Does your organization need a privacy policy?

It is a widely held belief that every organization’s website needs a corresponding privacy policy. However, this is not the case. Whether you need an online privacy policy depends on what your organization does, where it does it, and your contractual obligations.

According to Professor Ari Ezra Waldman, “Privacy policies have been around since the 1990s. It was then that widespread internet use created popular concerns about privacy and led to several privacy-related litigations … Privacy policies have since become ubiquitous, developing first as industry’s way to stave off regulation.”

However, most of the excitement surrounding privacy policies was generated by the EU’s GDPR (General Data Protection Regulation), which came into force in May 2018. Article 12 of the Regulation requires organizations “to provide any information … relating to processing [of] the data subject.” Recital 60 makes clear that this information shall “give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing.” As a result, any organization under the jurisdiction of the GDPR must outline all details of data processing, generally in the form of a privacy policy or other statement published online.

But what if you are an American organization not subject to the GDPR? Then whether you need a privacy policy depends on what you do, where you do it, and whether you’ve contractually agreed to any privacy obligations.

First, what do you do? Are your customers children? Are you in or affiliated with the health care business? Are you in any form of finance? If you deal with any types of “sensitive” information or special categories of personal data, certain specific laws may require you to outline details of processing related to this sensitive data.

Second, where do you do business? Certain states have enhanced their privacy laws to require that businesses operating under their jurisdiction meet specific privacy and cybersecurity standards. If you do business in, or target citizens of, California, Connecticut, Delaware, Michigan, or Nevada, you may be subject to certain laws that require you to outline details of data processing.

Finally, you may have contractual obligations requiring a published privacy policy. For example, many third-party data dealers and other “data processors” have flow-down language in their vendor contracts requiring partners to publish privacy information. Google Analytics terms of service, like many others, require its customers to post a privacy policy on their own site that “must provide notice of Your use of cookies that are used to collect data.” You should check your existing contracts to see if you need a privacy policy in addition to local regulatory requirements.

But what if you don’t deal with sensitive data, your local laws don’t require it, or you are not contractually obliged? Do you still need a privacy policy?

Chances are you might not need a privacy policy after all. Why, then, are so many organizations scrambling to draft them? This is most likely because they feel that they should. In other words, even if Company A does not actually need to publish a privacy policy, it may do so anyway because Company B has published a privacy policy, and Company A does not want to look inadequate in comparison. The idea is that if everyone has one, I should too!

However, publishing a policy can subject you to increased scrutiny. Many organizations that create privacy policies don’t want to fulfill their promises, can’t fulfill their promises, or are unaware of what they promised.

For the past decade, the FTC (Federal Trade Commission) has used its power to prevent unfair or deceptive trade to fine organizations such as LifeLock, Twitter, Facebook, Google, Wyndham Hotels, Fandango, Credit Karma, and Uber, usually for not doing what their published privacy policies promised.

Part of the problem is that many existing privacy policies are too long and too complicated. For example, Twitter’s privacy policy is more than 3,000 words long, and Facebook’s is more than 4,000. This length and complexity are an open invitation for regulatory fines. The European Commission’s Head of Consumer Affairs, Vera Jourova, warned Facebook that she was “running out of patience” and that the social media giant needs to make additional changes to its terms of service to bring them into line with the GDPR.

U.S. firms may not need to worry about EU regulators, but they should be concerned about the FTC. All 50 states have UDAP (Unfair and Deceptive Acts and Practices) statutes, which are enforced by state attorneys general, and some have serious teeth (many have mandatory treble damages). In the past 15 years, a core group of states – California, Connecticut, Illinois, Indiana, Maryland, Massachusetts, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Texas, Vermont, and Washington – have taken the lead on UDAP enforcement. Recently, all 50 states prosecuted Uber under UDAP statutes, and collectively obtained a $148 million settlement against the organization.

