Many businesses find this out the hard way. In general, privacy policies are intended to tell customers about the kinds of personal information collected about them, and regulators routinely admonish companies for collecting information beyond what they promise, for failing to adequately protect customer data from hackers, or for engaging in unfair business practices. Google (GOOG), Facebook (FB), and Myspace have been among the Federal Trade Commission’s highest-profile targets; all three settled the FTC accusations either by paying fines or agreeing to beef up their privacy practices and undergo independent privacy audits for 20 years.
An online retailer, for example, may retain a customer’s name, home address, and credit-card information; technical details like IP address, the type of browser used, and login data; and shopping and browsing history including Web pages viewed and products purchased. Some of that data probably gets shared—with third-party ad companies, data analytics providers, e-mail marketers, payment processors, and even, potentially, law enforcement.
The laws governing privacy are inconsistent. Some individual industries like health care and financial services are subject to federal law. So are businesses that cater to children under age 13, such as Nick.com, the website of Nickelodeon (VIA). In California, for example, all online companies doing business with residents must post privacy policies on their websites.
In effect, virtually every company of a certain size falls under some requirement. Even those that aren’t required to have a policy tend to create one to build trust with customers and help protect against lawsuits. Laws for online and offline businesses are largely the same. The primary difference is offline companies tend to collect less data. When they do it, you’re usually aware of it. Imagine giving your IP address—or, for that matter, your broad window-shopping history—to your local Foot Locker (FL).
Companies make several common mistakes with their privacy policies, says James Snell, co-chair of the privacy and security group at the Bingham McCutchen law firm. Startups, in particular, often make grandiose statements: “We’re never going to use your information,” for example. Down the line, they change their minds.
“I really counsel business to take a life-cycle approach—not what you’re doing today, but what you think you might be doing five or 10 years from now,” Snell says. A company’s marketing team, for example, may eventually want to use individual shopping histories to offer customers ads or discounts for products they’ve looked at in the past.
Another mistake: making promises that are impossible to keep. Companies may boast of having such tight security that no hacker will ever steal customer information. In fact, Snell says, in this day and age, no computer system is completely safe. Companies should instead say they take reasonable steps to secure data, and leave it at that, Snell says.
Then there are the companies that simply cut and paste privacy policies from competitors, maybe changing a few words to avoid copyright infringement. Bad idea, says Snell. Technology inevitably varies between companies, which would make borrowed policies wrong more often than not.
With the increased adoption of mobile devices, the debate over privacy has intensified. Phones and tablets can precisely and persistently track a user’s location, which raises extra privacy concerns. Mobile app developers must follow the usual set of laws in terms of privacy. But the nascent industry is rife with companies that fail to comply, according to regulators.
Between rule violations, bad press, and customer concerns, privacy policies often come under fire. In general, they’re far too complicated, says Jeff Chester, executive director at the Center for Digital Democracy, a digital rights group that advocates tougher privacy laws. This may be strategic, he says: Companies are deliberately vague about how much information they collect and what they do with it.
To get started, Diane Honda, Barracuda’s general counsel, used the service herself so she could understand the privacy implications. Once up to speed, she interviewed the lead engineer and product manager about the kinds of customer data collected, how it would be used, and how the product may evolve in the future. She also read the privacy policies of competitors and other technology companies she respected, like Apple. All the while, she created a checklist of what customers expected and what the law required.
Honda says she went through several drafts. Near the end of the process, she had colleagues from sales, marketing, and an administrative assistant review the policy to make sure it was readable. “They’re the average users,” she says. A description of why data is shared with third parties raised concerns as being overly broad. In response, Honda specified in the policy that there was “no other use” for the data besides marketing or providing and enhancing the product.
That doesn’t mean users will stumble across a clever turn of phrase, Honda says. It’s not intended to be poetry. “Philosophically, I just wanted people who read it to understand,” she says.