Recent legal developments regarding privacy and data security have added new requirements, and the failure to comply could result in substantial liability.
Two Cardinal Rules Regarding Privacy and Data Security
As you begin your review, it’s important not to overlook the forest for the sake of the trees, so to speak. There are two cardinal rules to always keep in mind.
* Does it describe all the ways you use the information?
* Does it describe with whom you share the information (or provide the means to access it)?
* Collection of Anonymous, Passive Information. Disclose how you collect anonymous, passive information through technologies such as cookies, Internet tags, log files, and server logs.
* Cookies. Cookies require special disclosures. Distinguish between 1st party cookies that you serve and 3rd party cookies served by others such as by Google for its Google Analytics service. Given the recent controversy and litigation over Flash cookies, it’s recommended that you do not use them, but if you do, you should explain clearly what they are and their effect on data collection.
* Behavioral Ads. Disclose whether you reserve the right to serve 3rd party cookies for purposes of serving behavioral ads, such as participation in Google’s AdSense network. Behavioral ads are based on anonymous data collected on how a user’s computer browses the Internet, including websites visited, searches made, and content read.
* Categories of Personal Information. You should clearly disclose all of the categories of personal information collected on your site. Personal information includes any information that may be used to identify a person, such as an email address.
* Sharing of Personal Information. Make sure that you identify all of the ways you share personal information, particularly information that may be shared for purposes of direct marketing. Also identify the types of parties with whom you reserve the right to share personal information, such as corporate affiliates, service providers, and any party that may acquire your website business in the future.
* Links to Other Sites. State that visitors should review the privacy policies on these sites and that you have no responsibility for the policies and practices of these sites.
* Data Security. Disclose your standards for data security. Even if your policy is silent on data security standards, the FTC expects you to implement and maintain "reasonable and appropriate" data security procedures, and treats a failure to do so as an unfair practice.
* Children’s Online Policy. If you do not knowingly collect information from, or sell to, children under the age of 13, you should state accordingly. However, if you knowingly deal with children under the age of 13, you should strictly comply with the Children’s Online Privacy Protection Act (COPPA).
* Updating Personal Information. Describe how a user who has an account with your site may update the user’s personal information.
Privacy and Security Practices Checklist
The FTC is empowered to represent the interests of consumers in the area of “unfair and deceptive trade practices.” The FTC has filed over 30 “unfair and deceptive trade practices” lawsuits in the last few years for what the FTC believes are lax practices regarding privacy and data security.
Here’s a checklist of privacy and security practices to consider.
* Physical Data Security. As stated above, the FTC requires that you initiate and maintain “reasonable and appropriate” data security procedures. These procedures include physical security measures and logical data access protection with strict controls over internal and external access to data.
* Service Providers. The FTC has made it clear that any third party, such as your website developer, website maintenance service provider, or hosting service provider, who has access to personal information in your website’s server, should be bound contractually to maintain the privacy and security of personal information.
* Outsourcing Website Hosting. Web hosting service providers require special consideration. The key is to ensure that the service provider’s security practices equal or exceed your practices if hosting were not outsourced.
* Administrative Security. A recent FTC case highlighted the FTC's expectations for "administrative controls" over data security: requiring administrators to use hard-to-guess passwords that are changed frequently, suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts, and restricting access to administrative controls. (Note that current guidance such as NIST SP 800-63B no longer recommends forced periodic password changes absent evidence of compromise; the lockout and restricted-access points remain sound practice.)
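The administrative controls above (hard-to-guess passwords, lockout after repeated failures) are easy to state and easy to get subtly wrong. The following is an added example, not code from the original article or from any FTC order, showing one way to implement them as a login gate: a minimum password-strength check, salted PBKDF2 hashing, constant-time comparison, equal work for unknown usernames so that account existence cannot be inferred from timing, and a lockout after a threshold of failures. The threshold, lockout window, deny list and the `AdminAuth` class are assumptions chosen for illustration.

```python
"""Administrative login gate: strong passwords and lockout after repeated failures.
Added example; threshold values are assumptions, not figures from any FTC case."""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 5          # assumed "reasonable number" of failures
LOCKOUT_SECONDS = 15 * 60        # assumed lockout window
MIN_PASSWORD_LENGTH = 12         # assumed minimum length
PBKDF2_ITERATIONS = 100_000
# Constructed deny list standing in for a real breached-password corpus
COMMON_PASSWORDS = {"password", "admin", "letmein", "123456", "qwerty"}


def check_password_strength(password: str) -> None:
    """Raise ValueError for passwords that are trivially guessable."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password appears on the common-password deny list")


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen credential table is slow to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AdminAuth:
    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}
        # Dummy record: unknown usernames cost the same work as known ones,
        # so response time does not reveal which admin accounts exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_key = derive_key(os.urandom(16).hex(), self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        check_password_strength(password)
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "key": derive_key(password, salt),
            "failed": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        account = self._accounts.get(username)
        if account is None:
            # Burn the same work as a real check, then deny.
            hmac.compare_digest(derive_key(password, self._dummy_salt), self._dummy_key)
            return "denied"
        if now < account["locked_until"]:
            return "locked"           # even a correct password is refused while locked
        if hmac.compare_digest(derive_key(password, account["salt"]), account["key"]):
            account["failed"] = 0     # successful login clears the failure counter
            return "ok"
        account["failed"] += 1
        if account["failed"] >= MAX_FAILED_ATTEMPTS:
            account["failed"] = 0
            account["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    auth = AdminAuth()
    auth.register("admin", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(auth.login("admin", "not-the-password", now=0))
    print(auth.login("admin", "correct horse battery staple", now=10))
```

The lockout is keyed on the account, so an attacker cannot avoid it by rotating source addresses; pair it with rate limiting per source to keep a single attacker from locking out legitimate administrators.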
* Red Flag Identity Theft Policy. If your site acts as a "creditor" under the Fair and Accurate Credit Transactions Act of 2003, you are required to implement an identity theft policy. You act as a creditor if you use consumer reports in connection with credit transactions, furnish information to a consumer reporting agency in connection with a credit transaction, or advance funds to or on behalf of a person based on that person's obligation to repay the funds or on repayment from specific property pledged by or on the person's behalf. The purpose of the policy is to identify, detect and respond to patterns, practices or specific activities (the "red flags") that indicate possible identity theft.
New regulations are emerging and developing at a rapid pace. Failure to comply may result in substantial liability.