Posted by: Nick Leiber on August 12, 2009
This is a post by guest blogger Jonathan I. Ezor.
One of the biggest concerns among visitors to Web sites is how their personal information is going to be used. This isn’t a new development; back in March of 2000, BusinessWeek did a cover story on Internet privacy, including a survey showing that the vast majority of users were either very or somewhat concerned about how their information would be used. The same cover story discussed how best to inform and reassure users. (You can see other such surveys, dating back to 1997, here.)
Unfortunately, while the number of businesses with Web sites has continued to expand, as has the sites’ sophistication, the level of disclosure of data practices has not significantly improved. True, most Web sites (especially business ones) have posted “privacy policies,” but too many simply copy language they’ve found on other Web sites. The problem? The borrowed language may describe the practices of the other site, but may not be correct for the new site using the policy. And when it comes to privacy policies, inaccuracy can be expensive.
How do well-meaning companies get themselves into trouble with their privacy policies? Among the biggest problems is a statement such as, “We will not share your information with any third party.” Very reassuring; almost certainly false. When it comes to the Web, there are numerous legitimate third parties with whom the site owner must share user information just to operate the site: the site’s hosting company, the user’s own ISP (to whom the Web pages are transmitted on their way to the user), the courier delivering any purchases, the banks clearing credit card payments, etc.
Another problematic statement: “We collect your information through the form you complete on the site.” This may be true, but the site owner will likely also be collecting personal information about the user from text messages, e-mails, faxes, telephone calls, postal mail or other communications with the user, as well as from outside sources (credit card processors, database vendors, etc.). Further, though there is not (yet) a federal law requiring all Web sites to have privacy policies, states such as California have rules about policies and what needs to be included in them. (California’s Civil Code Section 1798.83, which mandates certain language and procedures for privacy policies, can be found on this page.)
There are also organizations like TRUSTe and P3PWiz that offer templates and consulting to help with policies. You may find some good information from the International Association of Privacy Professionals (IAPP). Finally, if your site collects information from children, includes health or financial data, or you have operations in other countries, there may be additional laws with which you must comply. For those, asking a competent lawyer is definitely a good idea.
Jonathan I. Ezor is the director of the Touro Law Center Institute for Business, Law and Technology, and an assistant professor of law and technology. He also serves as special counsel to The Lustigman Firm, a marketing and advertising law firm based in Manhattan. A technology attorney for more than 15 years, Ezor has represented advertising agencies, software developers, banks, retailers, and Internet service providers, and has been in-house counsel to an online retailer, an Internet-based document printing firm, and a multinational Web and software development company.