The Danger of a Monkey See, Monkey Do Approach to a Privacy Policy


Last year odds are you suddenly found your inbox inundated with nearly identical emails from different companies. The subject line and content concerned “an update to our privacy policy.” This sudden uptick in privacy policy updates coincided with the European Union’s General Data Protection Regulation going into effect. One of the immediate ramifications for companies under the GDPR umbrella was the requirement that a privacy policy be accessible, easily understandable, and include key disclosures which entailed how exactly an organization collected and used one’s personal information. Inspired by GDPR, California passed its own privacy law, the California Consumer Privacy Act (CCPA), in June of 2018. The CCPA also has very specific privacy policy requirements for businesses subject to the law.

The cumulative result of stringent privacy laws like GDPR and CCPA has been an increase in consumer concern about how companies make use of their data and the desire for additional regulation over data collection practices. As a result of this heightened awareness, many companies have adopted a monkey see, monkey do approach to privacy policy construction – a seemingly innocent enough mistake with potentially serious legal repercussions.

Watch What You Say

Most businesses, especially small to medium-sized ones, don’t think twice about copying and pasting another company’s privacy policy. Worse yet, companies don’t even have to copy someone else’s privacy policy; instead, they make use of a free template pulled from the Internet. This copycat approach to describing how a business collects and disseminates user information comes with legal exposure.

A statement that your organization applies 256-bit encryption to personal information may sound good in theory, but what happens if this isn’t actually true in practice?

Now you may be asking yourself, “Yeah, but who really reads privacy policies anyway?” The Federal Trade Commission, for one. Every so often the FTC sues companies over misrepresentations found in their privacy practices. One such enforcement action took place this past July when the FTC sued the company ClixSense. ClixSense operated an online rewards website (ClixSense.com) that paid users to view advertisements and perform other menial tasks. The company collected and stored sensitive personal information on its users, including Social Security numbers, dates of birth, and email addresses. ClixSense suffered a data breach in 2016 which resulted in the exposure of personal information on more than 6.6 million consumers. As part of its lawsuit, the FTC found ClixSense deceived consumers through false representations found in its privacy policy (“we utilize the latest security and encryption techniques to protect your information”), when in fact the company left sensitive information in plain text and failed to implement even minimal data security measures. The FTC settled with ClixSense after the company agreed to implement a comprehensive information security program.

In addition to federal oversight, numerous states have laws that govern a company’s collection of personal information and how organizations communicate these practices in privacy policies. Besides the aforementioned CCPA, Delaware law requires any operator of a commercial website who collects personally identifiable information on Delaware users to clearly convey certain information about its data collection practices in a privacy policy. The failure to do so can result in an enforcement action from the Delaware Department of Justice. Oregon, too, just recently passed a law governing inaccurate statements found in privacy policies. In a similar manner to the FTC’s approach, the Oregon Attorney General can punish false claims made in the course of a company’s use, disclosure, maintenance, and disposal of consumer data. While these states may be at the forefront of data collection regulation, they surely won’t be the last. Privacy experts agree that additional state-specific legislation on Internet data privacy policies and practices is likely to increase in the near future.

Drafting and/or Reviewing a Privacy Policy

A company that either does not have a privacy policy or has not reviewed an existing policy in some time should start out by asking the same three questions. What information do we collect? How do we collect the information? And finally, how do we use the information collected? The answers to these three questions should serve as the starting point for a legally sufficient privacy policy.

With these initial questions out of the way, a company should describe how it plans to protect the information collected (i.e., the specific technical, physical, and administrative safeguards that are in place) and who has access to it (i.e., affiliates or third parties). Lastly, it’s increasingly important for a privacy policy to list out what different consumer rights may or may not be available (e.g., whether a user can opt in to or opt out of certain data collection practices). These are just some of the provisions always present in an effective privacy policy.

Speaking of effectiveness, a privacy policy should be easily understood and clearly accessible. A privacy policy that’s easily understood is a document written in plain language that refrains from unnecessary legal jargon. With respect to accessibility, the policy should be clear and conspicuous on a company’s webpage, in a place where users are most likely to see it.

Conclusion

The use of another’s privacy policy invokes the law of unintended consequences. While a copied policy is free of charge and may be seen as “good enough”, organizations fail to anticipate the consequences of saying one thing about privacy only to then do another. With greater state and federal oversight over data collection than ever before, companies must craft a privacy policy that accurately reflects their internal processes and recognizes the growing expanse of privacy norms afforded to individuals.


Need help drafting or reviewing your company’s privacy policy? Contact me today.