Privacy Policies: From Compliance to Stewardship


Recently, I read an article entitled “Do You Know How Your Data Is Being Used” by Joseph Titlebaum at Corporate Counsel. It is a good article and I recommend reading it; however, I want to focus on one small point it makes: the failure, in privacy compliance, to update online privacy policies for new services and data collection.

According to the article, this failure is not deliberate; it often results from not understanding the services being used, or from not being aware of exactly what data is collected and for what purpose it is used. But failing to update the privacy policy for new services is potentially very costly, especially if the FTC finds that it rises to the level of deceptive practices. At that point, the offending company is spending time, money and resources on an investigation and on public relations damage control.

I think this failure to update the privacy policy for new services is really an internal privacy communication issue. In practice, when a vendor contract is obtained, it should pass through legal review. A good legal department will visit the vendor’s website and then sit down with the employee to discuss what the vendor’s services are, how they will be used and how the technology works. After gaining a thorough understanding of the purpose of the service, the legal department can determine whether it needs to update the online privacy policy. The contract is signed and the employee(s) begin to use the service. But there is a broken link in this process, and that is the statement of work for additional services. Often the statement of work is not accompanied by new terms of service, so no legal review is triggered and the new service is never evaluated for privacy compliance.

Alternatively, many companies do not have in-house legal departments. For those businesses, the attorney may be prevented from completing the same level of diligence because of cost sensitivity (that $600/hour billable rate adds up), or legal review is skipped altogether. In this situation, compliance with the privacy policy is at a higher risk of failure unless the business has very diligent outside counsel or a very aware employee, both of which depend on good training.

Some of these complications can be avoided if the vendor takes a more proactive approach. The Online Trust Alliance states that 2014 is the year we need to move from privacy compliance to stewardship. One form of stewardship we practice at Sailthru is to provide our customers with language they can add to their privacy policy when they use our services. It is a small extra step, but I believe an important one that helps our customers avoid the pitfalls in privacy compliance described above. This year I moderated a panel, “From Privacy Compliance to Stewardship,” at the OTA Data Privacy Day on January 28, 2014, and I fully support the movement from privacy compliance to stewardship.

To find out more, please visit The Online Trust Alliance.

Caroline McCaffery is General Counsel at Sailthru and an expert in Corporate Law, with more than 13 years of corporate transactional experience with scaling technology companies ranging from early-stage to large, multi-national corporations. She also brings over 3 years’ experience navigating the new and emerging Big Data Privacy and Security Law industry for early-stage clients.