Is it weird not to have a privacy policy? (And other thoughts on privacy policy best practices)


Foley Hoag Counsel Christopher Escobedo Hart writes on security, privacy, and the law. In the post below he examines whether an organization needs a website privacy policy.
________________

You probably are employed by an organization that has a website privacy policy. I am. That’s because most organizations process personal information through their websites in some way, such as through online forms that ask you to sign up for newsletters or marketing promotions.

What if your organization doesn’t process any personal information through its website? What if you run a B2B startup and just have an informational website that tells the public about what you do, where you’re located, and how to call you? Do you need a privacy policy? Does it look weird not to have one?

It probably does look weird, given how ubiquitous website privacy policies are, but whether you ought to have a privacy policy is surprisingly not straightforward!

On the one hand, the answer seems to be no: if you’re not collecting information, then what is there to advise customers about? On the other, maybe the answer is yes: better to inform individuals that nothing is being collected than to leave them (and maybe even regulators) wondering why you’re not informing people about what you do with information.

Answering the question thus entails a risk analysis. The risk of not placing a privacy policy on your website when you don’t collect personal information is that it “looks weird” not to have it, perhaps encouraging people not to trust you and inviting the scrutiny of regulators interested in what they might assume is your lack of adequate controls on personal information. But the risk of placing a policy on your website is that you could be signing up for obligations you don’t mean to take on.

Privacy policies in the U.S. are a creature of the peculiarities of U.S. privacy regulation, which in the ordinary course rests a great deal on the obligations companies impose on themselves. (So when people concerned about EU privacy regulations ask me “How can I make my privacy policy GDPR compliant?” my answer is, it doesn’t really work that way – GDPR compliance is not primarily tied to what you say in your policy.) Privacy policies are those obligations: they tell customers what information you collect, what you do with it, who you give it to, and how you secure it. If you don’t actually do what you say you do in your policies, you can find yourself in the crosshairs of the FTC or other consumer protection authorities (such as state attorney general offices) that have broad data privacy authority based on whether you are being unfair or deceptive with customers.

So the upshot is that while it might look weird not to have a privacy policy if you don’t collect any personal information, and there might be a good reason to create and publish a “privacy policy” that says you don’t collect information, you need to take care. For example, perhaps you don’t collect information now — but what if the use of your website changes as your company grows? Certainly don’t make a promise that you “will never” collect personal information. You might! And when you do, you will need to update your privacy policy. Thinking ahead to how your collection practices might change tomorrow is a good way of being careful about what you tell the public today.

Now, you might be wondering — does such a company really exist? Is it possible to have a website out in the world that doesn’t collect personal information? And the answer is, that really depends on what you mean by “personal information.” While in the U.S. we mostly think of “personal information” as your name plus some other identifying and sensitive information (such as a credit card or social security number), the definition could also include cookies or other web tracking technologies that are common to the point of being ubiquitous. Indeed, information that web tracking technologies collect increasingly falls under the ambit of personal information subject to regulation.

Whatever you are (or aren’t) collecting in the way of personal information, audit your policies regularly. The rule of thumb is “annually,” but really, you should be looking at your privacy policy on a much more frequent basis. Data flows tend to change in all sorts of ways in the ordinary course of a business. Maybe you decide to use a third-party cloud service to store information, or a vendor to process payments; you will need to update your policy to reflect that you are providing information to third parties. Maybe you decide to create a survey for customers to fill out; you will need to update your policy to reflect what you do with that information. And increasingly, as data privacy laws change and become more robust, you will need to tell individuals who come on to your website how they can access, correct, and delete information. Obligations differ, as well, depending on your industry: what you need to promise might change if you traffic in financial information or health care data, or if you market to children.

So in the end, while just having a template website privacy policy isn’t going to solve your privacy compliance needs (and could in fact create major headaches), investigating what information you get, what you do with it, and thinking about how that could change in the future can help you think about what you should be communicating through your privacy policy.