What are the Requirements for Online Privacy Policies?
As with most projects, before investing time and energy, the first thing I like to do is define requirements. So, my first stop was the website of the Federal Trade Commission since they are the watchdog of the U.S. government when it comes to consumer privacy protection.
The FTC website provides a wealth of information regarding privacy and PII (personally-identifiable information). In fact, there is so much content available it’s downright overwhelming. After wading through most of it, this is what I believe to be most useful for online entrepreneurs:
- Identification of the entity collecting the data
- Identification of the uses to which the data will be put
- Identification of any potential recipients of the data
- The nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information)
- Whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information
- The steps taken by the data collector to ensure the confidentiality, integrity and quality of the data
Principles of a Sound Data Security Plan – The FTC website offers a very informative brochure that details the do’s and don’ts of handling PII. It’s called “Protecting Personal Information – A Guide for Business”. To download a copy in PDF format, click the title of this paragraph.
Interactive Tutorial – If you prefer video and have about 20 minutes, this interactive video covers the same information contained in the above PDF document. The FTC recommends it as an effective way to explain the basics of PII security to your team if you have one. But even if you don’t have employees, this is a quality video worth checking out. To access, click the title of this section. You should see a link in the right sidebar.
- Keep it clear and easy to understand; don’t over complicate it with a lot of technical terms and legal jargon.
- Don’t say it if you can’t back it up. This is where some websites get into trouble for false or deceptive advertising.
- Get your entire team to buy-in to PII compliance.
While there are numerous federal requirements regulating the PII management practices of businesses, financial institutions and health care providers, surprisingly, as of this writing (June 2011) there is no federal requirement for privacy policies to be made available to consumers (i.e. posted on websites). That may soon be changing.
Pending Federal Legislation regarding Privacy Policies
During my initial research on the legal aspects of online privacy policies (see article Are Online Privacy Policies Required by Law?), I found that some U.S. states require privacy policies to be prominently posted, but there is no such requirement at the federal level.
Today, 8 months later in mid-2011, there is an influx of bills pending in the United States Congress covering all aspects of online privacy including full disclosure. In the article Federal Legislation and Online Privacy Policies you will find a table listing 16 pending federal bills with links to the congressional database providing the status of each. Depending on what gets finalized and signed into law, requirements for collectors of PII could tighten significantly. This will affect most website and blog operators including those that simply collect email addresses for newsletters.
Other Sources of Requirements for Online Privacy Policies
Until a fair and balanced set of standards is signed into federal law, online privacy compliance will continue to be a challenge for the average website operator. As states enact their own privacy laws and industry icons like Google and Microsoft make their own rules (per the self-regulation promoted by the FTC), compliance continues to be a moving target.
| Sources for Best Practices regarding Online Privacy Policies |
| --- |
| Rules, recommendations and tips from the FTC website |
| Selected requirements from bills pending in the U.S. Congress |
| Applicable requirements from stringent U.S. states like MA, CA, and NV |
| Requirements from online juggernauts like Google and Microsoft |

— Table 1A —
Realistically, regardless of who writes the privacy document, the questions need to be answered by the website owner or principal operator(s). The most conscientious consultant or attorney will usually not be as familiar with the site’s underlying functionality and supporting practices.
