A new California law is certain to result in lawsuits against commercial
website operators who don't post an adequate privacy policy. Learn the requirements,
ramifications, and what should be done to comply.
Risk managers, grab the aspirin. Lack of a sufficient national standard
in the United States for online privacy practices has been promising to produce a rash of
state laws, each with its own compliance requirements. And, it's finally begun.
A new California law will certainly produce a flurry of lawsuits against
commercial website operators who don't post a privacy policy that meets specific standards.
It also opens up those operators to civil suits when they fail to comply with their own
privacy policies. The law has a national impact, applying to any website operator that
collects information on California residents. Similar laws are pending in New Jersey and
New York with other states likely to follow suit.
Effective July 1, 2004, California's Online Privacy Protection Act of
2003 (A.B. 68) requires owners of commercial Internet websites or online services (referred
to as "operators" under the Act) that collect personally identifiable information (PII)
from California residents to:
Conspicuously post their privacy policies on their websites
Disclose in their privacy policies the categories of personally identifiable information collected from consumers
Disclose in their privacy policies the types of third parties with whom that information may be shared
Provide in their privacy policy a description of the process through which consumers may request changes to their personal information (when an operator allows such changes)
Provide in their privacy policy a description of the process by which consumers will be notified of material changes to their privacy policy
Identify in their privacy policy the policy's effective date
Violation of the Act occurs when an operator fails to post their privacy
policy within 30 days after being notified of noncompliance. Failure to comply with the Act
or with the provisions of one's own privacy policy is a violation of the Act when
noncompliance is either knowing and willful or negligent and material. And finally, ISPs
and similar entities that transmit or store PII at the request of third parties are exempt
from the law.
Sound complicated? Wait until you hear about the font and color
specifications required for the privacy policy. But, while compliance with A.B. 68 sounds
complex, it is an essential activity for any online organization. Noncompliance with
privacy laws will create legal costs and can have a negative effect on brand. Being sued
for neglecting online privacy may very well throw an organization into the court of public
opinion where the ruling can be a public relations nightmare that does irrevocable damage.
Would you, for instance, shop online at a website known for not protecting personal
data?
However, the risk associated with A.B. 68 applies not only to those who
don't comply with the law, but to those who do as well. That's because properly managing
privacy is a complex business initiative. In the case of A.B. 68, if you don't have the
right privacy policy, you're in trouble. But if you do post the right privacy policy you
become vulnerable to the inevitable compliance confusion and honest mistakes that cause
your organization to violate its stated policies. So, what's the best defense?
To begin, a clear understanding of the law is necessary for all members
of your organization. With that understanding in pocket, you can then develop, post, and
adhere to a privacy policy that helps mitigate the risks imposed by A.B. 68. This article
provides an explanation of the law's provisions and some practical guidelines for
complying.
Getting Down to the Details
First, it is important to understand what the law says and does not
say and to clarify the terminology used. The complete text of A.B. 68 can be read online. Following
is a detailed explanation of the provisions of the law. You'll need to get legal
counsel's opinion on how these provisions apply specifically to your organization and on
any ambiguous language that has yet to be interpreted in the courts.
What's the Point?
The stated purpose of A.B. 68 is to "improve the knowledge" that
consumers have "as to whether personally identifiable information obtained by the
commercial website through the Internet may be disclosed, sold or shared." In other
words, A.B. 68 requires transparency of information handling practices from
commercial website operators so that consumers can be well informed. The hope is that
with improved knowledge will come improved trust in online commerce.
Who Must Comply?
The law applies specifically to "An operator of a commercial
website or online service that collects personally identifiable information through
the Internet about individual consumers residing in California who use or visit its
commercial website or online service." However, "Internet service providers or
similar entities shall have no obligations under this act related to personally
identifiable information that they transmit or store at the request of third
parties." What's notable here is the reach of A.B. 68. The California law applies to
any commercial website operator collecting PII from Californians, regardless of the
operator's location. The law's reach stretches far beyond state lines.
What Constitutes Personally Identifiable Information (PII)?
According to the letter of the law, personally identifiable
information is information about "an individual consumer collected online by the
operator from that individual and maintained by the operator in an accessible form,
including any of the following."
A first and last name
A home or other physical address, including street name and name of a city or town
An email address
A telephone number
A social security number
Any other identifier that permits the physical or online contacting of a specific individual
Information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with any of the above identifiers.
What's notable here is that the definition of PII could
conceivably apply to cookies and tracking technologies even though these technologies
are not specifically named in the law.
What Does It Mean To "Conspicuously Post" A Privacy Policy?
Conspicuously posting the privacy policy includes any of the
following.
A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the website
An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the website, and if the icon contains the word "privacy." The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.
A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the website, and if the text link does one of the following:
    Includes the word "privacy."
    Is written in capital letters equal to or greater in size than the surrounding text
    Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language
Any other functional hyperlink that is so displayed that a reasonable person would notice it
In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.
What Does It Mean To Disclose Information?
The remaining provisions of A.B. 68 require disclosure of various
types of information: (1) categories of PII collected, (2) types of third parties
with whom information is shared, (3) the process (when allowed) for changing PII, (4)
the process by which you will notify consumers of policy changes, and (5) the privacy
policy's effective date. Disclosure is a risk-filled process. It requires that you
say what you do and do what you say or suffer the consequences of breaking your own
promises. In the case of A.B. 68, the consequence of not keeping your information
handling promises is a civil suit for unfair business practices. On a federal level,
the Federal Trade Commission is empowered to bring a deceptive or unfair trade
practices charge against a company whose posted privacy policy does not accurately
reflect its actual practices.
Creating a Compliant Policy
Developing, implementing and enforcing a strong privacy policy are
the most important actions a company can take to comply not just with California's A.B.
68, but with local, state, federal and international privacy regulations as well. In
addition, a privacy policy provides a company the opportunity to build trust with
consumers, employees, investors and stockholders.
Risk and legislation make privacy policy development tricky. Again,
posting a policy means you are promising to abide by the policy. Even if you post the
right privacy policy you become vulnerable to the inevitable compliance confusion and
honest mistakes that cause organizations to violate their stated policies.
Another difficulty is compliance with the growing patchwork of laws
prescribing standards and procedures for privacy policy development and implementation.
New Jersey and New York both have pending legislation similar to California's A.B. 68
(see N.Y. Assembly Bill No. 08035, N.Y. Assembly Bill No. 04385, and N.J. Assembly Bill
No. 365). A worst case scenario is described by the president of the Information
Technology Association of America (ITAA), Harris N. Miller, who asked Governor Gray
Davis to veto A.B. 68.
"The regulatory scheme envisioned by A.B. 68 would pose significant
costs and challenges for companies. Imagine if many or all states adopt different
online privacy notice standards that conflict in some respect, websites would be
unable to comply without engaging in more data collection (asking every user what
state they are from) and engaging in the costly and onerous task of posting a
separate privacy notice for each state."
Source: Letter from Harris N. Miller,
President, Information Technology Association of America to Governor Gray Davis,
September 22, 2003, regarding A.B. 68.
To avoid a scenario like the one Mr. Miller describes, consider
developing your privacy policies using the highest possible standards, thereby covering
all your bases. Also, you may consider seeking outside help from privacy consultants in
managing your legislative compliance effort. The recommendations that follow take an
even higher road than A.B. 68 requires. The recommendations are not a substitute for
professional advice in specific situations, but should serve as helpful guidelines in
beginning your privacy policy development.
Privacy Assessment Review
Before creating a competent privacy policy, a company must
understand its information practices. If it does not fully understand its own
procedures, it is likely to have a difficult time living up to the assertions of its
privacy policy. After an effective assessment, a company should be able to thoroughly
answer the types of questions outlined below.
Privacy Assessment Review Questions
What consumer and employee information does the company collect?
How does the company collect the information?
How does the company use the consumer and employee information?
What are the company's current privacy-related policies and procedures?
Does the company share consumer data with affiliates and/or nonaffiliated third parties?
What agreements does the company have in place with these affiliates or third parties regarding the use of this personal data?
What data systems store and access personal data?
What level of security and confidentiality does the company apply to personal data? What about affiliates and third parties?
Who will monitor the privacy process?
What actions will be required for compliance with applicable regulations in your industry and what resources will be needed?
If you operate in countries other than the United States, what are the differences in privacy policies of those countries, and how will you comply with them?
Which individuals/job titles/departments have access to consumer and employee data?
What training is provided to employees handling such data?
Is your company prepared to deal with a media crisis or a media opportunity involving privacy?
Once a company understands its information practices, it can
decide whether to change or improve them—often a good idea if little attention has
been focused on privacy issues in the past. It is at this time that a company is in a
better position to articulate a responsible privacy policy with accuracy.
To create a successful privacy policy, a company should consider
inclusion of the principles of Fair Information Practices, released by the
Organization for Economic Co-Operation and Development (OECD) in 1980. The principles
of Fair Information Practices include the following.
Notice/Awareness
Choice/Consent
Access/Participation
Integrity/Security
Enforcement/Redress
Notice/Awareness
The most fundamental privacy principle is Notice/Awareness—telling
individuals how their personal data will be collected and used. A section devoted
especially to Notice/Awareness is basic to a sound privacy policy. That section
should include the following subsections.
Introduction
Scope
Method of Data Collection
Type of Data Collected
Use of Data Collected
Data Sharing
Introduction
The notice portion of a privacy policy typically begins with a
statement of the company's overall commitment to privacy.
Scope
A privacy policy should disclose to a consumer the areas of the
company covered by the policy. For instance, does the policy cover both offline and
online data collection? Does it cover corporate affiliates or subsidiaries?
Method of Data Collection
As a matter of notice to the consumer, a privacy policy should
identify how a company collects the consumer's personal information.
Does the company collect information that a consumer voluntarily discloses through a collection form?
Does the company's Web server assign a permanent cookie file on a computer's hard drive?
Does the Web server automatically collect IP address, Web browser software or the referrer website?
Type of Data Collected
A privacy policy should identify what kinds of information a
company collects from consumers—both personal and non-personal information. Rather
than identifying each piece of information the company collects (e.g., name, phone
number, IP address), a privacy policy can identify the general types of data the
company collects (such as contact information, profile information, billing
information, etc.).
Use of Data Collected
A privacy policy should disclose the ways a company uses personal
and nonpersonal information. To make an informed decision on whether to share
personal information with a company, a consumer must understand exactly how a company
distributes his/her information and applies it to particular purposes.
When creating a privacy policy, it is crucial to understand both
the primary and secondary purposes (uses) of personal information. Primary purposes
usually are initiated by and obvious to the consumer. For example, if a consumer
discloses his/her shipping address to receive a product, it should be obvious to the
consumer that the company will use this information for shipping purposes.
In some instances, however, a company may have secondary and
nonobvious purposes for the information. For example, a company also may use a home
address to send marketing materials to the consumer at a later date. In the interest
of fairness, a privacy policy should disclose both primary and secondary
purposes.
Data Sharing
A company that shares personal information with other parties
should create a privacy policy that identifies those parties and the purpose of the
disclosure. This is important, as a consumer may want to review the privacy policies
of third parties before disclosing personal information. If not given this
opportunity, the consumer may feel abused.
Choice/Consent
The next major issue in a privacy policy is Choice/Consent. At its
simplest, choice means giving a consumer options regarding how a company collects and
uses the personal information it collects. The first choice a consumer typically
makes is whether or not to give his personal information to a company.
After choosing to disclose information to a company, the consumer
should be given options regarding any later—especially secondary—uses of his/her
information. These options allow the consumer to remain in control. Traditionally, a
privacy policy considers two types of Choice/Consent systems: opt-in and opt-out.
Opt-in requires affirmative steps by the consumer to allow the
collection and/or use of information; opt-out requires affirmative steps to prevent
the collection and/or use of such information. The distinction lies in the default
rule that applies when the consumer takes no steps.
To be effective, any choice mechanism should provide a simple and
easily accessible way for consumers to exercise their choices. For example, online
privacy policies should link a consumer from the privacy policy to the Choice/Consent
form.
Access/Participation
The third major issue in a privacy policy is Access/Participation,
which means a consumer's ability to view his/her personal data collected and to
contest that data's accuracy and completeness. Both access and participation are
essential to ensuring that data is accurate and complete.
To be meaningful, the "Access/Participation" section of the policy
must accurately describe the following.
The steps a consumer must take to access his/her personal information
The cost of access, if applicable
The time consumers should expect to wait before receiving access to their information after making a request
The means for contesting inaccurate or incomplete data
The means to make corrections and/or objections to the data file
The means to delete data or discontinue the use of personal information.
If a company allows access to data that has been collected and/or
received, it is critical that adequate security mechanisms are in place to
authenticate the access request.
Integrity/Security
The fourth major issue in a privacy policy is
integrity/security—helping a consumer feel comfortable disclosing personal
information. A privacy policy should describe the steps a company takes to assure
data integrity and security. Trustworthy data is accurate, up-to-date and protected
from abuse.
Regarding security, a privacy policy might articulate a company's
commitment to prevent the unauthorized access and use of customer data. A company
should be careful not to overstate its level of protection—to avoid potential
liability, should a security breach occur. Making too strong a statement also might
encourage hackers to attempt to defeat the security mechanisms in place.
Enforcement/Redress
The preceding core principles of privacy protection can only be
effective when there is a means of enforcing them. Creating and publishing a privacy
policy on its own does not ensure compliance with core Fair Information Practices. A
company should give a consumer reassurance that it will follow the principles found
within its privacy policy. To do that, a company's privacy policy should describe the
enforcement approach the company plans.
To ensure a consumer understands the enforcement mechanisms a
company uses, a privacy policy should address topics such as the following.
Applicable privacy laws
External audits to verify compliance
Certification seals (such as TRUSTe or BBBOnLine) that demonstrate the company has adopted and complies with a particular set of standards
Systems to investigate and act upon complaints from consumers
Methods available to invoke enforcement systems
Contact information where a consumer can send questions or concerns
The appropriate individual in a company who is responsible for privacy protection.
Regulations
In addition to the generic issues discussed in the preceding
sections, a privacy policy also needs to address specific issues such as special laws
or guidelines. If applicable, a company should state in its privacy policy that it
abides by relevant privacy codes or regulations (e.g., the EU-US Safe Harbor agreement
for companies doing business in Europe or the California Online Privacy Protection
Act 2003 for online commercial operators that collect PII from California
residents).
Publishing a Privacy Policy
A privacy policy needs to be published appropriately.
Clear and Conspicuous
After a privacy policy is written, it needs to be published in a
clear and conspicuous fashion. This means that the average person must be able to
find and understand the policy. An understandable policy uses everyday words (avoids
legalese), includes easy-to-read typeface and type size, uses wide margins and ample
spacing, and uses boldface or italics for key words. A readable policy also includes
design factors that "catch the eye" or call attention to the nature and significance
of the information in the notice.
When posting on a website, a company should place its privacy
policy in a prominent location. A user should be able to readily access the privacy
policy from the website's home page. A user also should be able to reach the privacy
policy from any Web page that collects consumer information. The requirements of A.B.
68 for clear and conspicuous posting provide a strong standard that will likely meet
all other requirements.
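The posting criteria in the "Conspicuously Post" section above, together with the guideline that every page collecting consumer information should reach the policy, can be turned into a markup audit. The following checker is an added example written for this article; it is not code from the article, from the statute, or from any regulator, and the two sample pages are constructed. It only decides the criteria visible in HTML (the word "privacy" in link text, in an icon's alt text, or an all-capitals link to a privacy page); type size, font and color contrast are rendering properties the parser cannot see, so those are reported for manual review.

```python
"""Audit one HTML page against the parts of A.B. 68's "conspicuously post" criteria
that are visible in markup, and flag pages that collect consumer data without a
link to the privacy policy.

Constructed example: neither the checker nor the sample pages come from the
article or from any regulator. Type size, font and colour contrast are rendering
properties the parser cannot see, so those criteria are reported for manual
review rather than decided here.
"""
from html.parser import HTMLParser

# Controls that do not collect anything typed by the consumer.
NON_COLLECTING = {"hidden", "submit", "button", "reset", "image"}


class PageAudit(HTMLParser):
    """Collect hyperlinks (with any image alt text inside them) and form fields."""

    def __init__(self):
        super().__init__()
        self.links = []        # {"href", "text", "alts"} for every <a>
        self._link = None      # the <a> currently being read
        self.form_fields = 0   # data-collecting controls seen inside <form>
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._link = {"href": a.get("href", ""), "text": "", "alts": []}
        elif tag == "img" and self._link is not None:
            self._link["alts"].append(a.get("alt", ""))
        elif tag == "form":
            self._in_form = True
        elif self._in_form and tag in ("input", "textarea", "select"):
            if a.get("type", "text").lower() not in NON_COLLECTING:
                self.form_fields += 1

    def handle_data(self, data):
        if self._link is not None:
            self._link["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append(self._link)
            self._link = None
        elif tag == "form":
            self._in_form = False


def classify_link(link):
    """Name the statutory criterion a privacy-policy link meets, or None if the
    link shows no sign of leading to the privacy policy at all."""
    text = " ".join(link["text"].split())
    alts = " ".join(link["alts"])
    if "privacy" in text.lower():
        return "text link containing the word 'privacy'"
    if "privacy" in alts.lower():
        # The statute wants the word in the icon itself; alt text is the
        # closest proxy available in markup.
        return "icon hyperlink containing the word 'privacy'"
    if "privacy" not in link["href"].lower():
        return None
    letters = [c for c in text if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        return "all-capitals text link (confirm type size manually)"
    return "link to a privacy page without the word 'privacy' (check size/contrast manually)"


def audit_page(html):
    """Return the privacy links found, whether the page collects data, and
    whether it needs attention (collects data but offers no privacy link)."""
    parser = PageAudit()
    parser.feed(html)
    found = [c for c in map(classify_link, parser.links) if c]
    collects = parser.form_fields > 0
    return {"privacy_links": found, "collects_data": collects,
            "needs_fix": collects and not found}


# Constructed sample pages (not real sites).
HOMEPAGE_OK = """<html><body>
<h1>Example Store</h1>
<form action="/newsletter"><input type="email" name="email"><input type="submit"></form>
<footer><a href="/terms">Terms</a> | <a href="/privacy">Privacy Policy</a></footer>
</body></html>"""

SIGNUP_PAGE_MISSING = """<html><body>
<form action="/signup"><input name="name"><input name="phone"><input type="submit"></form>
<footer><a href="/terms">Terms</a></footer>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("homepage", HOMEPAGE_OK), ("signup", SIGNUP_PAGE_MISSING)):
        print(name, audit_page(page))
```

Run it against every page that contains a form, not just the home page: the signup sample is the case that usually slips through, a data-collecting page whose footer was trimmed to save space. Anything the checker marks "manually" still needs a person looking at the rendered page.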
Versions
An effective privacy policy must also disclose the date the policy
was produced and posted, and should include a statement saying the company reserves
the right to modify or amend the policy at any time and for any reason. It is
essential that the policy inform consumers about the process by which they will be
notified of material changes to the policy. When there are material changes, the
company should abide by information practices described in its privacy policy at the
time the consumer provided his/her personal information.
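Three rules from the sections above are easiest to honor when the system that uses personal data enforces them rather than leaving them to staff memory: only disclosed primary and secondary purposes are permitted uses (Use of Data Collected), the opt-in or opt-out default decides when the consumer takes no step (Choice/Consent), and after a material change the practices promised at the time of collection still govern that consumer's data (Versions). The following is an added example written for this article, not code from the article or from any product; the policy versions, purposes, consent regimes and consumer records are invented to illustrate the rules.

```python
"""Enforce a posted privacy policy in code: every use of personal data is checked
against the policy version that was in effect when the consumer supplied the data,
the purposes that version disclosed, and the consent default it promised.

Constructed example, not code from the article; the policy versions, purposes and
consumer records below are invented to illustrate the rules.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class PolicyVersion:
    effective: date
    primary_purposes: frozenset    # uses obvious to the consumer, e.g. shipping an order
    secondary_purposes: frozenset  # non-obvious uses that the policy must disclose
    secondary_regime: str          # "opt-in" or "opt-out": the default when no choice is made


@dataclass
class ConsumerRecord:
    consumer_id: str
    collected_on: date                           # when the consumer handed over the data
    choices: dict = field(default_factory=dict)  # purpose -> True (allowed) / False (refused)


class PolicyHistory:
    """All versions ever published, so past promises remain enforceable."""

    def __init__(self, versions):
        self.versions = sorted(versions, key=lambda v: v.effective)

    def in_effect_on(self, day):
        applicable = [v for v in self.versions if v.effective <= day]
        if not applicable:
            raise ValueError(f"no policy version in effect on {day}")
        return applicable[-1]


def may_use(history, record, purpose):
    """Decide whether `purpose` is a permitted use of this record's data."""
    # Material changes bind only data collected afterwards: look up the version
    # the consumer actually saw.
    policy = history.in_effect_on(record.collected_on)
    if purpose in policy.primary_purposes:
        return True
    if purpose not in policy.secondary_purposes:
        return False  # never disclosed: using it would break the posted promise
    choice = record.choices.get(purpose)
    if choice is not None:
        return choice  # an explicit step by the consumer always wins
    # No step taken: the regime's default rule decides.
    return policy.secondary_regime == "opt-out"


# Constructed policy history: version 1 promised opt-in marketing; version 2
# added analytics and switched secondary uses to opt-out.
HISTORY = PolicyHistory([
    PolicyVersion(date(2004, 7, 1), frozenset({"shipping", "billing"}),
                  frozenset({"marketing"}), "opt-in"),
    PolicyVersion(date(2005, 1, 1), frozenset({"shipping", "billing"}),
                  frozenset({"marketing", "analytics"}), "opt-out"),
])

ALICE = ConsumerRecord("alice", date(2004, 8, 15))                       # v1, no choices
BOB = ConsumerRecord("bob", date(2005, 3, 1))                            # v2, no choices
CAROL = ConsumerRecord("carol", date(2005, 3, 1), {"marketing": False})  # v2, opted out


def decisions(record):
    """Permitted uses for a record, as {purpose: bool}."""
    return {p: may_use(HISTORY, record, p)
            for p in ("shipping", "marketing", "analytics", "resale")}


if __name__ == "__main__":
    for r in (ALICE, BOB, CAROL):
        print(r.consumer_id, decisions(r))
```

The point of storing `collected_on` on every record is that the version-2 switch to opt-out does not silently extend to Alice, whose data was given under the opt-in promise; and "resale" is refused for everyone because no version ever disclosed it. A real deployment would also log each decision so that an audit can show the policy was followed.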
Enforcing a Privacy Policy
Work on a privacy policy does not end with writing and publication.
It is extremely important that a company makes sure it honors its policy. No privacy
policy can guarantee compliance and encourage consumer trust without corporate
follow-through; a company must integrate its privacy approach into its corporate
culture. After creating and publishing a privacy policy, a company must train and
educate its workforce on the policy and motivate employees to live up to the standards
it sets.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
A new California law is certain to result in lawsuits against commercial website operators who don't post an adequate privacy policy. Learn the requirements, ramifications, and what should be done to comply.
Risk managers, grab the aspirin. Lack of a sufficient national standard in the United States for online privacy practices has been promising to produce a rash of state laws, each with its own compliance requirements. And, it's finally begun.
A new California law will certainly produce a flurry of lawsuits against commercial website operators who don't post a privacy policy that meets specific standards. It also opens up those operators to civil suits when they fail to comply with their own privacy policies. The law has a national impact, applying to any website operator that collects information on California residents. Similar laws are pending in New Jersey and New York with other states likely to follow suit.
Effective July 1, 2004, California's Online Privacy Protection Act of 2003 (A.B. 68) requires owners of commercial Internet websites or online services (referred to as "operators" under the Act) that collect personally identifiable information (PII) from California residents to:
Violation of the Act occurs when an operator fails to post their privacy policy within 30 days after being notified of noncompliance. Failure to comply with the Act or with the provisions of one's own privacy policy is a violation of the Act when noncompliance is either knowing and willful or negligent and material. And finally, ISPs and similar entities that transmit or store PII at the request of third parties are exempt from the law.
Sound complicated? Wait until you hear about the font and color specifications required for the privacy policy. But, while compliance with A.B. 68 sounds complex, it is an essential activity for any online organization. Noncompliance with privacy laws will create legal costs and can have a negative effect on brand. Being sued for neglecting online privacy may very well throw an organization into the court of public opinion where the ruling can be a public relations nightmare that does irrevocable damage. Would you, for instance, shop online at a website known for not protecting personal data?
However, the risk associated with A.B. 68 applies not only to those who don't comply with the law, but to those who do as well. That's because properly managing privacy is a complex business initiative. In the case of A.B. 68, if you don't have the right privacy policy, you're in trouble. But if you do post the right privacy policy you become vulnerable to the inevitable compliance confusion and honest mistakes that cause your organization to violate its stated policies. So, what's the best defense?
To begin, a clear understanding of the law is necessary for all members of your organization. With that understanding in pocket, you can then develop, post, and adhere to a privacy policy that helps mitigate the risks imposed by A.B. 68. This article provides an explanation of the law's provisions and some practical guidelines for complying.
Getting Down to the Details
First, it is important to understand what the law says and does not say and to clarify the terminology used. The complete text of A.B. 68 can be read online. Following is a detailed explanation of the provisions of the law. You'll need to get legal counsel's opinion on how these provisions apply specifically to your organization and on any ambiguous language that has yet to be interpreted in the courts.
What's the Point?
The stated purpose of A.B. 68 is to "improve the knowledge" that consumers have "as to whether personally identifiable information obtained by the commercial website through the Internet may be disclosed, sold or shared." In other words, A.B. 68 requires transparency of information handling practices from commercial website operators so that consumers can be well informed. The hope is that with improved knowledge will come improved trust in online commerce.
Who Must Comply?
The law applies specifically to "An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service." However, "Internet service providers or similar entities shall have no obligations under this act related to personally identifiable information that they transmit or store at the request of third parties." What's notable here is the reach of A.B. 68. The California law applies to any commercial website operator collecting PII from Californians, regardless of the operator's location. The law's reach stretches far beyond state lines.
What Constitutes Personally Identifiable Information (PII)?
According to the letter of the law, personally identifiable information is information about "an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following."
What's notable here is that the definition of PII could conceivably apply to cookies and tracking technologies even though these technologies are not specifically named in the law.
What Does It Mean To "Conspicuously Post" A Privacy Policy?
Conspicuously posting the privacy policy includes any of the following.
What Does It Mean To Disclose Information?
The remaining provisions of A.B. 68 require disclosure of various types of information: (1) categories of PII collected, (2) types of third parties with whom information is shared, (3) the process (when allowed) for changing PII, (4) the process by which you will notify consumers of policy changes, and (5) the privacy policy's effective date. Disclosure is a risk-filled process. It requires that you say what you do and do what you say or suffer the consequences of breaking your own promises. In the case of A.B. 68, the consequence of not keeping your information handling promises is a civil suit for unfair business practices. On a federal level, the Federal Trade Commission is empowered to bring a deceptive or unfair trade practices charge against a company that does not accurately reflect its practices.
Creating a Compliant Policy
Developing, implementing and enforcing a strong privacy policy are the most important actions a company can take to comply not just with California's A.B. 68, but with local, state, federal and international privacy regulations as well. In addition, a privacy policy provides a company the opportunity to build trust with consumers, employees, investors and stockholders.
Risk and legislation make privacy policy development tricky. Again, posting a policy means you are promising to abide by the policy. Even if you post the right privacy policy you become vulnerable to the inevitable compliance confusion and honest mistakes that cause organizations to violate their stated policies.
Another difficulty is compliance with the growing patchwork of laws prescribing standards and procedures for privacy policy development and implementation. New Jersey and New York both have pending legislation similar to California's A.B. 68 (see N.Y. Assembly Bill No. 08035, N.Y. Assembly Bill No. 04385, and N.J. Assembly Bill No. 365). A worst case scenario is described by the president of the Information Technology Association of America (ITAA), Harris N. Miller, who asked Governor Gray Davis to veto A.B. 68.
To avoid a scenario like the one Mr. Miller describes, consider developing your privacy policies using the highest possible standards, thereby covering all your bases. Also, you may consider seeking outside help from privacy consultants in managing your legislative compliance effort. The recommendations that follow take an even higher road than A.B. 68 requires. The recommendations are not a substitute for professional advice in specific situations, but should serve as helpful guidelines in beginning your privacy policy development.
Privacy Assessment Review
Before creating a competent privacy policy, a company must understand its information practices. If it does not fully understand its own procedures, it is likely to have a difficult time living up to the assertions of its privacy policy. After an effective assessment, a company should be able to thoroughly answer the types of questions outlined below.
Privacy Assessment Review Questions
Once a company understands its information practices, it can decide whether to change or improve them—often a good idea if little attention has been focused on privacy issues in the past. It is at this time that a company is in a better position to articulate a responsible privacy policy with accuracy.
To create a successful privacy policy, a company should consider inclusion of the principles of Fair Information Practices, released by the Organization for Economic Co-Operation and Development (OECD) in 1980. The principles of Fair Information Practices include the following.
Notice/Awareness
The most fundamental privacy principle is Notice/Awareness—telling individuals how their personal data will be collected and used. A section devoted especially to Notice/Awareness is basic to a sound privacy policy. That section should include the following subsections.
Introduction
The notice portion of a privacy policy typically begins with a statement of the company's overall commitment to privacy.
Scope
A privacy policy should disclose to a consumer the areas of the company covered by the policy. For instance, does the policy cover both offline and online data collection? Does it cover corporate affiliates or subsidiaries?
Method of Data Collection
As a matter of notice to the consumer, a privacy policy should identify how a company collects the consumer's personal information.
Type of Data Collected
A privacy policy should identify what kinds of information a company collects from consumers—both personal and non-personal information. Rather than identifying each piece of information the company collects (e.g., name, phone number, IP address), a privacy policy can identify the general types of data the company collects (such as contact information, profile information, billing information, etc.).
Use of Data Collected
A privacy policy should disclose the ways a company uses personal and non-personal information. To make an informed decision on whether to share personal information with a company, a consumer must understand exactly how a company distributes his/her information and applies it to particular purposes.
When creating a privacy policy, it is crucial to understand both the primary and secondary purposes (uses) of personal information. Primary purposes usually are initiated by and obvious to the consumer. For example, if a consumer discloses his/her shipping address to receive a product, it should be obvious to the consumer that the company will use this information for shipping purposes.
In some instances, however, a company may have secondary and nonobvious purposes for the information. For example, a company also may use a home address to send marketing materials to the consumer at a later date. In the interest of fairness, a privacy policy should disclose both primary and secondary purposes.
Data Sharing
A company that shares personal information with other parties should create a privacy policy that identifies those parties and the purpose of the disclosure. This is important, as a consumer may want to review the privacy policies of third parties before disclosing personal information. If not given this opportunity, the consumer may feel abused.
Choice/Consent
The next major issue in a privacy policy is Choice/Consent. At its simplest, choice means giving a consumer options regarding how a company collects and uses his/her personal information. The first choice a consumer typically makes is whether or not to give his/her personal information to a company at all.
After choosing to disclose information to a company, the consumer should be given options regarding any later—especially secondary—uses of his/her information. These options allow the consumer to remain in control. Traditionally, a privacy policy considers two types of Choice/Consent systems: opt-in and opt-out.
Opt-in requires affirmative steps by the consumer to allow the collection and/or use of information; opt-out requires affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule that applies when the consumer takes no steps.
To be effective, any choice mechanism should provide a simple and easily accessible way for consumers to exercise their choices. For example, an online privacy policy should link the consumer directly from the policy to the Choice/Consent form.
Access/Participation
The third major issue in a privacy policy is Access/Participation, which means a consumer's ability to view his/her personal data collected and to contest that data's accuracy and completeness. Both access and participation are essential to ensuring that data is accurate and complete.
To be meaningful, the "Access/Participation" section of the policy must accurately describe the following.
If a company allows access to data that has been collected and/or received, it is critical that adequate security mechanisms are in place to authenticate the access request before any data is returned. Otherwise the access mechanism itself becomes a channel through which one person can retrieve another person's records, turning a privacy safeguard into a disclosure.
Integrity/Security
The fourth major issue in a privacy policy is integrity/security—helping a consumer feel comfortable disclosing personal information. A privacy policy should describe the steps a company takes to assure data integrity and security. Trustworthy data is accurate, up-to-date and protected from abuse.
Regarding security, a privacy policy might articulate a company's commitment to prevent the unauthorized access and use of customer data. A company should be careful not to overstate its level of protection—to avoid potential liability, should a security breach occur. Making too strong a statement also might encourage hackers to attempt to defeat the security mechanisms in place.
Enforcement/Redress
The preceding core principles of privacy protection can only be effective when there is a means of enforcing them. Creating and publishing a privacy policy on its own does not ensure compliance with core Fair Information Practices. A company should give a consumer reassurance that it will follow the principles found within its privacy policy. To do that, a company's privacy policy should describe the enforcement approach the company plans.
To ensure a consumer understands the enforcement mechanisms a company uses, a privacy policy should address topics such as the following.
Regulations
In addition to the generic issues discussed in the preceding sections, a privacy policy also needs to address specific issues such as special laws or guidelines. If applicable, a company should state in its privacy policy that it abides by relevant privacy codes or regulations (e.g., the EU-US Safe Harbor agreement for companies doing business in Europe, or the California Online Privacy Protection Act of 2003 for online commercial operators that collect PII from California residents).
Publishing a Privacy Policy
A privacy policy needs to be published appropriately.
Clear and Conspicuous
After a privacy policy is written, it needs to be published in a clear and conspicuous fashion. This means that the average person must be able to find and understand the policy. An understandable policy uses everyday words (avoids legalese), includes easy-to-read typeface and type size, uses wide margins and ample spacing, and uses boldface or italics for key words. A readable policy also includes design factors that "catch the eye" or call attention to the nature and significance of the information in the notice.
When posting on a website, a company should place its privacy policy in a prominent location. A user should be able to readily access the privacy policy from the website's home page. A user also should be able to reach the privacy policy from any Web page that collects consumer information. The requirements of A.B. 68 for clear and conspicuous posting provide a strong standard that will likely meet all other requirements.
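The placement rule above (a policy link reachable from the home page and from every page that collects consumer information) is something a site owner can check mechanically rather than by eye. The following is an added example, not code from the original article or from IRMI: it parses a few constructed sample pages with Python's standard-library `HTMLParser`, flags any page that collects personal data (or is the home page) but carries no link to the policy, and reports the offenders. The `/privacy` policy URL, the sample pages, and the list of field-name hints used to guess which forms collect PII are all assumptions for illustration; a real audit would crawl the live site and use the operator's own inventory of data-collecting forms.

```python
"""Static check: does every PII-collecting page link to the privacy policy?

Added example (not part of the original article). Uses only the Python
standard library and runs over constructed sample HTML embedded below.
"""
from html.parser import HTMLParser


class PageAudit(HTMLParser):
    """Collect form input names and anchor (href, text) pairs from one page."""

    def __init__(self):
        super().__init__()
        self.input_names = []
        self.links = []          # list of (href, visible text)
        self._in_anchor = False
        self._href = ""
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            # Buttons and hidden fields do not collect anything from the user.
            if (a.get("type") or "text").lower() not in ("submit", "button", "hidden"):
                self.input_names.append(a.get("name") or "")
        elif tag == "a":
            self._in_anchor = True
            self._href = a.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._in_anchor:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_anchor:
            self.links.append((self._href, "".join(self._text).strip()))
            self._in_anchor = False


# Assumed heuristic: field names containing these substrings collect PII.
PII_FIELD_HINTS = ("name", "email", "phone", "address", "zip", "card", "ssn")


def collects_pii(input_names):
    lowered = [n.lower() for n in input_names]
    return any(hint in n for n in lowered for hint in PII_FIELD_HINTS)


def has_policy_link(links, policy_url="/privacy"):
    """True if any anchor points at the policy URL or is labelled as the privacy policy."""
    target = policy_url.rstrip("/")
    return any(href.rstrip("/") == target or "privacy" in text.lower()
               for href, text in links)


def audit_page(html, is_home=False, policy_url="/privacy"):
    """Return what the page collects, whether it links the policy, and whether that suffices."""
    parser = PageAudit()
    parser.feed(html)
    pii = collects_pii(parser.input_names)
    linked = has_policy_link(parser.links, policy_url)
    needs_link = is_home or pii
    return {"collects_pii": pii, "has_policy_link": linked,
            "compliant": (not needs_link) or linked}


# Constructed sample site: path -> (html, is_home). Only /checkout should fail.
SAMPLE_SITE = {
    "/": ("""<html><body><h1>Acme</h1>
        <form action="/search"><input name="q"></form>
        <footer><a href="/privacy">Privacy Policy</a></footer></body></html>""", True),
    "/checkout": ("""<html><body><form method="post" action="/order">
        <input name="full_name"><input name="email"><input name="card_number">
        <input type="submit" value="Buy"></form></body></html>""", False),
    "/search": ("""<html><body><form action="/search">
        <input name="q"></form></body></html>""", False),
    "/newsletter": ("""<html><body><form method="post"><input name="email">
        <input type="submit"></form>
        <a href="/privacy/">Our privacy policy</a></body></html>""", False),
}


def audit_site(site=SAMPLE_SITE, policy_url="/privacy"):
    """Return the paths that need a policy link (home page or PII-collecting) but lack one."""
    return [path for path, (html, is_home) in site.items()
            if not audit_page(html, is_home=is_home, policy_url=policy_url)["compliant"]]


if __name__ == "__main__":
    for path in audit_site():
        print(f"{path}: collects personal information but does not link the privacy policy")
```

A page such as `/search` that collects nothing personal passes without a link, while `/checkout` fails because it gathers name, e-mail, and card data with no route to the policy. The field-name heuristic is deliberately loose (it will, for instance, treat any field whose name contains "name" as personal); tune it against the forms the privacy assessment actually inventoried rather than relying on it alone.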
Versions
An effective privacy policy must also disclose the date the policy was produced and posted, and should include a statement saying the company reserves the right to modify or amend the policy at any time and for any reason. It is essential that the policy inform consumers about the process by which they will be notified of material changes to the policy. When there are material changes, the company should abide by information practices described in its privacy policy at the time the consumer provided his/her personal information.
Enforcing a Privacy Policy
Work on a privacy policy does not end with writing and publication. It is extremely important that a company make sure it honors its policy. No privacy policy can guarantee compliance or earn consumer trust without corporate follow-through; a company must integrate its privacy approach into its corporate culture. After creating and publishing a privacy policy, a company must train and educate its workforce on the policy and motivate employees to live up to the standards it sets.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.