.
Data Collection and Processing: Detail the types of personal information collected, the methods of collection, and the lawful basis for processing.
User Rights: Outline the rights users have regarding their data, including the right to access, correct, and delete personal information.
Data Security Measures: Describe the security protocols in place to protect user data from unauthorized access, disclosure, alteration, and destruction.
Cookies and Tracking Technologies: Explain the use of cookies, tracking pixels, and other technologies, and provide users with options to manage cookie preferences. This is often captured in a separate but linked ‘Cookie Policy’ that outlines the types of cookies that a company uses and whether those cookies can be deactivated.
Third-Party Sharing: Disclose if and how user data is shared with third parties, including the purposes of such sharing and the identity of those parties.
Policy Updates: Specify how and when the privacy policy will be updated, and the mechanisms for informing users about changes.
Applicable Federal Sector Regulations: While the federal government does not have a comprehensive set of data protection regulations, Congress has enacted legislation that applies to certain industries or sectors, such as certain types of health-related information under the Healthcare Insurance Portability and Accountability Act (HIPAA) and financial information under the Gramm-Leach-Bliley Act (GLBA).
State Specific Regulations: California led the charge enacting the California Consumer Privacy Act (CCPA) and subsequent California Privacy Rights Act (CPRA), and a growing number of states are stepping into the data protection space in the absence of comprehensive federal legislation. A company should evaluate what state laws apply to its circumstances and include any applicable requirements in the policy.
Foreign Regulations: The nature of the internet means that just about anyone with an internet connection can access a US based website or application, and while US law will generally govern the company, there may be instances where compliance with foreign legislation may make sense.
Minor Protections: The Children’s Online Privacy Protection Act (COPPA) regulates the collection of personal information from children under 13 years of age and compliance may involve informing parents about a sites data collection practices as well as a means of parental consent to collect such information.
Contact Information: Provide clear contact details for users to reach out with privacy-related concerns or inquiries.
The above list should be viewed not as a comprehensive set of rules to follow when drafting a privacy policy but a menu to choose from as they apply to a given circumstance.
Additionally, when working with an attorney, he or she may raise additional concepts that are not captured here. Privacy regulation is one of the more rapidly evolving bodies of law, and the guidance coming from regulatory bodies is continually updated to reflect changes in technology and data protection principles.
Privacy policies may seem daunting, complex, or even unnecessary, but they are an important part of the regulatory landscape and offer an opportunity to express transparency and reasonableness to customers. They help tell the story of a company’s product or services and when plainly drafted can provide comfort to customers who are concerned about how their data is collected and used.
This article is for informational purposes only and may not be considered legal advice.
About Peak Counsel - We are a start-up oriented, business law firm which has redesigned legal services to make them individualized, efficient, and accessible. We focus on relationships and results, not the billable hour, so you can focus on what matters most to you: starting, growing, diversifying, or selling your business.