Are your privacy policies setting traps for your own company?
Consider a company that wanted to send promotional or advertising emails to customers who had registered on its website. On the surface, this shouldn’t be a problem: A business firm can normally send advertising to its customers. But on close inspection, that company’s website privacy policy stated, “We will use information you provide only for the purpose for which you provide it.” By sending email messages to customers who had registered for a different reason, the company was violating that promise.
The company was trapped by its own privacy policy. This isn’t uncommon. Too often privacy policies are written too broadly, or with too little consultation with your technical staff or consultants (as to what information you actually collect and what you do with it) or with your marketing staff (as to how you may want to use the information you collect).
Companies that are required to have website privacy polices — for example, those that fall under the realm of the California Online Privacy Protection Act or the Children’s Online Privacy Protection Act — should take special care in drafting, vetting, and revising website terms and privacy policies. Here are a few important warnings:
- Don’t just copy another company’s policy, assuming it to be a “standard” plain-vanilla policy. You need to tailor your terms and policies to your particular business needs.
- When you adopt legal fine print on your website, think about the warnings you hear on police TV shows: “Anything you say can and will be used against you.” Any assurance, promise, or prediction that you make in your website terms or privacy policy may well be scrutinized — and used against you — by class action lawyers. They prey on apparent divergences between promises made and practices followed.
- Avoid overbroad promises. For example, the word “never” should never be lightly placed in your privacy policy. With our rapidly changing technology, many companies are finding new and useful uses for information collected from their websites, emails and other electronic means of engaging customers.
- Find out what you actually do with customer information before promising that you won’t do something. You may have every intent not to save or use user information, for example, but don’t promise that you won’t collect it without finding out, from your technical people, what if any information is actually collected by your software and systems.
- Describe your polices as simply and clearly as you can, while maintaining accuracy. The Federal Trade Commission and other agencies, including the California Attorney General’s office, have recently focused on keeping online legal disclosures as clear and simple as possible. In some cases, as a sample financial privacy disclosure form shows, information may be most clearly presented in Q&A or tabular formats. The FTC even adopts that format for its own privacy policy.
If you haven’t thought twice about the privacy policy living at the bottom of your page, now is the time to revisit that fine print, update it, and ensure that language is in line with your current — and future — business goals.
Mark Sableman is a partner in Thompson Coburn’s Intellectual Property group. He is the editorial director of Internet Law Twists & Turns. You can find Mark on Twitter, and reach him at (314) 552-6103 or msableman@thompsoncoburn.com.