Wednesday, June 23, 2004

Privacy and misinformation....

I have been trying to learn my way around blogs. In searching for other privacy-related blogs I have seen many blogs that don't know what they are talking about. Too many were talking about the new California legislation that requires websites to have privacy policies if they collect any personal information from California residents.

There were many complaints about how this law has California reaching outside of its borders. While I am not a fan of local and state Internet-related laws, until Capitol Hill begins to move on issues like these, states may feel they have to act to protect their own residents.

California isn't reaching outside of its borders. It is regulating others that reach within its borders. State consumer laws have always regulated sales to their residents, from any location. Catalogue sales, phone sales and mail-order sales are models of how this has always worked. This new law is no different.

And, frankly, it's a good idea in any event.

Unless the site is part of a regulated industry (I call them Kids, Cash and Kidneys: children's, financial and health privacy issues), no privacy policy is required in most cases in the United States.

Efforts to require them have, largely, failed.

Microsoft and IBM, among others, announced many years ago that they would not advertise at any site without a privacy policy. It's plain good business, and it makes good sense. It's also respectful of the website users.

There's no magic to a privacy policy at a website. (The problems come, not from drafting one, but from understanding your data collection practices.)

Tell people what you are collecting and how.
Tell them how it is being used. (Shared? If so, with whom?)
Can they access it to confirm its accuracy or to see what the site already has? (Most sites don't have mechanisms for this.)
Do they have a choice (other than by electing not to use the site)?
What's the choice?

Think about any spyware or tracking technologies. Think about banner ads or other third-party marketing and data collection that might be occurring at the site. If you have e-commerce, are you using outside vendors to ship, or are fulfillment operations outsourced?

It's that simple.

Whether you are collecting information from California residents or from those in Outer OshKosh, you owe your site visitors this simple courtesy. Note, though, that you have now exposed yourself to liability that you might not otherwise have, especially if you're not part of the privacy-regulated industries. The Federal Trade Act gives the FTC authority over any misrepresentation (essentially consumer fraud), and if you have a privacy policy and don't follow it, it's a fraud on your users. So, craft one and make sure it's accurate and you follow it. Otherwise the FTC will come knocking.

A few simple tricks can also make sure that you are better protected when the unthinkable or unexpected happens. What if the company is sold? Or merged into another? Or, unhappily, if the company goes belly-up and assets are sold in bankruptcy? What about your promise never to share this information or transfer this information to others? In each case, these are "others."

In the privacy policy, let them know that the data will move with any merger, sale of the business unit or assets associated with the website and, in the unlikely event of a bankruptcy, may be transferred by court order or operation of law, notwithstanding your statements to the contrary.

Parry Aftab is interested in hearing ideas and questions about digital safety, privacy and cybersense. Please do not advertise or promote services or products or include a link, video or image in your comment.

Now for the boring legal stuff:
We reserve the right to delete and/or moderate any comments at any time.
Note that Parry Aftab does not respond to legal questions and cannot address specific issues about reported abuse. She cannot be retained as legal counsel online, and any prospective client must sign a retainer agreement before becoming a legal client of Ms. Aftab. Any legal discussions are educational and informational only and anything submitted may be made public on this blog.

Ms. Aftab reserves the right to report any abuse, threats or harassment to the requisite authorities.