Creating a Privacy Policy Compliant with the New Online Privacy Protection Act

December 2003

A new California law is certain to result in lawsuits against commercial website operators who don't post an adequate privacy policy. Learn the requirements, ramifications, and what should be done to comply.

by Jennifer Simin, edited by Gary E. Clayton
www.privacycg.com

Risk managers, grab the aspirin. The lack of a sufficient national standard in the United States for online privacy practices has long promised to produce a rash of state laws, each with its own compliance requirements. And it's finally begun.

A new California law will certainly produce a flurry of lawsuits against commercial website operators who don't post a privacy policy that meets specific standards. It also opens up those operators to civil suits when they fail to comply with their own privacy policies. The law has a national impact, applying to any website operator that collects information on California residents. Similar laws are pending in New Jersey and New York with other states likely to follow suit.

Effective July 1, 2004, California's Online Privacy Protection Act of 2003 (A.B. 68) requires owners of commercial Internet websites or online services (referred to as "operators" under the Act) that collect personally identifiable information (PII) from California residents to:

  • Conspicuously post their privacy policies on their websites
  • Disclose in their privacy policies the categories of personally identifiable information collected from consumers
  • Disclose in their privacy policies the types of third parties with whom that information may be shared
  • Provide in their privacy policy a description of the process through which consumers may request changes to their personal information (when an operator allows such changes)
  • Provide in their privacy policy a description of the process by which consumers will be notified of material changes to their privacy policy
  • Identify in their privacy policy the policy's effective date

Violation of the Act occurs when an operator fails to post its privacy policy within 30 days after being notified of noncompliance. Failure to comply with the Act or with the provisions of one's own privacy policy is a violation of the Act when noncompliance is either knowing and willful or negligent and material. And finally, ISPs and similar entities that transmit or store PII at the request of third parties are exempt from the law.

Sound complicated? Wait until you hear about the font and color specifications required for the privacy policy. But, while compliance with A.B. 68 sounds complex, it is an essential activity for any online organization. Noncompliance with privacy laws will create legal costs and can have a negative effect on brand. Being sued for neglecting online privacy may very well throw an organization into the court of public opinion where the ruling can be a public relations nightmare that does irrevocable damage. Would you, for instance, shop online at a website known for not protecting personal data?

However, the risk associated with A.B. 68 applies not only to those who don't comply with the law, but to those who do as well. That's because properly managing privacy is a complex business initiative. In the case of A.B. 68, if you don't have the right privacy policy, you're in trouble. But if you do post the right privacy policy you become vulnerable to the inevitable compliance confusion and honest mistakes that cause your organization to violate its stated policies. So, what's the best defense?

To begin, a clear understanding of the law is necessary for all members of your organization. With that understanding in pocket, you can then develop, post, and adhere to a privacy policy that helps mitigate the risks imposed by A.B. 68. This article provides an explanation of the law's provisions and some practical guidelines for complying.

Getting Down to the Details

First, it is important to understand what the law says and does not say and to clarify the terminology used. The complete text of A.B. 68 can be read online. Following is a detailed explanation of the provisions of the law. You'll need to get legal counsel's opinion on how these provisions apply specifically to your organization and on any ambiguous language that has yet to be interpreted in the courts.

What's the Point? The stated purpose of A.B. 68 is to "improve the knowledge" that consumers have "as to whether personally identifiable information obtained by the commercial website through the Internet may be disclosed, sold or shared." In other words, A.B. 68 requires transparency of information handling practices from commercial website operators so that consumers can be well informed. The hope is that with improved knowledge will come improved trust in online commerce.

Who Must Comply? The law applies specifically to "An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service." However, "Internet service providers or similar entities shall have no obligations under this act related to personally identifiable information that they transmit or store at the request of third parties." What's notable here is the reach of A.B. 68. The California law applies to any commercial website operator collecting PII from Californians, regardless of the operator's location. The law's reach stretches far beyond state lines.

What Constitutes Personally Identifiable Information (PII)? According to the letter of the law, personally identifiable information is information about "an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:"

  • A first and last name
  • A home or other physical address, including street name and name of a city or town
  • An e-mail address
  • A telephone number
  • A social security number
  • Any other identifier that permits the physical or online contacting of a specific individual
  • Information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with any of the above identifiers.

What's notable here is that the definition of PII could conceivably apply to cookies and tracking technologies even though these technologies are not specifically named in the law.

What Does It Mean To "Conspicuously Post" A Privacy Policy? Conspicuously posting the privacy policy includes any of the following.

  • A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the website
  • An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the website, and if the icon contains the word "privacy." The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.
  • A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the website, and if the text link does one of the following:
    • Includes the word "privacy."
    • Is written in capital letters equal to or greater in size than the surrounding text
    • Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language
  • Any other functional hyperlink that is so displayed that a reasonable person would notice it
  • In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.
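The text-link tests above can be checked mechanically against a homepage's markup. The following Python script is an added example, not part of the article or of the Act; it assumes the policy link can be recognised by "privacy" in its URL or wording, and approximates the type, font and colour test from inline markup only (rendered CSS, the size comparison in the capitals test, and the icon variant are outside its scope).

```python
"""A.B. 68 "conspicuous posting" text-link check for a commercial homepage.

Added example (not from the Act or the article). Assumptions: the policy link is
recognised by "privacy" in its URL or wording; the type/colour test is approximated
from inline markup only; rendered CSS, the "equal or greater size" part of the
capitals test, and the icon variant still need a browser-driven or manual review.
"""
from html.parser import HTMLParser
import re

PRIVACY_WORD = re.compile(r"\bprivacy\b", re.IGNORECASE)
EMPHASIS_TAGS = {"b", "strong", "em", "i", "u", "big", "font"}


class _LinkCollector(HTMLParser):
    """Collects every <a> on the page with its href, visible wording and styling hints."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "a":
            self._current = {
                "href": attributes.get("href", ""),
                "text": "",
                "styled": False,
                "style": (attributes.get("style") or "").lower(),
            }
        elif self._current is not None and tag in EMPHASIS_TAGS:
            self._current["styled"] = True  # bold/italic/etc. wrapped inside the link

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.links.append(self._current)
            self._current = None


def text_link_tests_met(link):
    """Return the A.B. 68 text-link conditions satisfied by one collected link."""
    text = link["text"]
    met = []
    if PRIVACY_WORD.search(text):
        met.append("includes the word 'privacy'")
    letters = [c for c in text if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        met.append("written in capital letters")
    styled_inline = any(prop in link["style"] for prop in ("font-size", "font-weight", "color"))
    if link["styled"] or styled_inline:
        met.append("set off by type, font or colour (inline markup)")
    return met


def check_homepage(html):
    """Return (compliant, findings): compliant when any policy link passes a test."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for link in collector.links:
        # A candidate is any link that appears to point at, or name, the policy.
        is_candidate = "privacy" in link["href"].lower() or PRIVACY_WORD.search(link["text"])
        if is_candidate:
            findings.append({"href": link["href"], "text": link["text"],
                             "tests_met": text_link_tests_met(link)})
    compliant = any(f["tests_met"] for f in findings)
    return compliant, findings


# Constructed sample pages (not real sites). The first links to the policy page
# but its wording fails all three text-link tests; the second passes two of them.
NONCOMPLIANT_HOMEPAGE = """<html><body><h1>Example Store</h1>
<p><a href="/catalog">Shop</a> | <a href="/about">About us</a></p>
<footer><a href="/legal/privacy.html">Terms and conditions</a></footer></body></html>"""

COMPLIANT_HOMEPAGE = """<html><body><h1>Example Store</h1>
<p><a href="/catalog">Shop</a> | <a href="/about">About us</a></p>
<footer><a href="/legal/privacy.html" style="color:#c00">Privacy Policy</a></footer></body></html>"""
```

Run `check_homepage` over a saved copy of the homepage and review the findings list by hand; a page with no candidate link at all needs the icon and "reasonable person" tests applied manually.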

What Does It Mean To Disclose Information? The remaining provisions of A.B. 68 require disclosure of various types of information: (1) categories of PII collected, (2) types of third parties with whom information is shared, (3) the process (when allowed) for changing PII, (4) the process by which you will notify consumers of policy changes, and (5) the privacy policy's effective date. Disclosure is a risk-filled process. It requires that you say what you do and do what you say or suffer the consequences of breaking your own promises. In the case of A.B. 68, the consequence of not keeping your information handling promises is a civil suit for unfair business practices. On a federal level, the Federal Trade Commission is empowered to bring a deceptive or unfair trade practices charge against a company that does not accurately reflect its practices.

Creating a Compliant Policy

Developing, implementing and enforcing a strong privacy policy are the most important actions a company can take to comply not just with California's A.B. 68, but with local, state, federal and international privacy regulations as well. In addition, a privacy policy provides a company the opportunity to build trust with consumers, employees, investors and stockholders.

Risk and legislation make privacy policy development tricky. Again, posting a policy means you are promising to abide by the policy. Even if you post the right privacy policy you become vulnerable to the inevitable compliance confusion and honest mistakes that cause organizations to violate their stated policies.

Another difficulty is compliance with the growing patchwork of laws prescribing standards and procedures for privacy policy development and implementation. New Jersey and New York both have pending legislation similar to California's A.B. 68 (see N.Y. Assembly Bill No. 08035, N.Y. Assembly Bill No. 04385, and N.J. Assembly Bill No. 365). A worst case scenario is described by the president of the Information Technology Association of America (ITAA), Harris N. Miller, who asked Governor Gray Davis to veto A.B. 68:

"The regulatory scheme envisioned by A.B. 68 would pose significant costs and challenges for companies. Imagine if many or all states adopt different online privacy notice standards that conflict in some respect, websites would be unable to comply without engaging in more data collection (asking every user what state they are from) and engaging in the costly and onerous task of posting a separate privacy notice for each state."[1]

To avoid a scenario like the one Mr. Miller describes, consider developing your privacy policies using the highest possible standards, thereby covering all your bases. Also, you may consider seeking outside help from privacy consultants in managing your legislative compliance effort. The recommendations that follow take an even higher road than A.B. 68 requires. The recommendations are not a substitute for professional advice in specific situations, but should serve as helpful guidelines in beginning your privacy policy development.

Privacy Assessment Review. Before creating a competent privacy policy, a company must understand its information practices. If it does not fully understand its own procedures, it is likely to have a difficult time living up to the assertions of its privacy policy. After an effective assessment, a company should be able to thoroughly answer the types of questions outlined in Figure 1.


FIGURE 1
PRIVACY ASSESSMENT REVIEW QUESTIONS

  1. What consumer and employee information does the company collect?
  2. How does the company collect the information?
  3. How does the company use the consumer and employee information?
  4. What are the company's current privacy-related policies and procedures?
  5. Does the company share consumer data with affiliates and/or nonaffiliated third parties?
  6. What agreements does the company have in place with these affiliates or third parties regarding the use of this personal data?
  7. What data systems store and access personal data?
  8. What level of security and confidentiality does the company apply to personal data? What about affiliates and third parties?
  9. Who will monitor the privacy process?
  10. What actions will be required for compliance with applicable regulations in your industry and what resources will be needed?
  11. If you operate in countries other than the United States, what are the differences in privacy policies of those countries, and how will you comply with them?
  12. Which individuals/job titles/departments have access to consumer and employee data?
  13. What training is provided to employees handling such data?
  14. Is your company prepared to deal with a media crisis or a media opportunity involving privacy?

Once a company understands its information practices, it can decide whether to change or improve them—often a good idea if little attention has been focused on privacy issues in the past. It is at this time that a company is in a better position to articulate a responsible privacy policy with accuracy.

To create a successful privacy policy, a company should consider inclusion of the principles of Fair Information Practices, released by the Organization for Economic Co-Operation and Development (OECD) in 1980. The principles of Fair Information Practices include:

  • Notice/Awareness
  • Choice/Consent
  • Access/Participation
  • Integrity/Security
  • Enforcement/Redress

An explanation of the Fair Information Practices follows.

Notice/Awareness. The most fundamental privacy principle is Notice/Awareness—telling individuals how their personal data will be collected and used. A section devoted especially to Notice/Awareness is basic to a sound privacy policy. That section should include the following subsections:

  • Introduction
  • Scope
  • Method of Data Collection
  • Type of Data Collected
  • Use of Data Collected
  • Data Sharing

Introduction. The notice portion of a privacy policy typically begins with a statement of the company's overall commitment to privacy.

Scope. A privacy policy should disclose to a consumer the areas of the company covered by the policy. For instance, does the policy cover both offline and online data collection? Does it cover corporate affiliates or subsidiaries?

Method of Data Collection. As a matter of notice to the consumer, a privacy policy should identify how a company collects the consumer's personal information:

  • Does the company collect information that a consumer voluntarily discloses through a collection form?
  • Does the company's Web server assign a permanent cookie file on a computer's hard drive?
  • Does the Web server automatically collect IP address, Web browser software or the referrer website?

Type of Data Collected. A privacy policy should identify what kinds of information a company collects from consumers—both personal and non-personal information. Rather than identifying each piece of information the company collects (e.g., name, phone number, IP address), a privacy policy can identify the general types of data the company collects (such as contact information, profile information, billing information, etc.).

Use of Data Collected. A privacy policy should disclose the ways a company uses personal and nonpersonal information. To make an informed decision on whether to share personal information with a company, a consumer must understand exactly how a company distributes his/her information and applies it to particular purposes.

When creating a privacy policy, it is crucial to understand both the primary and secondary purposes (uses) of personal information. Primary purposes usually are initiated by and obvious to the consumer. For example, if a consumer discloses his/her shipping address to receive a product, it should be obvious to the consumer that the company will use this information for shipping purposes.

In some instances, however, a company may have secondary and nonobvious purposes for the information. For example, a company also may use a home address to send marketing materials to the consumer at a later date. In the interest of fairness, a privacy policy should disclose both primary and secondary purposes.

Data Sharing. A company that shares personal information with other parties should create a privacy policy that identifies those parties and the purpose of the disclosure. This is important, as a consumer may want to review the privacy policies of third parties before disclosing personal information. If not given this opportunity, the consumer may feel abused.

Choice/Consent. The next major issue in a privacy policy is Choice/Consent. At its simplest, choice means giving a consumer options regarding how a company collects and uses his/her personal information. The first choice a consumer typically makes is whether or not to give his/her personal information to a company.

After choosing to disclose information to a company, the consumer should be given options regarding any later—especially secondary—uses of his/her information. These options allow the consumer to remain in control. Traditionally, a privacy policy considers two types of Choice/Consent systems: opt-in and opt-out.

Opt-in requires affirmative steps by the consumer to allow the collection and/or use of information; opt-out requires affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule that applies when the consumer takes no steps.

To be effective, any choice mechanism should provide a simple and easily accessible way for consumers to exercise their choices. For example, online privacy policies should link a consumer from the privacy policy to the Choice/Consent form.

Access/Participation. The third major issue in a privacy policy is Access/Participation, which means a consumer's ability to view his/her personal data collected and to contest that data's accuracy and completeness. Both access and participation are essential to ensuring that data is accurate and complete.

To be meaningful, the "Access/Participation" section of the policy must accurately describe the following:

  • The steps a consumer must take to access his/her personal information
  • The cost of access, if applicable
  • The time expected to take consumers to receive access to their information after making a request
  • The means for contesting inaccurate or incomplete data
  • The means to make corrections and/or objections to the data file
  • The means to delete data or discontinue the use of personal information.

If a company allows access to data that has been collected and/or received, it is critical that adequate security mechanisms are in place to authenticate the access request.

Integrity/Security. The fourth major issue in a privacy policy is Integrity/Security—helping a consumer feel comfortable disclosing personal information. A privacy policy should describe the steps a company takes to assure data integrity and security. Trustworthy data is accurate, up-to-date and protected from abuse.

Regarding security, a privacy policy might articulate a company's commitment to prevent the unauthorized access and use of customer data. A company should be careful not to overstate its level of protection—to avoid potential liability, should a security breach occur. Making too strong a statement also might encourage hackers to attempt to defeat the security mechanisms in place.

Enforcement/Redress. The preceding core principles of privacy protection can only be effective when there is a means of enforcing them. Creating and publishing a privacy policy on its own does not ensure compliance with core Fair Information Practices. A company should give a consumer reassurance that it will follow the principles found within its privacy policy. To do that, a company's privacy policy should describe the enforcement approach the company plans.

To ensure a consumer understands the enforcement mechanisms a company uses, a privacy policy should address topics such as:

  • Applicable privacy laws
  • External audits to verify compliance
  • Certification seals (such as TRUSTe or BBBOnLine) that demonstrate the company has adopted and complies with a particular set of standards
  • Systems to investigate and act upon complaints from consumers
  • Methods available to invoke enforcement systems
  • Contact information where a consumer can send questions or concerns
  • The appropriate individual in a company who is responsible for privacy protection.

Regulations. In addition to the generic issues discussed in the preceding sections, a privacy policy also needs to address specific issues such as special laws or guidelines. If applicable, a company should state in its privacy policy that it abides by relevant privacy codes or regulations (e.g., the EU-US Safe Harbor agreement for companies doing business in Europe, or the California Online Privacy Protection Act of 2003 for online commercial operators that collect PII from California residents).

Publishing a Privacy Policy

Clear and Conspicuous. After a privacy policy is written, it needs to be published in a clear and conspicuous fashion. This means that the average person must be able to find and understand the policy. An understandable policy uses everyday words (avoids legalese), includes easy-to-read typeface and type size, uses wide margins and ample spacing, and uses boldface or italics for key words. A readable policy also includes design factors that "catch the eye" or call attention to the nature and significance of the information in the notice.

When posting on a website, a company should place its privacy policy in a prominent location. A user should be able to readily access the privacy policy from the website's home page. A user also should be able to reach the privacy policy from any Web page that collects consumer information. The requirements of A.B. 68 for clear and conspicuous posting provide a strong standard that will likely meet all other requirements.

Versions. An effective privacy policy must also disclose the date the policy was produced and posted, and should include a statement saying the company reserves the right to modify or amend the policy at any time and for any reason. It is essential that the policy inform consumers about the process by which they will be notified of material changes to the policy. When there are material changes, the company should abide by information practices described in its privacy policy at the time the consumer provided his/her personal information.

Enforcing a Privacy Policy

Work on a privacy policy does not end with writing and publication. It is extremely important that a company makes sure it honors its policy. No privacy policy can guarantee compliance and encourage consumer trust without corporate follow-through; a company must integrate its privacy approach into its corporate culture. After creating and publishing a privacy policy, a company must train and educate its workforce on the policy and motivate employees to live up to the standards it sets.


Jennifer Simin is an editor with the Knowledge Products division of Privacy Council, Inc., the global resource for privacy and data protection services. Ms. Simin has edited over 10 books and interactive CD-ROMs on privacy and data protection including Privacy Manager Work Plan, HIPAA Privacy Implementation Guide, and PR Strategies for Privacy Issues. Currently, she is editor of the nation's leading privacy, data and security digest, Privacy Weekly, which is also published by Privacy Council every Wednesday. Before entering the privacy arena, Ms. Simin spent 7 years in business-to-business marketing with a focus on healthcare, energy services, and commercial real estate markets.


[1] Letter from Harris N. Miller, President, Information Technology Association of America, to Governor Gray Davis, September 22, 2003, regarding A.B. 68.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2012 International Risk Management Institute, Inc. (IRMI). All rights reserved.