Privacy Policy Online and Offline

Have you reviewed your Web site's privacy policy lately? I know you didn't post it a few years ago, when you first did your Web site, and forget about it. Right?

If you did, it's time to redo it from scratch. Much has changed in the privacy arena over the last few years. The privacy policy you posted may just be a time bomb waiting to explode. The Federal Trade Commission (FTC) has made it quite clear that it will increasingly scrutinize privacy policies and bring enforcement actions.

For those of us who pay attention to this area, the biggest recent surprise was a December 2001 statement by the Director of the FTC's Consumer Protection Bureau. Before the annual meeting of the Promotional Marketing Association, he said that the FTC's position was that it would consider privacy policies posted on a company's Web site to represent the company's position on privacy--both for data collected online and offline--unless the privacy policy clearly stated that it applied only to online data collection.

In my experience, few privacy policies make this distinction because lawyers assumed that if you posted a privacy policy online, it only applied to data collected online. This policy change was like a lightening bolt from the blue.

Bear in mind that online privacy policies started largely as a way to assuage the concerns of technophobic newbies to the Net who were worried about what information they might be unknowingly giving away, to they didn't know who, just by surfing the Net. So, privacy policies started as relatively simple documents. I think the first one I did years ago was only about a page long.

These policies have gradually evolved into much lengthier documents, but still the focus has always been on the technological collection of data. Therefore, you often see lots of discussion about uniquely online concerns like cookies.

Before online privacy policies were in vogue, the offline world had long established rules or maybe I should say it had been long established in the offline world that there were no rules. The fact was and still is that there's almost no privacy legislation in the United States and you could and still largely can buy and sell customer information like any other asset. If you sell a business in the offline world, you sell your customer list as a matter of routine course. After all, it's a valuable company asset.

Then came privacy polices, increased concern about digital data collected online, a push for more privacy legislation, consumers offended by how their personal information was treated like a commodity, and that brought us to where we are today. Interestingly, despite the push for increased privacy regulation in the United States, the only truly substantial pieces of recent legislation impact only the health care and financial worlds.

I would suggest that unless your privacy policy clearly distinguishes between online and offline data collection and was written this year, it's time to revisit it with your tech lawyer. In fact, this is an area of the law that's evolving so fast that you should consider reviewing your privacy policy at least annually.

In revisiting it, the first choice you need to make is to either to clearly state that it only applies to your online data collection practices or rewrite it as a comprehensive policy to address both your online and offline privacy policies. The way to go about this is more of a business than legal decision, but I would just point out that people are increasingly concerned about their privacy. A comprehensive privacy policy may be what it takes to make some people comfortable with doing business with you.

Although privacy is still largely unregulated in the United States, it doesn't mean that your customers and potential customers aren't concerned and sensitive about the issue. I would just suggest that from a business perspective, you just might want to take the high road as a way to win and keep customers.

Whatever you decide to do with your privacy policy, there is one piece of advice that you must follow. Whatever you say in your privacy policy must be completely accurate. Although the law may not specify what your privacy policy must say, the law is clear that you must abide by whatever it is you do say.

So now you have two reasons to reexamine that dusty Privacy Policy you posted a long, long time ago. One, you want to make sure that you properly deal with the fact that the policy may be deemed your offline policy too--a result you probably did not intend. Two, you want to be sure that it accurately reflects your privacy practices as they exist today.

This isn't rocket science and it's not hard to get this right. You just need to take the time and make the effort.