What to Include When Writing a Privacy Policy

By Milton L. Petersen, published on June 13, 2011, in Business in Savannah.

As we move to an ever-more-interconnected world, the privacy and confidentiality of personal information is becoming increasingly important and harder to control.

There are various different laws and regulations that require companies to maintain privacy policies and to make them available to their customers. For example, HIPAA requires health care providers and health plans to maintain notices of privacy practices and make them available to their patients or members. The Gramm-Leach-Bliley Act requires financial institutions to develop privacy policies and share them with their customers. Most Web sites have privacy policies, and the Federal Trade Commission has authority to bring actions to enforce those policies.

We’ve all received copies of countless privacy policies (many of which doubtlessly are never read), and many business owners have been involved in developing them. However, what should a consumer look for, and what should a business include, in a sound privacy policy?

The widely accepted concepts that are commonly used as the model for creating privacy policies, both in the United States and internationally, are known as the “Fair Information Practice Principles.” Initially proposed in a U.S. advisory committee report in 1973, these guidelines have since served as the foundation for many privacy laws and regulations and as the basis of fair and adequate privacy policies.

The first core principle of the Fair Information Practice Principles is that of notice and awareness. In a well-written privacy policy, this means clearly identifying the entity collecting information, what data are being collected, how collected information will be used, and with whom collected information will be shared. Each of these issues should be succinctly, and accurately, addressed.

For example, a Web site privacy policy should describe the specific information collected (i.e., the particular data fields, such as name, address, telephone number, etc.) and the different ways that information is being collected (whether through forms, submission of orders, interactions with or among customers, tracking cookies, etc.).

Visitors to a Web site should also be informed of the specific ways in which collected information will be used (e.g., to fulfill submitted orders, to respond to requests for information, etc.) and with whom that information will be shared (e.g., to suppliers and subcontractors in fulfilling submitted orders or responding to requests for information, or to marketers and other unrelated third parties).

The next core principle of the Fair Information Practice Principles is that of choice and consent. A good privacy policy should inform the consumer of the options regarding how information about him or her is used (especially uses beyond the one for which the information was provided, such as fulfilling a submitted order). This often means giving the consumer the option to “opt in” or “opt out” of additional uses of information. Regardless of the particular choices given to the consumer, those choices, and how the consumer may exercise them, need to be clearly explained.

Access and participation is the next core principle of the Fair Information Practice Principles. This means providing consumers with the right to access, verify, and correct or update information collected about them. Obviously, the extent to which this right will need to be accommodated will depend upon how long, and for what purposes, personal information is maintained.

The core principle of integrity and security translates into explaining to consumers how information about them is protected and the different types of security measures used to protect that information. Consumers are entitled to reassurance that information about them will be properly protected.

Enforcement and redress forms the last of the core principles of the Fair Information Practice Principles. A privacy policy should identify a specific person or office that concerned consumers may contact with questions about the privacy policy or how information about them is used. From a consumer’s point of view, it is much more reassuring to be provided with the name and telephone number of a privacy officer who may be contacted, rather than just an impersonal, generic email address.

In the United States, any number of different governmental or regulatory authorities could possibly be involved in enforcement actions regarding privacy policies, depending upon the particular industry and type of privacy policy. In any event, a business posting or distributing a privacy policy needs to make sure that the policy accurately and adequately reflects its actual privacy practices.
____________
Milton L. Petersen is a partner with HunterMaclean’s Information Technology Practice Group. He can be reached at 912-236-0261 or mpetersen@huntermaclean.com.