Haynes and Boone's Newsroom

Privacy Policies: Pssst… Everybody’s Doin’ It!
6/5/2002
Andrew S. Ehmke

In the buzzword-compliant society that we live in, one of the loudest buzzes these days is Privacy.  Start-up companies trumpet their privacy protecting software.  Privacy consultants are starting to dot the landscape.  Companies are employing Chief Privacy Officers.  The Federal Trade Commission is bringing charges and levying fines against companies for privacy violations.  The buzz (and the fear of the FTC) has led to companies posting privacy policies saying: “We will never disclose anything to anyone EVER! We love privacy!  Privacy is better than sliced bread!”

“What’s wrong with that?!” you say.  Well, if you pardon the cynic in me, unless you are one of the few types of websites that are required by law to have a privacy policy, the only thing a privacy policy is going to do is to get you into trouble.

Why would I say such a thing?  The fact of the matter is that, in the United States, privacy policies can say absolutely anything you want (the European Union is a different story altogether).  If you want to say “I’m going to disclose your personal information to the first porn site to pay me a $1”, well… you can.  Privacy policies are about The Truth.  Privacy policies have nothing to do with privacy.  Yet, companies always seem to post the most flowery, grandiose, and restrictive privacy policies on their websites.  And this gets them into trouble.

Take, for example, Eli Lilly and Company.  Eli Lilly offered an email-based service that would provide email reminders to subscribers about taking and refilling medication.  Eli Lilly’s privacy policy said Eli Lilly “respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests’ privacy as they take advantage of this resource.”  However, when Eli Lilly elected to terminate its email service, it inadvertently sent a single email to every subscriber by listing each subscriber in the “To:” field of the outgoing email.  This unintentionally disclosed each individual subscriber’s email address to all of the other subscribers.  The FTC charged Eli Lilly with violating its promise to keep the information confidential.  Food for thought… If there had not been a privacy policy, would the FTC have been able to bring charges?

In another example, Yahoo! had a privacy policy that limited how Yahoo! would use its users’ postal mail address, telephone numbers, and email addresses.  Recently, however, Yahoo! altered its privacy policy and sent an email informing each user that the user had 60 days to opt-in or opt-out of receiving marketing information.  Nothing earthshattering, except customers were outraged and the press had a field day.

Additionally, the FTC has taken the position that a privacy policy posted on your website should apply to any information that your company collects offline, unless you say that it doesn’t apply.

So, let’s tally up the score.  FTC and outraged users: 3.  Privacy Policy: 0.

These two examples certainly seem to indicate that a privacy policy was the root of the problem.  Clearly, then, no privacy policy, and the problems go away.  Right?

Not so fast, my friend.  I am not recommending against privacy policies.  For the most part, consumers like to know what they are getting themselves into, and, speaking as a frequent websurfer, seeing a well-drafted privacy policy on a website lends a certain credibility and respectability to a website.

That being said, the key to a privacy policy is not privacy. Rather, the key to a successful privacy policy is The Truth, which may have everything (or nothing) to do with privacy.  So when you draft your company’s policy, remember The Truth, and let me suggest these three concepts to help provide a foundation for The Truth: Honesty, Accuracy, and the Future.

Honesty:  If you are going to share your customer’s information with some third parties, tell them.  Put it in your policy.  Don’t make grandiose statements of “your privacy is important and we will do everything we can to ensure that your privacy is maintained,” unless you are absolutely 100% positive that the statement is true.  Watch out for the obvious: if you collect credit card information for payment, you need to be able to disclose information to the credit card authorization company.

Accuracy:  It’s all too easy for one part of your company to draft a privacy policy, without having any knowledge that another part of the company is disclosing information left and right.  It is important to pull in marketing, engineering, sales, corporate, and everybody else into the mix when drafting a privacy policy.  You’ll be amazed at how the rest of your company actually uses your customer’s information, and only with Accuracy can you successfully be Honest.

Future: This last point is also the hardest.  Just because you aren’t disclosing information today, doesn’t mean that you won’t want to tomorrow.  Most businesses have a 3-year or 5-year plan.  If you post your privacy policy, will you be able to execute your plan the way you want to in the coming years?  Look at Yahoo!’s troubles when it tried to modify its policy.  If you can understand, or at least guess, about how you might use information in the future, you can tailor your policy to help make that happen.  That way, when it does happen, you don’t have to revisit your privacy policy, and more importantly, you don’t have upset your customers.

In the end, a privacy policy should not be an afterthought that is remedied by simply copying a policy from www.abigcompany.com and posting it on your site.  Be Honest and Accurate.  Think about your company’s Future.  Remember, in the end, don’t listen to the buzz; the Truth has a much better ring to it.