Whether you’re collecting contact information from customers or storing payment and banking data for billing purposes, it’s highly likely that your business will at some point collect sensitive personal and banking data from your clients. Doing this, however, can attract a different kind of customer to your business: cybercriminals. In fact, Verizon’s 2018 Data Breach Investigations Report recently revealed that 58% of cybercrime victims over the past year identified themselves as small businesses.
Not Reviewing Your Policies for Potential Misrepresentations
Credit Karma, for example, recently faced FTC scrutiny for misleadingly stating that their app used Secure Sockets Layer (SSL)-encrypted connections to encrypt all data its customers shared with the company through the app. For several months in 2012, however, this wasn’t the case. Unaddressed vulnerabilities in the app allowed hackers to intercept these mobile connections to pilfer sensitive customer data through “man-in-the-middle” attacks.
Failing to Make Your Policies or Opt-Ins Easily Accessible for Customers
Zappos got into hot water on this issue in 2012 after it tried enforcing an arbitration clause in its online terms in response to class action complaints arising from a major data breach. However, the clause—and the rest of the site’s policies—was not conspicuously displayed to properly notify visitors about its existence. Instead, it was placed in the middle or bottom of each page alongside other links, and the website never referenced the terms at any point to visitors during the checkout or browsing processes. This important detail was one of many that motivated a federal judge to hold Zappos’ terms unenforceable, forcing the company to address these class action lawsuits through traditional litigation.
Depending on your industry, you may have to take additional steps to notify customers about your privacy policies. Financial service providers who are subject to the FTC Privacy of Consumer Financial Information Rule, for instance, must deliver annual copies of their privacy policies to customers with whom they have a continuing business relationship, along with short-form notices to consumers who conduct only occasional transactions with them.
Not Accounting for Applicable State and International Laws
Just because your company is based in the United States doesn’t mean your business is exempt from extraterritorial privacy rules. This can hold true even if you incorporate specific “choice of law” language in your policy.
Adobe, however, had a Canada-specific website, maintained corporate offices and employees in Canada, and required its Canadian customers to disclose some forms of personal information in order to access its services from Canada. These were some of the reasons why the Canadian privacy commissioner’s office decided the U.S. company had substantial enough connections with Canada to fall within its jurisdiction and, in turn, be subject to PIPEDA sanctions.
This principle doesn’t just apply to cross-border transactions; a number of U.S. states, including California, recently enacted their own data security laws in response to GDPR that businesses will additionally need to account for when drafting their policies.
Using Legalese Over Plain Language
Even though privacy policies are legal documents, they shouldn’t be riddled with complicated language and lawyerly terms. In fact, the GDPR expressly forbids this: Recital 39 of the regulation, which covers GDPR’s data processing principles, mandates that any communications relating to the processing of users’ personal data be easily accessible, easy to understand, and written in “clear and plain language.” PIPEDA, the FTC Privacy of Consumer Financial Information Rule, and other privacy laws require businesses to follow suit.
Disclaimer: This article has been prepared for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.