Promises, Promises: Review Your Company's Privacy Notice...Before The FTC Does

As first appeared on Inside Indiana Business
 
When your company makes promises in its privacy notice, the Federal Trade Commission can take action to hold your company accountable for these promises. The FTC has brought over 30 legal actions against companies accused of violating consumers' privacy rights, and several of these have been against companies accused of failing to keep promises about privacy.
 
These actions may be instituted even when companies have no legal obligation beyond their stated promises to perform in accordance with their privacy notices. Here are five tips for drafting and implementing an effective privacy notice.

1. Determine your company's actual privacy practices.

As stated in its recent warning to Facebook and WhatsApp about their obligations to protect the privacy of their users, the FTC contends that “absent affirmative express consent by a consumer, a company cannot use data in a manner that is materially inconsistent with promises made at the time the data was collected.” Thus, it is important for a company to know how it is using or plans to use consumers’ personal information before the company creates a notice to consumers. Here are some questions you may want answered before drafting or revising a privacy notice:

• What personal information is the company collecting?
• Where is that information kept and how is it secured?
• Is the information shared with third parties?
• How does the company handle consumer requests related to the use, storage, and sharing of the information?
• Is the company planning on using the information in other ways in the future?

2. Ensure your company’s current practices are legally compliant.

There are multiple state and federal laws and administrative regulations governing the disclosure and use of consumer information. Depending on which laws apply, failure to comply with these laws and regulations may result in severe penalties and prompt an enforcement action from the FTC. In some cases, it may be appropriate to consult with legal counsel to determine which laws apply and draft internal privacy policies consistent with these laws.

3. Use plain language and a layered approach.

In its final report on protecting consumer privacy, the FTC observed a widespread belief that “most privacy policies are generally ineffective for informing consumers about a company’s data practices because they are too long, are difficult to comprehend, and lack uniformity.” Thus, the FTC proposed that privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices.

One such method being used by several companies is to “layer” privacy notices. The first layer is a short summary of the main elements of the privacy notice using language that is easy to understand. The first layer can have multiple links to the second layer, which has detailed information from the full notice. Here are examples of layered privacy notices in action: Cisco, Google, Procter & Gamble, United States Postal Service, and Walmart.

4. Ensure that the appropriate personnel are knowledgeable about the privacy notice and policy.

You may want to make sure that the necessary employees are aware of both the company’s privacy notice (what you state to the public) and the company’s privacy policy (the policies communicated inside the company). You can do this by posting the notice and/or policy at the company’s location and by providing regular training to employees who work with the collected information.

5. Review and revise.

Of course, laws and business practices continually change, so it is important to review your privacy notice and practices periodically. It is generally good practice to have an “effective date” or “last revised date” legend that is easily identifiable on the privacy notice and to save and store older versions of the privacy policy and associated notice. Lastly, as demonstrated in the FTC’s recent warning to Facebook and WhatsApp, companies should exercise care in making changes to their policies and may want to offer consumers an opportunity to opt out of such changes.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances. 
 
