Website Privacy Policies – an extensive primer

This is a cross-posting of an interesting November 29 entry in Foley Hoag’s Emerging Enterprise Center blog, by Patrick Connolly and Prithvi Tanwar:

If your start-up’s website will collect user information… and chances are it will, you need to start thinking about your website privacy policy. I have often spoken with founders who think that the website privacy policy is a “one size fits all, grab an example from a well-known e-retailer or established company website that appears to have a similar business model, snip here, paste there and you’re all set” deal. My wide-eyed stare of horror in reaction to this is mostly dismissed as symptomatic of the overly cautious view of life that seemingly plagues my profession. I have discussed this with a colleague, Patrick Connolly, and he had the great idea to write a primer on the issue of Privacy Policies for websites. Now let me warn you, Patrick’s primer is not short and it isn’t meant to be, because it highlights the issues that we step through and the risks and possible reprisals that we consider when we draft a privacy policy for a particular start-up. So without further ado, here’s Patrick’s well-thought-out “Primer on the Website Privacy Policies”. Hopefully, once you’re done reading, you’ll agree that your privacy policy is not something to be taken lightly.

Picture this: you’re an entrepreneur about to make your first foray into e-commerce. This is exciting, but you can’t help but feel a little concerned. Every day, you read a new story about advocacy groups and even Congress scolding businesses for being careless in their treatment of the personal data they collect, or criticizing the shadowy ways in which they collect it. Publishers of major websites are rethinking procedures as they discover tracking technologies residing on their sites that they weren’t even aware of. The dollar amount of settlements in the wake of high-profile data breaches would be enough to cripple your budding enterprise. I’d be worried if you weren’t concerned about the increasingly high-profile area of consumer privacy protection. Thinking carefully now and coming up with a website privacy policy in accordance with some simple guidelines can give you peace of mind and will allow you to focus on running and growing your business and making the most of your new website.

As you’re starting out, you probably have only a handful of site visitors. You may even know many of them personally and you know they are rooting for you to succeed. Because you would never want to do anything to breach the trust of your precious new customers, your task may seem simple: promise them absolute protection of their privacy. Promise to keep everything they share with you in a Seinfeldian vault, and promise that the combination to the vault is theirs alone. To achieve this, you may immediately set about cutting and pasting the most stringent provisions you can find from privacy policies of your favorite well-known websites. Danger! Resist the urge to do this. This approach is problematic (first off, consider the copyright implications). Instead, engage in some thoughtful planning and keep a few concepts in mind as you conceive your privacy policy….

First, when considering what your privacy policy must tell visitors to your website, a bit of good news is that there currently is no complex federal statute to weed through to determine what magic words your policy must contain (assuming, that is, that you’re not collecting financial or medical information, in which case you will need to comply with certain complex federal statutes). Instead, the Federal Trade Commission (“FTC”) is concerned that your policy disclose enough about your use of information so as not to be unfair or deceptive. California, however, has been kind enough to provide a more specific, yet still relatively easily understood statute: the Online Privacy Protection Act of 2003 (“OPPA”). OPPA requires website operators that collect personally identifiable information about individual consumers living in California to “conspicuously” place a privacy policy on their websites. Many website publishers use the OPPA requirements as guideposts in determining what to include in their privacy policies. To comply with OPPA, your privacy policy must: (i) identify the categories of personal information you collect; (ii) describe how you use that information; (iii) describe whether and with whom personal information is shared; (iv) describe the process, if one exists, for an individual consumer to review and request changes to any of his or her personal information that you have collected; (v) describe the process by which the operator notifies consumers of changes to the privacy policy; and (vi) provide an effective date.

