What Business Owners Need to Know About the Changing Landscape of Privacy Policy Laws

Privacy Policy Law

Privacy Policies are difficult to write because Privacy Law is rapidly changing in just about every jurisdiction. Each state has its own privacy laws, and the feds do, too. I don’t know if you’ve noticed, but there’s also a huge cultural shift that’s occurred over the last 10 years or so, where BILLIONS of people are taking their private information (date of birth, family members, children’s names, parties they attend, what companies they work for, what high school they went to, and on and on) and putting it out there on social media sites for any creeper to find. 

We’ve had privacy laws for all of American History, but now our cultural “expectation of privacy” is nosediving. The big question that we have to ask ourselves when writing privacy policies is: where’s the line? How much, if at all, is the legal bar “lowered” for privacy, given our lowering expectations of privacy?

What Are Privacy Policies? 

OK, let’s dig into it: Overall, privacy policies are legally binding agreements, similar to a terms of use contract, for users of your website, software portal, or app. Each of these platforms does different things with information that could be considered private, or in legal terms, “Highly Sensitive Confidential Information” (HSCI).

Normally, HSCI is information that, if disclosed to the public, could be harmful to that person or entity’s security or the business’s inner workings in general. 

What Is Considered HSCI Information and What Should Be Kept Confidential?

If you’re the owner of a website and you offer Contact Forms, where users put in their names and contact information such as email or phone numbers, some people would consider that information HSCI. I think that, since that information is so often readily available on social media sites, we could often argue that a person’s email address, and even their phone number, may not rise to the level of “threatening their security if disclosed,” but that’s where we start to see the line get blurred. There have been judges who see it as clearly HSCI and ones who do not.

Nonetheless, the safest and most conservative route is to keep ALL information that is collected from a user of your website or software platform totally confidential and never to publicly disclose it. 

There are probably third-party vendors, however, that your business will disclose that information to, and these should be called out. If, for example, you use a Customer Relations Management (“CRM”) application, where you input leads generated from your website or app into this third-party vendor’s website, then you’re taking what could be HSCI and disclosing it to a third party that may, or may not, keep that information secret. Legally, if you put in writing in your Privacy Policy that this will happen, and even go so far as to list out the particular vendors that you may disclose that information to (Google Analytics, CRMs, etc.), then you’re legally putting these users “on notice” that the information they provide to you will be disclosed to third parties, and effectively, they’d have a hard time suing you for doing that down the road.

What’s Included in a Great Privacy Policy?

A great privacy policy will list out all the ways in which information a user gives to you will be used, stored, and disclosed. It should list out what promises you’re making, if any, about what you will do with that information, and it should warn the user that they should not input information that they do NOT want disclosed in this way (sort of “putting the ball in their court,” so to speak). 

Privacy laws differ in every state, and there are Federal Laws that supersede state laws as well. The internet, though (at least in America), doesn’t stop users from one state or another–it usually allows citizens of any state to access the URL. This means that you could get users from California for your Georgia-based website. California Privacy Laws are quite different from Georgia Privacy Laws. This means that your Privacy Policy may be “compliant” with Georgia laws but non-compliant with another state’s, for example. 

There’s no easy way out of this debacle, but what I like to do is a sort of “enter at your own risk” statement, and just put it out there that this Privacy Policy may (or may not) be 100% compliant with all states’ Privacy Laws (because the legal costs to research every state’s privacy laws and maintain compliance would be quite high) and that the user “enters the website at their own risk.” This is not a guaranteed win by any means, but in my experience, it’s been far better than nothing.

Overall, Privacy Laws are rapidly changing because our social expectation of privacy is rapidly declining. How that changes the actual law is mostly a mystery, since these cases rarely go through trial and get a judge’s opinion on it. HSCI is usually the information that privacy policies should be concerned with. A good Privacy Policy will detail what information is collected, what vendors/third parties might get that information disclosed to them, and probably include a sort of “enter at your own risk” catchall provision. Despite the ever-changing privacy laws and all the differences across state lines, having a solid privacy policy will help your business a lot and is always better than nothing!

Get Help From an Atlanta Privacy Policy Lawyer

If you’d like to speak with a lawyer about your company’s privacy policy, feel free to give us a call at 470.268.5234!