Privacy Policies: Why Having One Is Crucial For Your Company
By Jeff Villalobos
While the United States has established some privacy regimes, like the Children’s Online Privacy Protection Act (COPPA), it has not yet enacted a comprehensive privacy law. As a result, many states have led the charge and require that companies, small and large, disclose their practices to consumers. Additionally, with the enactment of the General Data Protection Regulation (GDPR) in the EU in 2018, many companies find that they are subject to international standards for privacy laws. Because it is rare that a transaction occurs in only one state and because websites or apps have users in many jurisdictions, a company can easily find itself subject to the privacy laws of another state or country. In the United States, the primary federal agency that enforces privacy violations is the Federal Trade Commission (FTC). The FTC promulgates guidelines for privacy best practices and enforces certain federal rules, which will be discussed more in depth later.
- The legal name of the business. Contact information and a corporate address should also be included. If you are running a home business, we recommend opening a PO Box or hiring a mail-forwarding service to protect your privacy.
- Exactly what information is collected. You should disclose all information that is being collected, including names, email addresses, physical location, device information, or other personal information. Depending on the location of your data subject, you may also need to explain why the data is collected.
- How data is being collected. To make informed decisions, consumers should know how you are getting their data. You should disclose whether you are collecting the data automatically, collecting the data manually when the data subject submits information, or both. You should specifically provide information about cookies if your service uses them.
- Who the company shares data with and why. Examples of such third parties include: the company’s service providers, affiliates, vendors, and, in some cases, government agencies.
- How the consumer can review, change, or request deletion of the information collected by the company. Examples include allowing the consumer to opt out of email communications or not sign up for an account, and providing request mechanisms to obtain a list of data collected.
- Age limitations for data collection. Federal and state laws provide substantial protection for the personal data of minors. You should list the ages of persons from whom you will collect data and should have a mechanism available for parents to inform you if you have accidentally obtained data from minors. While the federal law focuses on children under the age of 13, the California Consumer Privacy Act will prohibit selling personal information of a consumer under 16 without consent. Similarly, the GDPR’s default age for consent is 16. It is likely that future privacy laws will use 16 as the default.
Special considerations for mobile apps
- Building privacy considerations from the start
- Being transparent about your data practices
- Offering choices that are easy to find and use
- Protecting kids’ privacy (particularly COPPA compliance)
- Keeping user data secure
In order to comply with more stringent European internet privacy laws, such as GDPR, some websites and apps have begun using pop-up banners to alert users that their data is being collected. These pop-ups function very similarly to clickwrap agreements and have gained popularity in large part because of the broad scope of GDPR’s language, which extends its jurisdiction over any website or app that gathers data on European users. Accordingly, because there are no borders on the internet, many developers have instituted blanket privacy pop-ups or geographically coded consent notices that pop up only for European IP addresses.
Fallout from inadequate privacy practices and/or privacy policies is normally two-fold: regulatory discipline followed by a loss of consumer confidence. FTC disciplinary actions are part of the public domain and, importantly for startups, could be a massive red flag for potential investors. FTC enforcement can range from implementation of mandatory compliance reports to large monetary penalties.
Recently, the FTC has started reviewing companies that misrepresent their compliance with Privacy Shield principles or that still claim safe harbor applies. These companies, small and large, can find themselves subject to significant burdens that can stifle growth.
KEY POINTS TO REMEMBER
- Transparency is the key to good privacy practices. A trending principle for privacy legislation is privacy by design. Users should be informed and should be permitted to make decisions about what you collect and how you use it. To anticipate legislative trends, companies should err on the side of more user control.
- Finally, due to the changing nature of privacy laws, and for good measure, you should perform annual privacy audits of your company to ensure that you are up to date with the laws and that you have maintained compliance with your own policies.
Special thanks to Vela Wood law clerk, Brandon Flowers, for his assistance with this post.