4 Ways Your Privacy Policy Could Compromise Your Business

Eric Pesale

Eric Pesale is an attorney and entrepreneur who writes about business and legal issues for law firms, publications, and companies as the founder and chief legal contributor of Write For Law℠. He is a graduate of New York Law School and the University of North Carolina at Chapel Hill, and has been published in CSO, the New York Law Journal, and Above the Law. He is actively engaged with startup business issues.
Editorial Note: Fundera exists to help you make better business decisions. That’s why we make sure our editorial integrity isn’t influenced by our own business. The opinions, analyses, reviews, or recommendations in this article are those of our editorial team alone.

Whether you’re collecting contact information from customers or storing payment and banking data for billing purposes, it’s highly likely that your business will at some point collect sensitive personal and banking data from your clients. Doing this, however, can attract a different kind of customer to your business: cybercriminals. In fact, Verizon’s 2018 Data Breach Investigations Report recently revealed that 58% of cybercrime victims over the past year identified themselves as small businesses.

Naturally, it would be wise to have the right documents in place to protect your business in the event a breach occurs. Well-drafted privacy policies that work in tandem with your website and product terms of service can help accomplish this if you collect data from your customers online. Borrowing privacy policy language from other companies’ websites, however, isn’t the best route to accomplishing this.  

No privacy policy is one-size-fits-all, and failing to implement one that fully accounts for your business’s needs and interests could lead to serious legal issues with the Federal Trade Commission (FTC) and, in some cases, international regulators. Here are some considerations to look out for the next time you’re reviewing your current privacy policy.

Not Reviewing Your Policies for Potential Misrepresentations

If your privacy policy makes certain claims regarding how you collect and manage consumers’ data, you’ll inevitably face sanctions for not meeting them.

Credit Karma, for example, recently faced FTC scrutiny for misleadingly stating that their app used Secure Sockets Layer (SSL)-encrypted connections to encrypt all data its customers shared with the company through the app. For several months in 2012, however, this wasn’t the case. Unaddressed vulnerabilities in the app allowed hackers to intercept these mobile connections to pilfer sensitive customer data through “man-in-the-middle” attacks.

As a result, hackers literally got “in the middle” of these connections and surreptitiously redirected consumer data away from Credit Karma. Once the FTC caught wind of this, Credit Karma was eventually sanctioned under the FTC Act for making material misrepresentations in their privacy policy. As a result, the company was ordered to undergo biennial cybersecurity audits by an independent professional for 20 years, upgrade their systems to address those vulnerabilities, avoid making additional misrepresentations about their privacy practices, and implement a comprehensive security plan to address and rectify all security flaws.  

These infrastructure upgrade and auditing costs can quickly add up for any business—and likely exceed the cost it would take to have experienced attorneys and data security consultants analyze and vet your privacy policy claims from the start.

Failing to Make Your Policies or Opt-Ins Easily Accessible for Customers

Simply posting your privacy policy online and burying it in your website footer could also backfire in the event your business faces disputes involving your privacy policy.

Zappos got into hot water on this issue in 2012 after it tried enforcing an arbitration clause in its online terms in response to class action complaints arising from a major data breach. However, the clause—and the rest of the site’s policies—was not conspicuously displayed to properly notify visitors about its existence. Instead, it was placed in the middle or bottom of each page alongside other links, and the website never referenced the terms at any point to visitors during the checkout or browsing processes. This important detail was one of many that motivated a federal judge to hold Zappos’ terms unenforceable, forcing the company to address these class action lawsuits through traditional litigation.  

As Santa Clara University Law School professor Eric Goldman notes, this scenario could have been avoided if the company had used clickthrough agreements requiring customers to check boxes indicating they’ve read and assented to Zappos’ terms, and had provided links to the website’s terms and privacy policy for customers to review.

Depending on your industry, you may have to take additional steps to notify customers about your privacy policies. Financial service providers who are subject to the FTC Privacy of Consumer Information Rule, for instance, must deliver annual copies of their privacy policies to customers they have a continuing business relationship with, along with short-form notices to consumers who conduct occasional transactions with them.

Not Accounting for Applicable State and International Laws

Just because your company is based in the United States doesn’t mean your business is exempt from extraterritorial privacy rules. This can hold true even if you incorporate specific “choice of law” language in your policy.

This scenario recently came to light in 2013, when a Canadian Adobe customer filed a complaint with Canada’s privacy commissioner after finding his sensitive Adobe account information available for downloading on a website popular with cybercriminals. In his complaint, the customer alleged that U.S.-based Adobe was liable under Canada’s federal data protection law, PIPEDA, because the company had failed to properly notify him about the breach. Adobe tried countering this complaint by stating, in part, that it wasn’t liable under PIPEDA because both its privacy policy and website terms of use required all of its North American customers to resolve disputes with the company under California state law.

Adobe, however, had a Canada-specific website, maintained corporate offices and employees in Canada, and required its Canadian customers to disclose some forms of personal information in order to access its services from Canada. These were some of the reasons why the Canadian privacy commissioner’s office decided the U.S. company had substantial enough connections with Canada to be within its jurisdiction and, in turn, eligible for PIPEDA sanctions.

This principle doesn’t just apply to cross-border transactions; a number of U.S. states, including California, recently enacted their own data security laws in response to GDPR that businesses will additionally need to account for when drafting their policies.

Using Legalese Over Plain Language

Even though privacy policies are legal documents, they shouldn’t be riddled with complicated language and lawyerly terms. In fact, the GDPR expressly forbids this: Recital 39 of the law, which covers GDPR’s data processing principles, mandates that any communications relating to the processing of users’ personal data be easily accessible, easy to understand, and use “clear and plain language.” PIPEDA, the FTC Privacy of Consumer Financial Information Rule, and other privacy laws require businesses to do the same.

To see how readable your privacy policy is, you can try running a readability analysis using Microsoft Word or by plugging your privacy policy URL link into an online Flesch Reading Score testing tool.

***

In short, you shouldn’t be cutting corners when drafting your privacy policy and other terms. You should consider the states, countries, and sectors you plan to be doing business in, and consult with an experienced business or technology transactions attorney to explore your options and draft a privacy policy that’s tailored to your organization’s specific needs. In the end, it will be time well spent—and billable hours well saved.

Disclaimer: This article has been prepared for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.
