Why Your Company Needs a Privacy Policy

By: Andrea J. Shaw, Shareholder, Bernstein Shur

As a privacy lawyer I’m asked all the time “does my company really need a privacy policy?” Everyone expects me to say “yes!” They also expect me to say “I can draft one for you.” It’s true, I do respond with both of those phrases. This article explains why those are my responses. The short answer is because it’ll make it easier for you to focus on running your business (and it’s the right thing to do for your customers).

The U.S. legal landscape is a patchwork quilt of privacy laws. There is no one federal legal scheme, but instead it varies from state to state and from industry to industry. One commonality is that it is becoming ever more challenging to keep track of the various patches and how they apply to a given business. Just in the data security law space alone, the number of states with privacy laws on the books doubled from 2016 to 2018[1].

Privacy Law Categories / State Laws[2]

Privacy laws can be grouped into various categories (this is not an all-inclusive list):

  • data breach laws;
  • children’s online privacy protection;
  • privacy policies and practices for websites or online services;
  • false and misleading statements in website privacy policies;
  • data disposal laws;
  • data security laws;
  • cybersecurity laws

Not all states have laws addressing all categories. We are seeing an increasing amount of state legislation being proposed year over year addressing privacy concerns. In risk management terms “the direction of the risk is increasing.”

Federal Laws/Enforcement

Simply because a given state doesn’t have a privacy law specifically addressing a particular category doesn’t mean you are in the clear. Depending on your industry, federal regulatory agencies may be enforcing privacy laws. For example, the Federal Trade Commission (“FTC”) has jurisdiction over most companies and individuals doing business in the U.S. The big exception to FTC regulation is for companies that are primarily regulated by other federal agencies (e.g., financial institutions). The FTC has taken a number of actions where it doesn’t have a statute or regulation directly on point, using its statutory authority to prosecute “unfair or deceptive acts and practices.” In maybe the simplest example of the breadth of the FTC’s enforcement power, the FTC requires a company that has a privacy policy to comply with it. It also requires companies to give consumers notice if they make a material change to their privacy policy and to give the consumer an opportunity to opt out. At this point you may be thinking “if that’s the case, isn’t creating a privacy policy just making more work and increasing my risk?” While it may seem like that on its face, if you have an internet presence and collect any data, chances are you are collecting information that is governed by one or more of the applicable state laws.

Last, the FTC has taken enforcement actions against companies who failed to protect consumer data on the grounds that they violated the prohibition on unfair or deceptive acts or practices. Instituting (and following) a privacy policy helps mitigate these risks.

Emerging Issues

California is the first state to pass a data privacy law similar to what governs data privacy in Europe (Global Data Protection Regulation, better known as “GDPR”). It is slated to take effect January 1, 2020. It gives California residents certain rights regarding their information. It also imposes various notice requirements as well as provides the consumer with the right to choose how some of their data/information is handled. If you collect data from any California residents, a privacy policy will help everyone at your company understand what can and cannot happen with that data.

What it all Means

If you only take two things away from this article, I hope that they are (1) the privacy legal landscape is complex, and (2) a well-drafted privacy policy can help you manage the risk of non-compliance. Given the complexity of the legal scheme, it is more important than ever to understand what data you collect, how you use it, and in what jurisdiction the consumers whose data you are collecting reside. It’s challenging to do this well without a privacy policy. Creating and maintaining a privacy policy instills discipline for your business regarding privacy risks. It forces you to periodically revisit your internal processes to ensure your privacy practices still align with what your policy says. It tells everyone at the company that privacy matters to the company and helps to create a culture of privacy and data protection. These things all go a long way to helping you manage and reduce your privacy risk. By having your privacy requirements buttoned up, you can focus on what is really important – running your business.

[2] Note that this article does not provide a complete analysis of all possible applicable state privacy laws, but rather is meant to give you an overview of the risks associated with not having a privacy policy.