| Questions to Consider | Examples and Sources |
| --- | --- |
| What PII is collected? – Specifically, what PII (personally-identifiable information) is collected? | For examples of PII, see article What is PII? |
| Sensitive PII – If sensitive PII is collected, is it done with affirmative consent (opt-in)? | Sensitive PII is personally-identifiable information which, if compromised, can cause a significant negative impact for the individual (e.g. financial and medical records, religious affiliation). Credit card information, bank accounts, and social security numbers are examples. |
| How is PII collected? – What is the method for collecting PII? | For example: newsletter form, contact/webmail form, subscription form, registration form, service application form, shopping cart transaction form. |
| Volume – What is the volume of PII collected? | For example, one particular bill pending in Congress only applies if PII of more than 5,000 individuals is collected during any consecutive 12-month period. |
| Purpose – Is there a clear, valid purpose for the collection of each element of PII? | Per pending federal legislation, collectors of PII should only collect as much information as necessary to process or enforce a transaction or deliver a service; the legislation does allow for the collection and use of information for research and development to improve the transaction or service. |
| Minors – Is PII collected from children under the age of 13? | Is the product, service, or site content targeted at children 12 and under? If so, COPPA applies if PII is collected. |
| Storage – Is the PII stored in a secure fashion? How and where is it stored? | Is it stored in a password-protected database on a secure server, or on a password-protected and physically secure hard drive? Is it stored in encrypted form rather than clear text? Is employee access on a need-to-know basis only? |
| Transmission – How is the PII transmitted? | If transmitted across public networks and wireless networks, is the data encrypted? |
| Usage – How is the PII used? | For example, is it used only for the stated purpose of the end-user form filled out by the consumer, or is it also used for other purposes such as internal ad campaigns? |
| Opt-out – Is there an opt-out function, and is it clearly available? | This refers to website functionality, not a browser (IE, Firefox, Chrome, etc.) feature. |
| Access – Can individuals access their PII and correct it, or request that it no longer be used and distributed? | If it cannot be directly accessed and edited by the PII owner, can the owner request deletion via email, postal mail, or phone, for example? Per pending Senate bill S 799, section 202. |
| Retention – How long is the PII retained? | Pending federal legislation states that collectors of PII should retain it only for reasonable periods of time. |
| Disposal – How is the PII disposed of? | Pending federal legislation specifies acceptable methods. For examples, see House bill HR 1707, section 2.a.2: E & F. |
| Accuracy – Are procedures in place to ensure the data is accurate? | Pending federal legislation requires this in certain instances. See bill S 799, section 303 (a) and (b). |
| Breach policy – Has a breach policy plan been formulated? | For example, in the event of a security breach in which PII is acquired by an unauthorized party, is there a procedure for notifying owners of the PII? |

— Table 1B —
As indicated in the example for item #4 in Table 1B, some bills pending in Congress hold businesses to a higher standard if they deal with large amounts of PII. That seems logical since more people can be negatively affected if the data is abused or stolen.
Also, some of the questions in Table 1B stem from pending federal bills that do not specify how compliance must be achieved. Instead, they empower the Federal Trade Commission to establish rules within a defined time period after the bill becomes law. Interestingly, even at that point, the FTC will be prohibited from requiring a specific technological means of meeting a requirement (Source: S 799, title I, section 101, d). Given technology’s ever-increasing rate of change, that also makes sense.
It is important to remind readers that if a website or blog collects PII from residents outside the United States, different privacy laws apply. While those laws are outside the scope of this article, it may be the focus of a future research project to be posted here at .com. Stay tuned.
In fact, if you would like to receive future posts automatically via email or RSS feed, simply click on one of the links in the upper right corner of any page on this site to subscribe. Only an email address is required. You can unsubscribe at any time.
If you are interested in reading more about international requirements pertaining to information privacy, you may want to start with the EU and APEC. The European Union (EU), for example, is expected to introduce (sometime in 2011) the concept of the “right to be forgotten”, which allows individuals to request that their data be completely removed once it has served its original purpose. Holders of information, such as ISPs and search engines, may have to reveal who is collecting data and for what purpose. (Source: European Commission website, Safeguarding privacy in the digital age)
APEC (Asia-Pacific Economic Cooperation) is a cooperative of 21 nations primarily concerned with global trade and economic issues. The APEC Privacy Framework promotes a flexible approach to information privacy protection while avoiding the creation of unnecessary barriers to information flows.
With the outline in hand, an informed decision can be made about what method to use to compose the final, consumer-friendly document. That is what the next post is about. It will examine a variety of options including:
- Using an online auto-generator service
- Customizing a template
- Hiring an internet-savvy, privacy-law attorney to draft it