April 6, 2001

Privacy policies: Establishing trust online

By Kendall Thiessen

Gibson, Dunn & Crutcher LLP

www.gibsondunn.com

Data privacy is perhaps the most important policy issue being debated in this session of Congress.

Last year alone, more than 100 bills were introduced relating to privacy and data protection. The FTC has consistently exercised its regulatory authority over fair commercial practices and advertising to aggressively pursue companies that fail to adhere to fair data practices. FTC investigations have targeted companies such as DoubleClick, Geocities and the recently bankrupted Toysmart.

There are four key principles that must be addressed by any company that collects personal information online. They arise from three sources: the Children's Online Privacy Protection Act (COPPA); the FTC's false advertising regulations and privacy guidelines; and the privacy standards developed by Internet certification programs. The four key principles are accurate notice and disclosure; user consent; security; and access.

Notice and disclosure is accomplished by drafting and posting a privacy policy. A privacy policy is a statement describing the way a company collects, uses and stores information. In other words, it answers the following questions: what information is collected, why the information is collected, where the information is stored and how it can be accessed by the user.

What type of information is collected? Does the site only collect demographic information or does it also collect personally identifiable information, such as name and home address? The policy should address the way information about children under 13 is collected, if at all.

Why is the information collected? The information could be used to develop the site, improve advertising or even market third-party products and services to users. Intended uses for the information should be clear and must include a description of any information that will be disclosed to third parties in connection with such uses.

Where is the information stored? All reasonable efforts should be made to safeguard the information. To provide adequate security, the information should be stored behind a firewall and access should be restricted to key employees.

How can a user update or correct personally identifiable information? For example, access is often provided through a password-protected registration page or an e-mail sent to a customer service representative. Access should also include a way for the user to remove their information entirely.

These questions represent a starting point for the development of a comprehensive data collection and use policy. Whether you are an emerging Internet company or a brick-and-mortar company doing business on the Internet, accurately and comprehensively addressing these issues in a privacy policy is necessary to gaining the trust of your users.

Kendall Thiessen is a member of the Emerging Technologies Practice Group, and practices in the Denver office of Gibson, Dunn & Crutcher LLP.
