9 Ways To Bulletproof Your Privacy Policy
Is your privacy policy rock solid, or could it use some work? Mistakes can mean lawsuits, regulatory fines, and damage to corporate reputations. Here's how to protect your company.
Any company that collects, stores, and uses personal information should have a privacy policy. However, not all privacy policies are created equal.
Although many privacy policies may look the same, the riskiest ones fail to reflect what the company actually does. These can expose the organization to potential regulatory audits, fines, lawsuits, and reputational harm. To reduce the risks associated with such disconnects, businesses should spend more time thinking about -- and operationalizing -- their protection of sensitive data.
However, many organizations don't take their privacy policies seriously enough, as evidenced by the growing number of data breaches and the increasing amount of regulatory oversight.
"If the regulators fined everyone for failing to follow certain regulated procedures, they'd have to fine everybody because nobody does it right," said Walter O'Brien, in an interview. He's founder and CEO of Scorpion Computer Services, the real-life company (with a real live person) upon which CBS's Scorpion TV show is based. "They'd be fining 99% of the industry, and there would be an uproar," said O'Brien. "There should be an uproar. You don't sue Wells Fargo every time it gets hacked."
Toothless privacy policies are common. In June 2015, the Online Trust Alliance (OTA) audited the security, privacy, and consumer protection practices of approximately 1,000 companies, each a leading organization in its industry. They included the top Internet retailers, banks, US federal government sites, social networking and sharing sites, news and media companies, Internet of Things providers, and OTA members. Forty-five percent failed to protect consumers and their data from harm and online threats. Forty-four percent made OTA's "Honor Roll" by achieving a weighted score of 80 or better on a scale of 1–100, based on 50 different data points. When the OTA audited the top 23 presidential candidates in September 2015, it found that 74% failed because of their privacy policies.
"The FTC has been very aggressively prosecuting companies that don't really do what they say or say what they do," said Jim Adler, in an interview. "Where companies go sideways is not so much what they say, but whether they can live up to what they're saying." Adler is chief security officer at big data analytics company Metanautix and member of The Department of Homeland Security Data Privacy and Integrity Advisory Committee.
To minimize your own company's risks, consider these nine pointers.
Few people read privacy policies, including the people who cut and paste them from other sites. After all, why spend the time and resources to recreate a boilerplate document? The short answer is that an effective privacy policy isn't a boilerplate document. It accurately describes how a company handles personal information.
"Using another company's privacy policy creates serious legal risks because that policy can be used against you," said Tatiana Melnik, attorney at law, in an interview. "If the FTC looks at what you're doing and it doesn't match your privacy policy, it will be used against you as being woefully negligent. And the courts will assume that you put something out there that you didn't read."
Writing a privacy policy takes time to do right because it's a public statement about the information that's collected, how it's collected, how it's used, with whom it's shared, and how it's safeguarded. To avoid liability, make sure the policy accurately states what your company does.
Aligning a privacy policy with a company's technology and business practices is challenging because it requires the involvement of the many stakeholders who are responsible for the data. Without that, there are knowledge gaps and security gaps that can expose the company to a number of unanticipated and unwanted outcomes.
"The privacy policy should be very visible in your organization and clearly have the support of the CEO. The board should understand what you're doing to maintain your privacy policy and your privacy program, and how your risk profile is evolving over time," said Jason Straight, chief privacy officer and SVP of cyber-risk solutions at legal services outsourcing firm UnitedLex, in an interview.
Don't forget the stakeholders involved in the collection, storage, use, sharing, and safeguarding of data. That means marketing, advertising, the webmaster, IT, security, privacy, and general counsel.
There's a move to simplify privacy policies because they're too difficult for the average person to read and comprehend. Attention spans are short and privacy policies are long. Few people will take the time to read a document written in legalese and presented in six-point type. Because transparency is becoming a brand issue, some organizations are adopting a layered short notice, which presents privacy policy information at varying levels of detail: a very short form, highlights, and the traditional full-blown document. Icons may also be used to simplify the communication of important points.
"You're kind of complying with the letter of regulation but violating the spirit of it by not making your privacy policy clear and understandable," said Patrick Fowler, chair of the privacy, data protection and cyber-security practice at law firm Snell & Wilmer, in an interview. "The average reading level of the average American is 8th grade. There have been studies of Fortune 500 privacy policies [that say] to understand those policies you have to have a college-level education."
