Avoid Liability for Privacy Violations

As the debate over privacy protection legislation rages in Congress, many online marketers are unaware that they already face potentially crippling liability from failure to adhere to express privacy policies, existing state privacy rules and Federal Trade Commission privacy protection requirements.

With consumer and regulatory hysteria growing daily, it is certain that the dangers inherent in online data trading will continue to grow for the foreseeable future. The question then, given the hodgepodge of state laws and the potential effect of the passage of federal privacy legislation (which may pre-empt the states'), is what can a company that collects personally identifiable data do to protect itself?

The answer is surprisingly simple. It can craft a comprehensive privacy policy that provides flexibility while meeting the basic requirements of the various state laws and self-regulatory schemes created by the technology industry in concert with the FTC.

If a company collects any data from its customers, it should consider itself at risk. It can, however, easily minimize such risk by instituting and adhering to a privacy policy that includes certain minimum requirements.

· A privacy policy should be easily located through a clearly marked link. The link should be on the home page and, if feasible, every other regularly accessed page on a site. The policy should be written in clear language. It should contain the name of the company, the company's address and phone and e-mail information for contact purposes.

· A privacy policy must describe what personally identifiable information (such as name, street address, e-mail address, phone number) and anonymous information (such as site usage) is collected on the site. It must disclose whether the site uses cookies or other software tools to collect data. It must also state how the information will be used (for internal use only, to market to potential advertisers, etc.) and declare whether it will be shared with third parties. If a company says it does not share with outside parties, it must be prepared to face difficulties if it later changes that aspect of its policy. In that respect, a company is probably better off reserving the right to sell its customer database without customer permission.

· If a site is directed to children younger than 13, the Child Online Privacy Protection Act of 1999 prohibits the marketer from collecting personal data without the express written permission of the parents. Because of the difficulties inherent in obtaining verifiable permission, some top Internet companies have halted all data collection from young children because they have found compliance with COPPA to be overly difficult and extremely costly.

· Every existing set of self-regulatory principles (including FTC suggestions and the self-regulatory principles recently issued by the Interactive Advertising Bureau) requires that online marketers give their customers the choice of whether their information can be used.

This principle is also included in many state laws and almost certainly will be part of any federal legislation. To comply, a company must give consumers the ability to opt out of data sharing. For those companies that wish to be more conservative, consideration can be given to allowing consumers to opt in where data will be shared with third parties. Whether it's opt out or opt in, the procedure should be simple and easily accessible, and consumers should be able to opt out at any time.

The bottom line is, regardless of whether the marketplace hysteria over consumer privacy is based upon perception or reality, a company can take simple steps to avoid most of the risks involved in collecting data from consumers. Federal legislation may be inevitable, and once enacted is certain to be enforced with vigor. Those companies that have not adopted privacy policies may find themselves on the receiving end of that enforcement.
