In Part 1, which can be found here, we covered some basic privacy policy concepts.  Here in Part 2, we address three problems associated with privacy policies in practice.

1.    You Don’t Have One, But You Really Should 

There is no general federal or state law that requires a company to have a privacy policy in all circumstances.  But there are several laws that require one in some circumstances.  Not having a privacy policy when it is required by law is a potential compliance problem that can lead to liability.

Federal Law Privacy Policy Requirements:

The Children’s Online Privacy Protection Act (COPPA).  Commercial websites and online services (including mobile apps) that knowingly collect information about, or target children under age 13 must post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children

The Gramm-Leach-Bliley Act requires institutions “significantly engaged” in financial activities give “clear, conspicuous, and accurate statements” of their information-sharing practices.  This includes describing “what information the company collects about its consumers and customers, with whom it shares the information, and how it protects or safeguards the information.” The notice applies to the “nonpublic personal information” the company gathers and discloses about its consumers and customers.”

The Health Insurance Portability and Accountability Act (HIPAA) privacy rules requires notice in writing of the privacy practices of health care services, and this requirement also applies if the health service is electronic.

State Law Privacy Policy Requirements:

California:  Calif. Bus. & Prof. Code §§ 22575-22578

This ground-breaking California privacy policy law has been in effect since July 1, 2004. As described by the California Attorney General’s office, it requires “operators of commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with its policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information. The privacy policy must also provide information on the operator’s online tracking practices. An operator is in violation for failure to post a policy within 30 days of being notified of noncompliance, or if the operator either knowingly and willfully or negligently and materially fails to comply with the provisions of its policy.”

California expanded its Online Privacy Protection Act on January 1, 2014 in two respects.  First, the operator of a commercial web site or online service must now disclose in its privacy policy how it responds to a web browser ‘Do Not Track’ signal or similar mechanisms providing consumers (theoretically, at least) with the ability to exercise choice about online tracking of their personal information across sites or services and over time.  Second, it also requires the operator to disclose whether third parties are or may be conducting such tracking on the operator’s site or service.

The California privacy policy law arguably could be considered a de-facto national privacy policy law, as it says it applies to any commercial web site or online service in the country, so long as they collect personal information on California residents.

In 2012, the State of California brought its first enforcement action under CalOPPA when it sued Delta Airlines.  The action alleged that Delta’s mobile app “Fly Delta” collected PII from California residents who downloaded it, but that the app did not provide a privacy policy.  The State sought statutory penalties of $2,500.00 for each time the allegedly non-compliant mobile app was downloaded by a California resident.  However, that case was dismissed with prejudice in 2013, apparently on federal preemption grounds.

Connecticut:  Conn. Gen. Stat. § 42-471

Connecticut requires any person who collects Social Security numbers in the course of business to create a privacy protection policy.  The policy must be ”publicly displayed” by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

2.    You  Have a Privacy Policy, But You Don’t Follow It 

Forgetting to provide a mandated privacy policy is risky business.  Having a published privacy policy and not following it can bring a whole different set of headaches, including possible claims of deceptive or unfair trade practice.

In the last few years, the Federal Trade Commission (FTC) and, more recently, the Federal Communications Commission (FCC) have brought enforcement actions that resulted in significant settlement terms, and in the case of the FCC, a multi-million dollar fine against companies that violated their own privacy policies.

In a February 26, 2015 public statement, FTC Director Jessica Rich explained how the FTC uses its enforcement power with regard to privacy policy failings:

If a company makes materially misleading statements or omissions about privacy or data security that are likely to mislead reasonable consumers, such statements or omissions are deceptive. The FTC has used this authority, for example, to challenge false and misleading claims about how companies use and share consumer data; whether they track consumers’ movements online; whether they are honoring consumers’ opt-outs; and whether they are delivering on promises to secure consumers’ financial and health data.

In the last several years the FTC has brought several Section 5 (deceptive and/or unfair trade practice) actions for various reasons including making allegedly misleading statements in privacy policies.  This includes actions against Snapchat, GMR Transcription Services, Credit Karma and TRENDnet. To resolve these FTC actions, the offending company typically must sign a consent order which requires it to:

• Establish comprehensive security programs designed to address security risks during the development of their products, programs or applications,
• Undergo independent security assessments every other year for the next 20 years, and
• Make no additional misrepresentations about the level of privacy or security of their products and services.

Then, for the next 20 years, the company risks a contempt of court finding, or worse, if it fails to strictly comply with the terms of the consent order.

In October 2014, the FCC announced a $10 million fine against to two telecommunications companies that failed to provide adequate protection for the personal data of up to 305,000 consumers, thus exposing them to potential identity theft and fraud.  In announcing the fine, the FCC made special mention of the privacy policy violation:

In their privacy policies, the two companies stated that they had in place ‘technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.’  Yet, from September 2012 through April 2013, the sensitive documents they collected from consumers were apparently stored in a format accessible via the Internet and readable by anyone.

3.    You Have a Privacy Policy, But Most People Can’t Understand It

Here’s a common disconnect:  a company wants to be transparent about its privacy practices, but its privacy policy language is so long, complex and granular in detail that it requires a post-graduate reading level to understand it.  How does that happen?  Sometimes privacy policies also unnecessarily include Terms and Conditions of Use, or even license agreements.  Sometimes form takes priority over substance.   To be more transparent and less opaque, a privacy policy should be written in clear and concise language that average consumers will understand.  In practice, that seems to be easier said than done.

Complaints about the readability of privacy policies are not new.  In its December 2010 Preliminary Staff Report, “Protecting Consumer Privacy in an Era of Rapid Change,” the FTC found that most corporate privacy policies are “incomprehensible,” and that “consumers typically do not read, let alone understand” these privacy statements. The FTC noted that, in general, “privacy policies do a poor job of informing consumers about companies’ data practices or disclosing changes to their practices.” Even companies that have thorough privacy disclosures were criticized by the FTC as having policies that are “opaque” and “too long and too difficult to navigate.”  The FTC issued the final version of that report in March 2012, and included a series of recommendations for businesses and policymakers.

A recently-published whitepaper,”Privacy Policies:  How to Communicate Effectively with Consumers” addressed the reading comprehension level needed to understand the privacy policies of Fortune 500 corporations.  The average U.S. adult reads at an 8^th grade reading level. The clear majority of Fortune 500 privacy policies in the study require a reading comprehension level beyond that of the average U.S. adult.  Remarkably, 82% of those privacy policies required a college-level reading level.

In terms of length, the whitepaper noted another rather remarkable disconnect:

Most of the privacy policies [in the study] would require the average reader more than seven minutes to read….Taking into consideration that average amount of time a person spends on a website is 42 seconds, consumers are unlikely to spend seven minutes reading a privacy policy.  

This is particularly true on mobile devices with their smaller screens and fonts.  The California Attorney General’s office has suggestions for improving the readability of privacy policies in a May 2014 pamphlet, “Making Your Privacy Practices Public”.

What Are The Take-Aways? 

Privacy policies are becoming more important legal documents and potential sources of exposure for companies in the Big/Data/Breach era.  In order to maximize their benefits and minimize their risks, companies should consider the following when it comes to its privacy policy:

• The privacy policy must accurately reflect the company’s actual privacy practices, and as the company’s privacy practices evolve, so must its privacy policy.  In other words, “say what you do, and do what you say”.
• It should be should be written in clear and concise language that average consumers will understand.
• It should be regularly reviewed to make sure it complies with statutory and other requirements.
• Because of the evolving legal issues involved, a company should consider engaging counsel experienced in this area to assist in creating and updating its privacy policy.