First Publication Date: 4th February 2008.
Over the past few months, demands for increased privacy regulation have taken center stage as increasingly private transactions move to the Internet. According to The New York Times, the Clinton Administration plans to impose privacy regulations on health care information in the waning weeks of his presidential term. Companies are faced with renewed pressure to update privacy policies as tracking technologies change and consumer concern grows.
Privacy policies are not generic and must be tailored to the industry and to the activities promoted at the Web site. Nonetheless, there are certain basic principles that all policies should follow.
Elements of the policy
Any business Web site that gathers demographic information is well served to adopt a comprehensive privacy program. The FTC has identified five core components of such a program. They are:
(4) Integrity/Security; and
These five steps do not limit the ability of a company to collect demographic or market data. Instead, the policy serves to reflect the activities in an accurate manner.
• Consent – The policy should allow users to choose whether or not to provide the data. For most business organizations, the decision not to provide personal information should not eliminate the person from participation in at least some of the Web site’s services. For some activities, such as chatrooms and listservs, the ability to monitor and control the users requires that personal contact information be collected by the organization. If information is being collected only for control purposes, then the policy should explain how the information would be used, as well as how the use of the information will be limited.
• Access – Access refers to the user’s ability to review the information provided and insure that it is correct. The FTC states that to be meaningful, “access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.”
• Integrity – Business organizations generally recognize the value of the data they have collected in their membership lists. The value of this data is directly proportional to the security of that information and the accuracy of its content. Outdated, inaccurate information should be destroyed. Reasonable steps should be taken to protect the confidentiality of the data. And to the extent that data is used for demographic study, personal identification should be removed from the statistical profiles. In many instances, for example, use of zip codes provides all the geographic specificity necessary for a business’s study of usage and trends. Using names and addresses to study the neighbourhood living habits will slow the process while risking the confidentiality of individual privacy as multiple participants to the study share the data. Increasingly, the public is voting with its feet by refusing to associate with sites that sell individually identifiable information to commercial trackers.
Enforcement of privacy policies
In addition to FTC action, companies face tremendous public pressure to comply with their stated disclosure policies. Companies like Microsoft, eToys.com and Amazon.com have come under intense scrutiny for misuse – and sometimes merely aggressive use – of the detailed customer information. The first lesson is that the policy must be drafted with enforcement in mind. An absolute guarantee is probably unwise. “Never” is a long time in the Internet age, so a promise that data will never be shared – no matter how well intentioned – is probably unwise. “Never” may also imply a guarantee against inadvertent disclosure, hacker attacks and future business transactions. These are guarantees that few, if any, businesses are willing to make.
Another lesson is that things change. Include a statement in the policy that it may change from time to time, advising the consumer to review the privacy statement page on a regular basis. Similarly, while it is courteous and good business practice to put a notice on a Web site that announces changes to policies, do not make this notice a contractual obligation or make it a condition of the new policy going into effect. Good intentions do not always result in good deeds, and no company has been taken to task for doing more than it promised.
Changes to the company must also be anticipated. Proposed mergers between companies with differing privacy policies may give rise to regulatory challenges. Similarly, bankruptcy courts are beginning to balance the creditors’ interest in assets of the corporation with the stated privacy rights of the consumers in the database. In a bankruptcy proceeding involving Toysmart.com, the FTC, 40 states’ attorneys general and counsel for TRUSTe wrangled over the rights involved in the customer data. Ultimately, the settlement required that the data only be sold as part of a going concern sale of the Web site rather than as a separate asset.