Taking the Fear out of Privacy Policies

Since I’m writing this article the day after Halloween, it seems appropriate to discuss a topic that much of the industry considers very scary: your inhouse privacy policies.

Be it your own written Do-Not-Call policy or your company’s internal policies regarding the collection and dissemination of customer information, documenting and managing these policies can send a chill down your spine that would rival anything Hollywood can produce. And yet, as we all know, we have nothing to fear from Michael Myers or Freddie Krueger. Likewise, we should not fear the creation and implementation of these policies for two primary reasons: They are mandated by law and, as such, we have to live with them every day; and, the law does not dictate what they must say but rather allows companies to develop their own internal programs that work within their existing business structure.

Federal Law

On this I’ll be brief, because the topic has been discussed at length in these pages over the past several years. But for those of you who have never heard of the TCPA or the TSR, here is the quick and easy guide to the law. The TCPA prohibits initiating telephone calls for the purpose of transmitting an unsolicited advertisement about the commercial availability of goods or services, unless you have in place an internal program for tracking the requests of consumers who do not wish to receive further calls from your company.

All such requests are to be maintained in a do-not-call list, and those individuals are not to be called again by your company or any affiliate where it is reasonable to assume that the request should apply to the affiliate as well. Similarly, the TSR prohibits calls made to consumers who have previously requested that they not be called again.

Of particular note, however, is the provision of the TCPA that requires each company making telephonic solicitations to have a written DNC policy available upon demand. The policy should spell out your internal mechanisms for logging DNC requests and how they are processed to ensure that consumers making such a request are not called again. These policies must be communicated to your employees making calls, and they must be trained in how to handle a DNC request. It has been held that this written policy must be made available to consumers, even if the company has not made a call to the consumer.

Additionally, some firms, by virtue of the products they sell or the type of consumer they call, are required to maintain an internal privacy policy that dictates how consumer information will be collected and used by the company. I’ll admit at this point the requirements seem a little scary. You can almost hear the haunting music in the background. But there is truly nothing to fear.

Your Policy

While the law dictates that you have these policies, it does not mandate what must be contained in the policy, nor does it mandate specific language that must be used. Each company is given the opportunity to analyze their internal business practices and develop a DNC or a privacy program that works within their existing business model.

Once that program has been developed, you are free to describe it any way you like – as long as it is accurate in the description. There are no magic words or phrases that must be used, and unlike your high school essay assignments (really scary) there are no word minimums or maximums. It is usually sufficient to describe the entire process in three to five paragraphs on one page.

But like the horror films that have you believe the monster is dead – only to have him sit up one last time – our policy discussion also has one last scare for you. What is tempting in these situations is to draft these grand edicts about your company’s commitment to privacy, and the great lengths you go to ensure the security of every American consumer, when, in fact, you simply collect the names of people requesting to be placed on the DNC list on a sheet of paper and feed them into your computer. Resist the temptation to write prose that would make Shakespeare proud. Every corporate policy writer wants to make the company look its best. In this instance, however, that is a risky proposition.

As we discussed above, there is no requirement as to what your policy must say or how it should be implemented. Companies have been getting into trouble lately by violating their own internal policies. It is not unlawful to have a simple DNC policy. What is unlawful is presenting a wonderful piece of fiction describing in great detail your company’s 12-step DNC process when, in fact, there are two people that handle the program by themselves. The attorneys general across the land have alleged that a company that does not follow its own internal policies has committed an unfair and deceptive trade practice.

So remember, it’s OK to have a policy that resembles Frankenstein’s monster. Just make sure that the monster you create is one you can live with. And don’t be afraid.

Tyler Prochnow is an attorney with Lathrop & Gage, Kansas City, MO, and counsel to the American Teleservices Association. His e-mail address is [email protected]

Related Posts