Privacy Policies: A Trap for the Unwary
Because of the growing number of privacy complaints from consumers, law enforcement officials and legislators are striving to enhance privacy protection. Legislatures in other countries, such as European Union members, have passed sweeping privacy requirements. In the United States, formal privacy laws generally have been limited to areas of enhanced vulnerability, such as children under 13 (COPPA), financial data (Gramm-Leach-Bliley) and health-related information (HIPAA).
However, a surprising number of privacy policies share a serious and often costly flaw: They are simply and unintentionally wrong. Rather than being an accurate description of the information flow through the company, they paint an overly rosy picture of minimal collection and even less disclosure, either because the writer doesn't know what the company's true practice is or because the policy is based on language cut and pasted from another Web site.
Consider a statement that many direct marketers make in their privacy policies: "We will not share your information with any third parties." What about the hosting company on whose computers the site is run? What about the delivery company bringing the purchase to the consumer's door? Doesn't it get the consumer's home address from the marketer? What about the credit card processing firm arranging payment?
Even if violations do not result in fines, the bad press can prove costly. Companies from Victoria's Secret to JetBlue have gotten scathing attention in the media for privacy breaches. Even rumored breaches can be costly. In 1996, Lexis/Nexis was falsely rumored to be revealing Social Security numbers and mothers' maiden names in one of its databases. The furor cost Lexis/Nexis heavily in customer service and damage control and prompted Congress to discuss legislation strengthening privacy rules.