Any company that has a Web site and conducts business over the Internet ought to have some kind of online privacy policy. This policy should address the company’s rights to the use of personal information collected from users and how the company intends to use this information.
Many prominent Web sites offer visitors a link to a privacy policy statement, which can range from a 1,500-word tome of very specific details to a simple one-liner. Regardless of how a company spells out its privacy policy, from a legal standpoint it is vital that it be clear and accurate, advises Benita A. Kahn, a partner with the Columbus-based law firm Vorys, Sater, Seymour and Pease LLP.
Smart Business spoke with Kahn about the key elements of a privacy policy, and why it is important for companies that conduct business on the Web to have one.
What is a privacy policy?
A privacy policy is a business’s statement on its Web site that discloses what information will be collected about visitors to the site and how that information will be used. It can also include how a user can have this data removed, and how the company plans on keeping this information secure.
The entire concept of a privacy policy is to disclose to the public what a company is doing with the users’ information. Legally, there is not a right or wrong way to use the information you collect, as long as how it will be used is clearly stated. What is important is that you accurately disclose how you are using the information. This applies to companies that are merchants. Those in financial institutions must comply with other rules and regulations handed down by the federal government.
Why is creating a privacy policy so vital?
I see privacy policies going the same route as the Federal CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act, which became effective January 1, 2004. The idea of the CAN-SPAM Act, which spells out penalties for spammers, originated in California. Other states began issuing similar laws, and dealing with these Internet laws that vary slightly from state to state was a nightmarish proposition for companies that conducted business on the Web. The Federal CAN-SPAM Act preempted all the state laws.
We are seeing a similar scenario with privacy policies. Right now, there are 22 states that have a breach-of-security law on their books, which essentially means that a company needs to inform customers if any information has been digitally stolen (i.e., first name, last name, credit card or Social Security number). Like the state spam laws that existed before the Federal CAN-SPAM, the state laws are not identical, which makes it extremely difficult to comply if you have a national business.
Will there be a future federal privacy-policy act?
If the CAN-SPAM Act is any indication of the wave of the future, you can bet that there will soon be a federal privacy-policy law. So it would be wise for companies doing business on the Web to start thinking about their privacy policies.
How can a business create a good privacy policy?
Many businesses confuse a privacy policy with a marketing piece. These are not the same thing, and there should not be any puffy language, such as ‘your privacy is important to us.’ Draft this policy to tell just the facts.
It is primarily read when lawyers are involved. Write it with that in mind — a lawyer or regulator will be reviewing it someday for accuracy. What is important for them to know is what information you are collecting and how the company intends to use it. You also need to think about whether you’d like this privacy policy to cover just privacy online or in other locations in your company, such as a storefront.
Which professionals should you consult when creating a privacy policy?
The business owner can draft a privacy policy, but it ought to be run through your attorney, technical personnel and key company leaders. It is not a document written in isolation but a partnership of many people in the company.
One caveat: once you write one, the Federal Trade Commission considers it binding, so you can be exposed to FTC legal action if you mislead your customers about what you do with their information. So make sure you run it by your attorney first.
Benita A. Kahn is a certified privacy professional and an attorney whose practice areas include privacy, telecommunications and energy law. She is a partner at Vorys, Sater, Seymour and Pease LLP, one of the largest law firms in the United States, with offices in Columbus, Akron, Cincinnati and Cleveland, Ohio, as well as in Alexandria, Va., and Washington, D.C. Reach Kahn at (614) 464-6487 or bakahn@vssp.com.