written by guest blogger Jonathan I. Ezor
One of the drafting tasks attorneys are increasingly faced with is to create privacy policies for their clients’ websites and other online resources. These policies are supposed to provide sufficient detail about a company’s personal information collection and use such that consumers can make informed choices about whether they will provide their information to the company. As with website terms of service, privacy policies often include contract-related provisions regarding consent, jurisdiction, notice, amendment, and other such elements.
Why do so many companies, even large and sophisticated ones, find themselves facing litigation and enforcement actions based on their privacy policies? Often, this is because those responsible for drafting the policy, whether in-house counsel, outside attorneys or non-lawyers, did not ensure that the policy was actually an accurate reflection of the company’s current and future practices. Too many privacy policies are cut and pasted from those on other sites, even when the other sites’ data practices have no relationship to those of the site using their text. This is a bad enough methodology when dealing with contractual language; in a disclosure document, which is primarily factual, it can be disastrous.
How, then, should those drafting privacy policies proceed in order to reduce the exposure of the site owner to consumer protection enforcement? There are a few key best practices:
Beyond the benefit of avoiding legal exposure, companies that demonstrate a commitment to responsible privacy practices and clear and accurate disclosure of those practices will also generate greater consumer confidence (and of course those organizations whose privacy practices are lax may well lose the trust of customers and business partners, let alone invite legal action). Attorneys, in their role as risk managers for their clients, can and should be an active part of a well-designed data collection and use strategy, especially when it comes to drafting privacy policies.
Jonathan I. Ezor is an Assistant Professor of Law and the Director of the Touro Law Center for Innovation in Business, Law and Technology and counsel to Olshan Frome Wolosky in New York City. He has been practicing technology business law for twenty years, and is a frequent speaker and writer on cutting-edge issues of Internet law. He is the author of multiple works, including Privacy and Data Protection in Business: Laws and Practices (LexisNexis 2012). He can be reached at firstname.lastname@example.org and followed on Twitter as @ProfJonathan.