Now that OPPA has given you a rough idea of what you must tell visitors in your privacy policy, you need to consider what level of detail to include. Although there is no negotiation taking place, by asking your customers to accept the terms of your privacy policy you are attempting to enter into an agreement with them. For your side of the agreement, the more you promise, and the more you give your customers in terms of privacy protection, the more good will and reputational advantage you may earn. These are important values to keep in mind with consumer consciousness concerning privacy on the rise. On the other hand, your business will be bound to act in accordance with your privacy policy, the obligations it imposes, and the promises it contains. Over-promising now could hamper your business’s future ability to collect and use information in benevolent and rewarding, but currently unforeseen, ways. That said, I will reiterate the importance of disclosing enough so as not to mislead your customers. With a nod to OPPA, website privacy policies are often constructed by asking, and presented by providing the answers to, the following questions:

  • When do we collect information? In addition to information you collect from users when they register as a member or order a product, do you collect information concerning site usage behavior, IP addresses and other anonymous information using tracking technologies? If so, one component of the answer to the “when?” question may be “any time a user visits the website.”
  • What information do we collect? The answer to this question is often broken down into the personally identifiable information (e.g. first and last name, address, telephone number, etc.) that is collected and into another category, often called aggregate information. Any data you collect from users on an anonymous basis to administer the site and analyze its usage probably falls into the aggregate information bucket.
  • How do we use personal information? In your answer to this question you may include things like order fulfillment or storage in a contact database. Describe how you actually use information but beware of promises to never engage in certain other uses. As I will describe, amending away such an absolute promise in a privacy policy can be tricky.
  • What information do we disclose to third parties? In answering this question, remember that you likely cannot make an absolute promise not to disclose personal information to third parties. Leaving aside the acts of various scalawags that are out of your control, you need to think about any necessary disclosures to contractors (e.g. those who ship goods ordered from your site), to courts or law enforcement agencies, or to third parties in the context of a business combination.
  • How do our customers access and update their information? This process usually includes a user logging into their account on the site and updating the information they’ve shared. If such online functionality is not available, it’s a good idea to post an e-mail address where users can request changes to or deletion of their personal information.

Answering these questions will likely require you to perform some internal due diligence. You should engage all relevant departments (e.g. marketing, IT, billing) of your business in assessing and understanding your privacy practices. Once you have a thorough understanding of what you’re actually doing with respect to website visitors’ privacy, you can craft a policy that is consistent with reality and with other statements made on the website, and that you will be able to adhere to.

Although not required, some policies contain a description of the physical and technical safeguards used to protect privacy. You will likely build up trust capital by showing your customers that you have robust privacy protection practices in place. Watch out here, though. Don’t say you use, for example, Secure Sockets Layer (SSL) encryption for transactions if that’s not actually the case. This is an example of a provision that sounds great when you read it in the privacy policy posted on, but which you may not be able to adhere to. Better to remain silent on the security measures you employ than to give a list of impressive-sounding practices you don’t actually adhere to.

Another important consideration is your explanation of how the policy will be amended. Be aware that there are certain best practices to be followed in trying to ensure that your privacy policy as amended will apply to continuing users of your site. Once again, you’re trying to form an agreement with visitors to your website, and principles of contract formation are likely to apply. This means that each time you change your privacy policy, the best practices include notifying visitors of the changes and requiring them to accept the changes after clicking through the amended policy.

Keep the cumbersome amendment process in mind while crafting your privacy policy and deciding what promises you want to make at the outset. Visitors who use your site in reliance on the promises you make will likely have a right to have those promises enforced, and amending promises away as your business evolves is a tricky proposition. Avoid the temptation to make broad and absolute promises in your privacy policy, and cut out flowery, aspirational language. Although “legalese” should be scrapped in favor of language that is easily read and understood, resist the urge to go too far in the other direction. In your introductory paragraph, a clear description of the purpose and content of the privacy policy that doesn’t contain any promises you can’t fulfill or hidden liability traps beats a statement that effectively promises visitors the moon when it comes to protection of their privacy.

Of course, your company may have special concerns about its website. For example, if you plan to collect data from children under the age of 13, you’ll need to comply with the Children’s Online Privacy Protection Act (“COPPA”). Enforcement of COPPA is the responsibility of the FTC and has lately been the focus of review by the agency and the scrutiny of all sorts of advocacy groups. This is an area that may be in flux and deserves careful monitoring.

I have confidence that if you were able to find your way to this article, it won’t take long for you, perhaps with the able assistance of your attorney, to be well on your way to crafting a thoughtful, well-balanced website privacy policy using about the same number of words I’ve used in this primer.