So before you go online and pick out a generic privacy policy, think long and hard about what you do, where you do it, and what you can reasonably promise. This applies to cybersecurity promises as much as to privacy promises. Unless you have a robust cybersecurity risk management framework in place, it is probably not a good idea to promise cybersecurity in your privacy policy.

Below is a list of some (but perhaps not all) of the laws that you should consider when drafting a privacy policy:

  • COPPA 15 U.S.C. §§ 6501-6506 (2012) (protecting information websites gather from children)
    • Requires operators of websites and online services to provide notice of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information
  • Family Educational Rights and Privacy Act of 1974, 20 U.S.C. §§ 1221, 1232g (2012) (school records)
  • GLBA 15 U.S.C. § 6803 (2012); 12 CFR 332.9 (delivering privacy and opt-out notices)
  • HIPAA 42 U.S.C. § 300gg (2012), 29 U.S.C. § 1181 (2012), and 42 U.S.C. § 1320d (2012); 45 CFR 164.520 (notice of privacy practices for protected health information)
  • Privacy Act of 1974, 5 U.S.C. § 552a (2012) (covers only personal information maintained by federal government)
  • Right to Financial Privacy Act of 1978, U.S.C. §§ 3401-3422 (2012) (bank records)
  • Cable Communications Policy Act of 1984, 47 U.S.C. § 551 (2012)
    • A cable operator shall provide notice in the form of a separate, written statement to subscribers that informs the subscriber of the nature of personally identifiable information collected (e.g. television viewing habits)
  • The Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2522, 2701-2709 (2012) (protection against federal surveillance and electronic searches)
  • The Americans with Disabilities Act, 42 U.S.C. § 12115
    • Requires an employer to post written notices in an accessible format to employees
  • E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899 (regulating federal agencies that gather and store personal data)
  • Florida Statutes §501.171 (covers breaches)
    • Its protection clause requires businesses to take “reasonable measures to protect and secure data”
  • California Business and Professions Code (CalOPPA) §§ 22575-22579
    • Requires operators of commercial websites or online services to disclose in their privacy policy how they respond to a web browser
  • California Ed. Code § 99122
    • Requires private non-profit or for-profit post-secondary educational institutions to post a social media privacy policy on the institution’s website
  • Connecticut CONN. GEN. STAT. ANN. § 42-471(b)
    • Requires any person or entity that collects Social Security numbers in the course of business to have a “publicly displayed” policy on a web page that must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers
  • Delaware’s Online Privacy and Protection Act. DEL. CODE ANN. § 1201 (2000)
    • Requires operators of commercial websites and other providers to make their privacy policies conspicuously available on their website
  • Michigan MICH. COMP. LAWS § 445.84(1) (2005)
    • An organization that obtains one or more Social Security numbers in the ordinary course of business shall create a privacy policy
  • Nevada S.B. 538
    • Requires certain operators of websites or online services that collect certain information from state residents to provide notice of certain provisions relating to the privacy of the information
  • Unfair & Deceptive Acts & Practices (UDAP)
    • All states have a consumer protection law that prohibits deceptive practices. Some have rights of private action and some allow for treble damages. These statutes can and have been used to punish organizations for failing to fulfill promises on their website privacy policies. However, almost all of them have exemptions and some have been seriously weakened by courts
  • State governments in 17 states require state government websites or state government portals to establish privacy policies and procedures, or to incorporate machine-readable privacy policies into their websites

Register for our upcoming webinar

Join us on Tuesday, March 19, 2019, 1:00 p.m. – 2:00 p.m. (EDT) for our free webinar, “How will my organization be penalized if it fails to adhere to the CCPA?”

Affecting organizations both in and out of California, the California Consumer Privacy Act (CCPA) could potentially incur millions in legal costs to your organization if you collect and process the personal data of California residents.

This webinar will cover:

  • Penalties for breach of the CCPA
  • Penalties for loss of records in a breach
  • Breach notifications
  • The use of ISO 27001, ISO 27002, ISO 22301, and ISO 27035
  • The benefits of an ISO 27001 framework vs. SOC 2 concepts