There's also the concept of Security by Design, in which users are prompted to consider the potential consequences of their privacy choices in context as they use a product, so that they can make an informed choice. "The product has to align with the privacy policy in perpetuity as it's being used. If the policy is changing every year, but the product is being revved every week, that's a problem," said Jim Adler, chief security officer at Metanautix and member of the Department of Homeland Security (DHS) Data Privacy and Integrity Advisory Committee (DPIAC).
How data can be used changes over time. One way of handling the uncertainty is to use overly broad language.
"Companies are drafting overly expansive privacy policies that say they can do anything and everything with users' data," said Omer Tene, VP of research and education at the International Association of Privacy Professionals (IAPP), in an interview. "The FTC has increasingly looked critically at these practices, and might actually view them as being unfair trade practices, which is a basis for enforcement actions."
Privacy policies are about notice and consent. An overly broad policy can fail to provide adequate notice of the data that's being collected, stored, used, and shared, and for what purposes. On the flip side, consumers may claim they did not know what they were consenting to because the language was vague.
Knowing that broad language can fuel disputes, some companies opt to write privacy policies that are so specific that they backfire.
"Drafting an overly restrictive policy might initially be seen as a good practice because you're constrained in your ability to use individuals' data," said Omer Tene, VP of research and education at the International Association of Privacy Professionals (IAPP). "The FTC has been filing claims against companies that are not doing what they said in their privacy policies." If you make your policy too narrow and end up going outside it, you could be punished, he said.
Consumers are often asked whether they consent to information sharing with a company, the company and its partners, or other third parties. Despite what companies say, what they do may differ significantly.
"We see this a lot in the healthcare space, where you may have a doctor promise something or other to their patients, but then they give broader rights to the [electronic healthcare record] vendor than is permitted by the patient. You have to make sure how the company handles data and shares it with others. It has to carry throughout the entire contracting relationship," said attorney Tatiana Melnik.
To keep privacy policies and practices in sync, consider the entire flow of information and every party that might touch the data. Issues can arise in mergers and acquisitions. In the Radio Shack bankruptcy case, the sale of its 117 million customer records was a highly contentious issue involving several state attorneys general and corporations including Apple.
A privacy policy shouldn't be a static document. Laws, statutes, regulations, technology, and cultural norms are changing all the time. Yet a lot of privacy policies are out of date because they haven't been revisited often enough. When a lawyer, a consultant, or the OTA identifies a discrepancy between a privacy policy and what the company actually does, a common response is, "That's not what we do." Craig Spiezle, president and executive director of the OTA, recommends revisiting the privacy policy with the business groups once a quarter.
"The number of data breaches ... is staggering. Companies create a privacy policy to build a program based on the current conditions. It may be perfectly good, compliant, and meet everybody's needs, but if you don't go back and check it, if you don't keep up with the changing expectations of your customers, you can really run afoul," said Jason Straight, chief privacy officer and SVP of cyber-risk solutions at UnitedLex, in an interview. "Mistakes are being made because we're living in a radically changing and increasingly global environment. You need to understand regulation and what turns people off to your company."
Privacy policies would have a better chance of being effective if protecting sensitive data were deemed to be everyone's job in the company -- an expected type of behavior.
"Everyone knows there are certain boundaries on appropriate work behavior in different areas. [Employees] get a handbook and there are policies. You need to have that level of awareness and education about privacy and how you handle data," said Craig Spiezle, president and executive director of the OTA.
The problem generally is a lack of consequences. Even though hacks, lawsuits, fines, and public outcries are growing in number, they still represent only a small percentage of all privacy policy breaches. In the absence of lawsuits, fines, public outcries, or other consequences, such as being reprimanded or fired, business as usual tends to chug along.
"Privacy policies say all kinds of nice things like, 'We will not leak our user data.' They don't say we will ensure that our on-site and off-site backups are encrypted at all times and not left on a disk drive next to the coffee machine. A great question to ask yourself is, 'Or else what?'" said Walter O'Brien. "All these policies don't have any teeth because they don't have an 'Or else what?' and if there's 'No else what,' it doesn't matter."