Davis & Gilbert LLP
Web Site Privacy Policy Statements Revisited


Mary M. Luria
Sofia S. Rahman



Now that the message has gotten out to the Internet community that Web sites should post privacy policies, thanks to the FTC, state attorneys general and some private party litigation (mostly against DoubleClick), site sponsors and their agencies need to take a thoughtful approach to preparing the proper policy for each site. There is no standard cookie-cutter form which fits all sites and, as the FTC enforcement action against GeoCities demonstrates, posting a policy which says one thing and doing something else with personally identifiable information can be a costly legal mistake and damage your name and reputation. Almost equally important is the point that privacy policies must be regularly reviewed and updated, partly because the site itself and its collection, storage and use methods are likely to change over time, but mostly because the law in this area is evolving so quickly, due both to pressure from privacy advocates on federal and state governments here in the U.S. and to the problems presented to the U.S. by the Common Market Privacy Directive.

Recent developments have driven several changes in how privacy policies are drafted, some of which are outlined below:

US/Common Market Safe Harbor (3/14/00).

Policies should address all aspects of privacy of personally identifiable information specified in the Safe Harbor:

1. notice of what is collected, by what entity, for what uses, to what third parties it is disclosed, and what choices the individual has for limiting collection, use and disclosure;

2. opt-out instructions as to use and further disclosure of information collected (or mandatory opt-in for sensitive information, such as medical/health information);

3. limiting disclosure to third parties which themselves comply with Safe Harbor principles;

4. providing information about the security arrangements in use to protect stored information (which, like every other statement in the policy, must describe what the site actually does);

5. instructions about how stored data can be checked to assure that the information is accurate;

6. instructions about how individuals can access stored data to correct or delete it; and

7. whether the site is certified by any of the privacy certification authorities, such as Truste or BBB.

U.S. Legal Developments (1999-2000)

New disclosures are now appearing on U.S. based sites to deal with recent challenges to existing privacy policies and practices. Even if you do not sell, rent or otherwise disclose personal information collected by the site to third parties in the ordinary course of business, the site should state in its privacy policy that certain third party agents (the site sponsor's ad agency, ISP et al.) and other third parties performing services for the site sponsor (technical auditors, developers, order fulfillment operations) may have access to the personally identifiable information in order to do their jobs, since even this may be considered a disclosure by the site sponsor to a third party.

After one recent dotcom bankruptcy disaster, where the trustee offered the failed site's database for sale by auction and ended up in a stand-off with the FTC, it has become clear that, if you want flexibility in selling your business assets, whether in bankruptcy or under happier circumstances, the site should specifically permit transfer of personal information databases to "successors in business and purchasers of site assets," or some similar words, in its privacy policy.

Privacy policies should not be buried in general legal rules and disclaimers, but should be clearly drafted and free-standing. The policy should be accessible by a privacy clickthrough button, preferably in red and separated from distracting surrounding site or page content. The clickthrough button probably does not need to be on every page, but it should be available at sign-on and again before any personally identifiable information is collected from the individual for the purpose of registering or placing an order (and preferably on every page of long information collection forms).

It is advisable to deal with collection of non-personally identifiable information in the site privacy policy. If cookies or similar devices are used to collect aggregate and anonymous information about site use patterns, give a clear explanation about how collection is done, what is collected, how it is stored, used and disclosed. The FTC continues to be very interested in "profiling" and whether this information may be matched with personally identifiable information from other offline and online sources to create a fully identified Web user or buyer database, a very valuable business tool but very threatening to Web users and their privacy advocates. This is what triggered the recent DoubleClick privacy litigation wave. A full description of profiling practices and how the user may detect and disable them or opt out is desirable on the site. If you use cookies, say so. Much to its chagrin, Truste itself was recently challenged for use of cookies on its own site although its defense was that a third party performing site-related services had implemented the cookies without Truste's knowledge and consent; this suggests that site sponsor contracts with third parties working on any site should deal explicitly with this issue.

Finally, explain to the user clearly how to have all personally identifiable information deleted. When contacted with such a deletion request, do it promptly. Specify your location and choice of law and jurisdiction. Obtain user consent to all site rules and privacy policies or, at least, state that site use constitutes consent. Reserve the right to change your policies and explain how the effective date of all such changes affects (or does not affect) previously collected information. If absolutely no information is collected by the site, given the current climate of suspicion among Web users, state this clearly. Just be sure it is and continues to be true if you make this statement and make it clear that the statement applies only to your site, not linked sites reached through page clicks or ad clicks.

Next time you ask your lawyer for a "boilerplate" privacy policy, do listen and give full business and technical details when the lawyer asks for a clear explanation of the site and its current practices. This is important! Policies that work must be custom or semi-custom in their drafting, and must reflect the site's practices in the real world of the Internet.

© 2000 Davis & Gilbert LLP