The Privacy Tune-Up

I have the oil in my car changed every six months. Though I don’t drive many miles, it seems to me that preventive maintenance is a good idea and pays for itself by avoiding trouble. You may want to consider the same approach for your privacy policy. Every once in a while, that policy will need a tune-up.

There are many reasons for doing a review annually. Here are some.

The law may have changed. Privacy laws continue to pass at the state level, and privacy remains on the federal agenda. A new law may affect some aspect of your company’s personal data collection, maintenance, use or disclosure. For example, at least a dozen states enacted security breach laws recently. It may be appropriate to update your policy or practices to reflect the new obligation. Even if laws that regulate your activities have not changed, the laws that control government access to privately maintained records may have. New government authority or procedures might affect what you say in your privacy policy.

The technology may have changed. For example, when was the last time you asked your Webmaster how your company’s site uses cookies? You may learn that a Web site that previously used session cookies now sets permanent cookies. Is the site now using Web bugs or other tracking technology? While none of this may be a big deal, a privacy policy should include a current and accurate description.

Have you added banner ads to your Web site? What are the data policies of the advertising company? Maybe those policies differ, and your privacy policy may need to reflect that.

Has your company changed its business in any substantial way lately? New products and services may affect the collection, maintenance, use or disclosure of personal information. Your privacy policy may be out of date or just plain wrong.

Has your company bought another company? Has your company been acquired? Any of these changes may call for revisions to a privacy policy. You may be sharing data with a new division or parent company in a way that is inconsistent with your old policy.

Are you doing business through a new joint venture with another company? If so, it’s a good bet that you are sharing information in a manner different than before.

Has your marketing department changed its approach to the renting of mailing lists? Perhaps a standing decision not to rent lists has been reversed or some other new use of customer information has been instituted.

Have your security policies or practices changed? The intense focus on security of late may have produced changes, and it is possible that a privacy policy can include something new and reassuring.

Are your Web links, e-mail addresses, telephone numbers and street addresses still the same? These little things can be overlooked. If your policy included the name of your privacy officer (which is not always a good idea), has that person changed? Maybe your company created a privacy officer position that might be described in the policy.

Have you changed your policy for preserving data? Legal and contractual requirements may oblige your company to maintain transaction records for a long time, but practices for long-term storage of data should be described in a privacy policy.

Have you changed your bank, credit card processor or other service providers? A privacy policy is unlikely to include this level of detail, but it might. Even if the policy offers only generic descriptions, a change in partners may create the need for a tweak.

Are you collecting more data from your customers? If not, maybe you are buying more data about them from third parties.

Not every company that has a privacy policy does so because of a legal obligation. Only a small percentage of companies are required to publish a privacy policy. However, it is possible, albeit very unlikely, that a federal or state government agency will seek to hold a company to its published policy. Another possibility is a private lawsuit. Any company not in compliance with its own policy is just asking to be sued.

Approach a privacy tune-up as an opportunity rather than a chore. Educate your colleagues about their obligations, learn about developments in your organization and review fundamental assumptions and data practices. A privacy policy is not just a notice to the world. It’s a tool for ensuring that everyone in your organization is aware that there are rules about the collection, maintenance, use and disclosure of personal information.

My final suggestion is that you consider having your privacy policy read periodically by someone with fresh eyes. An independent review may spot something that you and your in-house colleagues missed. That’s why I am grateful that this column is read by an editor.

Is routine maintenance a good idea? I drove my last two cars for 13 years and 12 years, and both were still running strong when I finally decided to get rid of them. I found that paying attention to the basics can be worthwhile.
