Do You Follow Your Own Privacy Policy?
There are dozens of federal statutes and regulations that govern consumer privacy. They regulate what data a company can collect and how it must protect that data once it has it. One of the best ways to mess up in e-commerce is not to follow your own guidelines. (As a side note, one of the best ways to mess up as an employer is not to follow your own employee handbook!)
The Federal Trade Commission, which enforces the law against unfair trade practices, can bring federal action against companies that do not comply with their stated privacy policies or that violate other consumer protection laws. As of 2015, the FTC has brought approximately 130 spam and spyware cases, 50 general privacy lawsuits, 60 cases alleging data security breaches, 30 cases for violating the Gramm-Leach-Bliley Act, which protects financial data, 20 cases for violation of children’s privacy under COPPA (see below), and 122 do-not-call cases.
Violation of your own stated policy can be a violation of Section 5 of the Federal Trade Commission Act. In North Carolina, an unfair trade practice allows a plaintiff to ask for triple damages and punitive damages.
Privacy law, as it relates to consumer protection, comes from multiple sources and varies based on the industry. Highly regulated industries, such as medical or financial firms, have significantly higher regulation and oversight of their information policies and practices. So do companies that might attract children to their website.
An online privacy policy is a statement that discloses the ways you gather, use, disclose and manage customer information gathered via your website. The privacy policy should be coordinated with general disclaimers or terms and conditions that explain what your website does or doesn’t do, and what remedies a customer has if there is a problem.
At a minimum, the privacy policy should state clearly:
• What information is collected;
• Whether personal information is stored separately by individual account or aggregated for statistical/analytical purposes;
• Whether it is kept confidential;
• What security measures are employed; and
• Whether it is shared with partners, or sold to other companies.
Before your website goes live, make sure your privacy policies adequately represent what your company does with the data, and that you are prepared to actually follow your policy. Your terms and conditions should be appropriate to your business, e-commerce activities and data collection.