Have you ever taken a second to look around and notice your surroundings? How many people can you spot immersed in their mobile devices, tablets, or laptops? While you’re at it, go ahead and count yourself because you’re currently reading this article using one of those devices. Technology has become such an integral part of our daily lives that the average person spends roughly seven hours looking at a screen each day. Now what you may or may not realize is that the amount of personal information being collected and/or even stored during that time of screen use, is approximately 2.5 quintillion bytes. That’s a lot of your personal data that you may not know how or for what purpose it is being utilized.
Conversely, more and more consumers are consciously choosing which businesses they decide to engage with online based on the company’s data collection practices. This is where an effective privacy policy comes in to play. Before you can mention it, if your business has an online presence or collects payments online or tracks consumer data in any form (hey Google Analytics), then this article is for you, and it is critical that your organization has an effective privacy policy in place.
Generally, a privacy policy is a binding and enforceable statement of a company’s practices regarding how they use, collect, store, and share consumer data. While these policies are binding and enforceable, individual plaintiffs are typically unsuccessful in their breach of contract claims stemming from privacy policy non-compliance. So why is it so hard for these plaintiffs to prevail in such cause of actions? The answer is that traditional legal theories do not adequately address privacy related issues, specifically because the injury sustained from privacy claims are so intangible, unlike other legal doctrines where the injuries are concrete. Because of this, it is almost impossible for a plaintiff to prove damages to ultimately prevail.1
However, in recent years the Federal Trade Commission (FTC) has championed the cause of enforcing such privacy policy actions. Particularly, these FTC suits tend to arise most frequently when companies misrepresent their privacy practices based upon the terms of their privacy policies. A number of these claims could have been avoided if those companies had more clear and concise terms and if they simply kept their privacy policy updated, but we will discuss more on this later. This is why it is not only imperative to have an iron-clad privacy policy in place, but also to ensure that the company remains compliant with the practices set forth within their policy.
Currently, the United States does not have any uniform data privacy laws. Instead, there are numerous federal laws that govern specific industry sectors pertaining to data privacy, but there is no significant piece of federal legislation that encapsulates this area as a whole. Meanwhile, there has been a steady rise of state legislation targeting privacy laws that have been enacted within the past two decades. The most notable being the California Consumer Privacy Act (CCPA), which has been the catalyst for other states to enact their own privacy laws. With new and emergent technologies being introduced into today’s society and as we move further into the digital age, you can expect more and more states to follow suit with similar data privacy regulations as well.
With each state adopting a different standard for data privacy regulation, this may prove challenging to companies in the near future. In particular, imagine your business being required to comply with each state’s specific data privacy law even where your company does not intentionally avail itself to do business. This leaves businesses susceptible to costly penalties for violations and/or pending litigation. For instance, under the CCPA certain companies, whether a California entity or not, may be fined if a California resident, among other things, is not adequately informed of the company’s data collection practices within a privacy policy and are not allowed to have their information removed upon request, via a “Do Not Sell My Personal Information” page on the site. While the CCPA is expansive and requires much more transparency to be provided by companies in an effort to protect consumer privacy rights, this is just an example of how the law can be violated by those doing business with a defective privacy policy or absent such a policy at all. Remember, this is only one state’s legal requirements; many other states have jumped onto the data privacy bandwagon and have their own nuances for what is necessary within a company’s privacy policy.
Now, what can you do to ensure that your company’s privacy policy won’t land your company in hot water? Well, it’s important to note that a privacy policy is not one size fits all, so it’s best that you don’t just copy and paste another organizations privacy policy onto your site and think that you’re covered. Here’s an overview of what an effective policy should entail. First and foremost, it is important to note that a privacy policy should be drafted to fit within a company’s specific industry and to reflect its business processes. Start by identifying the personally identifiable information (PII) that your company is or will be collecting from the consumer. You will need to know what your specific industry or governing law considers to be PII, as there is no universal definition.
Next, you will want to ensure that your policy aligns with the laws governing the dominant industry to which your organization belongs. An example would be detailing the ways in which your organization handles consumer financial PII if the company is within the financial industry or how a consumer’s health information is being secured if your company is within the health care industry Most importantly, the policy should explain how the company remains in compliance with those respective bodies of law. Also, don’t forget about state regulations where your company does business and where a substantial part of your consumer base resides (remember the CCPA as previously discussed). Another notable law to keep in mind is the Children’s Online Privacy Protection Act, also known as (COPPA). This legislation applies to websites and online services directed to children under the age of 13 that knowingly collects personal information from a child.
It’s worth mentioning that companies should ensure that its privacy policy remains updated on a regular basis. In fact, keeping your policy updated is an annual requirement under the CCPA, so it is best practice for businesses, regardless of the industry, to do so each year anyway. Consider also implementing a method of notifying consumers of any material changes to the policy as well. Finally, keeping your policy succinct with your current business practices and ensuring that the policy is up to date helps to prevent any actions brought by the FTC. The FTC is known for cracking down on organizations based on broken promises made within the privacy policy, retroactive privacy policy changes, deceptive data collection or use, inadequate data security and/or inadequate disclosure of the amount of data being collected.
In closing, remember that not only is having an effective privacy policy critical to your business, but also what matters is that your policy is tailored specifically to your organizational landscape and that it always remains fair to the consumer.
1Bernard Chao, Privacy Losses as Wrongful Gains, 106 Iowa L. Rev. 555 (2020).
