A privacy policy is a legal document, an enforceable contract, that tells visitors to your website how your business will collect, use and safeguard any personal information you obtain from them. If you have a detailed Privacy Policy that spells out exactly how you collect and use PII, but you violate your own Policy, you can subject yourself to legal liability to the visitors who relied on the Privacy Policy terms you said you would follow. It is a two-way street: the customer is “agreeing” to provide PII under the terms you say you will be using it for, but if you misuse data or otherwise don’t uphold your end of the bargain, you can be taken to court as well.
The FTC first hoisted the privacy flag over e-commerce in 1995 with its Fair Information Practice Principles, in which, in a nutshell, the FTC said that people need to be aware of what information is being collected about them, and what is being done with it. Breaking this down further, Aaron Kelly Arizona Lawyer says we can develop a framework for what the FTC looks at in terms of privacy…and thus what your Privacy Policy might want to address, which are:
1) That consumers be given notice of the site’s information practices;
2) That consumers be given the choice as to how their personal information is used, including the choice to opt out of third-party distribution of the information collected from or about them;
3) That consumers be given reasonable access to information that the site has collected about them and that the company has stored;
4) That the appropriate steps are taken to ensure the security and integrity of any information collected from consumers;
5) That there is a mechanism in place to enforce these principles of privacy protection and means of redress for injured parties.
6) A company’s privacy policy should be easy to find, read and understand and should clearly state what information is being collected; how the information is being used; whether the information will be distributed to third parties; what the individual’s choices are regarding data collection; a statement of the organization’s commitment to data security; and the steps that will be taken to ensure data quality and access.
While there are laws dealing with privacy policies, Aaron Kelly, Attorney, says there’s nothing specific that says to website owners, “Post a privacy policy or go to jail!” Because there is no official law requiring such detail (at least, not in the U.S.), a website owner may be tempted to ignore these concepts entirely, but that is a potentially risky move. There is still Section 5 of the 1914 Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices.” Several companies have been investigated and fined under a wide-reaching interpretation that their failure to abide by their privacy policies and properly protect sensitive consumer PII constitutes an “unfair business practice”. The legal theory behind the fines is that these companies have been entrusted with certain information (often due to their own Privacy Policy, which promises that a visitor’s PII will be treated with care) and that by allowing the information to fall into the wrong person’s hands, they have breached the duty they were trusted with, even when they did not purposely reveal the data and it was accessed by outside hackers.
Before we get to the potential stick, let’s dangle the carrot. Isn’t posting a privacy policy just plain good business sense? In the online world, where the lines between what is real and what is not are blurred, there is always a slight apprehension on the part of the consumer as to whether what is being communicated to them is true. To overcome this, you have to instill trust in your customers and with that trust comes loyalty to your “brand”, even if you’re just the middleman in an e-commerce transaction. Just how do you do this, you may be asking? It’s simple… be transparent.