Simply put, when you visit a site you look for signs of credibility before interacting with a company. So do your customers. A link to your privacy notice at the bottom of your home page can be reassuring.
Ignorance doesn’t provide protection from prosecution. Failure to protect personal data can result in fines, loss of reputation, lost future sales, lawsuits, and even loss of a license to practice or imprisonment. You’ll want to check with your legal counsel to get guidance to comply with state, federal, international and other regulations.
The Better Business Bureau understands how important it is for consumers to be able to trust businesses online. Businesses must post privacy statements on their web sites to earn the BBB seal of accreditation. The Direct Marketing Association requires its members to do the same to meet its ethical guidelines.
Charged with enforcing the prohibition of unfair or deceptive practices, the FTC prosecutes businesses that fail to protect the personal information of customers and others. Until comprehensive U.S. privacy legislation is passed, FTC actions provide guidance.
Once you post your privacy notice, it’s critical that your practices continue to match that notice. Many FTC actions result from companies doing something different from what their posted privacy notices state. One company, which did not have a privacy notice on its own site, was penalized for failing to observe the privacy notices of its clients.
The Better Business Bureau and the Direct Marketing Association both report substandard marketplace practices to the FTC, not only those of their members but also those of non-members, as do other privacy watchdogs, such as Privacy Rights Clearinghouse and investigative reporter Brian Krebs.
The Council of Better Business Bureaus (CBBB) serves both businesses and consumers by administering court-approved, class-action settlements.
Handling personal information across the pond: U.S./E.U. Safe Harbor
Does your site collect personal information from European web visitors?
The CBBB educates companies across all industry sectors on how to comply with European privacy requirements, which are stricter than those in the U.S. The BBB EU Safe Harbor program promotes privacy best practices, while enabling participating companies to provide independent, secure, and easy-to-use online dispute resolution free of charge to European consumers.
The Safe Harbor frameworks allow U.S. businesses to self-certify their compliance with European privacy standards, assuring European consumers that their data will be adequately protected. Participating companies must also offer consumers an accessible, independent dispute resolution option for privacy complaints.
Important components of a good privacy notice
A good privacy statement details how a company collects personal information, with whom it is shared, how it can be accessed and corrected, how data is secured, how policy changes will be communicated and how to address concerns over misuse of personal data.
- Policy (what personal information is being collected on the site)
- Choice (what options the customer has about how/whether her data is collected and used)
- Access (how a customer can see what data has been collected and change/correct it if necessary)
- Security (how any data that is collected is stored/protected)
- Updates (how policy changes will be communicated)
Beyond a web site privacy statement
Massachusetts’ regulation 201 CMR 17.00 is just one example of broader rules that may apply to you. In this case, if you do business with state residents, your business must “maintain a comprehensive information security program that…contains administrative, technical, and physical safeguards…”
Earn the trust of your web site visitors by posting a complete privacy notice. Keep it up-to-date as you change your business practices. Then go on to create a comprehensive privacy program. You’ll be glad you did.