From Mobile to PCs: The Fine Art of Privacy on the Web

Creating a privacy policy requires many considerations. Missteps can mean legal trouble and more (Photograph by William Howard/Getty Images)

Let’s face it: Only a lawyer or an insomniac could really love a privacy policy. They stretch on for pages, lean on legal jargon, and strain the eyes with tiny type. Yet for most companies, particularly those doing business online, the privacy policy is a vitally important document. Missteps can mean legal trouble, bad PR, and customer defections.

Many businesses find this out the hard way. In general, privacy policies are intended to tell customers about the kinds of personal information collected about them, and regulators routinely admonish companies for collecting information beyond what they promise, for failing to adequately protect customer data from hackers, or for engaging in unfair business practices. Google, Facebook, and Myspace have been among the Federal Trade Commission’s highest-profile targets; all three settled the FTC accusations either by paying fines or agreeing to beef up their privacy practices and undergo independent privacy audits for 20 years.

For companies, creating the right privacy policy is a complicated process. The relevant laws vary by state and by industry. The minutiae can be highly technical; at the same time, customers typically say they want privacy policies written in plain English—then don’t bother to read them anyway.

To oversimplify, a privacy policy explains what data a company collects about its customers and what it can do with the data. Does the company share it or sell it? Where is it stored and for how long? How is it protected from hacking or theft?

An online retailer, for example, may retain a customer’s name, home address, and credit-card information; technical details like IP address, the type of browser used, and login data; and shopping and browsing history including Web pages viewed and products purchased. Some of that data probably gets shared—with third-party ad companies, data analytics providers, e-mail marketers, payment processors, and even, potentially, law enforcement.

The laws governing privacy are inconsistent. Some individual industries like health care and financial services are subject to federal law. So are businesses that cater to children under age 13, such as the website of Nickelodeon. In California, for example, all online companies doing business with residents must post privacy policies on their websites.

In effect, virtually every company of a certain size falls under some requirement. Even those that aren’t required to have a policy tend to create one to build trust with customers and help protect against lawsuits. Laws for online and offline businesses are largely the same. The primary difference is offline companies tend to collect less data. When they do it, you’re usually aware of it. Imagine giving your IP address—or, for that matter, your broad window-shopping history—to your local Foot Locker.

Companies make several common mistakes with their privacy policies, says James Snell, co-chair of the privacy and security group at the Bingham McCutchen law firm. Startups, in particular, often make grandiose statements: “We’re never going to use your information,” for example. Down the line, they change their minds.

“I really counsel business to take a life-cycle approach—not what you’re doing today, but what you think you might be doing five or 10 years from now,” Snell says. A company’s marketing team, for example, may eventually want to use individual shopping histories to offer customers ads or discounts for products they’ve looked at in the past.

Another mistake: making promises that are impossible to keep. Companies may boast of having such tight security that no hacker will ever steal customer information. In fact, Snell says, in this day and age, no computer system is completely safe. Companies should instead say they take reasonable steps to secure data, and leave it at that, Snell says.

Then there are the companies that simply cut and paste privacy policies from competitors, maybe changing a few words to avoid copyright infringement. Bad idea, says Snell. Technology inevitably varies between companies, which would make borrowed policies wrong more often than not.

The other challenge: As long as a company keeps adding new products, technologies, or partners, its privacy policy needs to change, too. New laws and evolving data collection practices come up all the time. Companies can make minor tweaks to a policy, as long as they previously disclosed the possibility of revisions. If the change is “material,” or substantial, companies must alert users and give them the chance to opt out.

“A privacy policy has to be viewed as a living document,” says Snell. “Just as consumers don’t often read policies, sometimes the folks who promulgate them don’t revisit them. I really think it’s an important thing to make sure that the practice matches what the policy says.”

With the increased adoption of mobile devices, the debate over privacy has intensified. Phones and tablets can precisely and persistently track a user’s location, which raises extra privacy concerns. Mobile app developers must follow the usual set of laws in terms of privacy. But the nascent industry is rife with companies that fail to comply, according to regulators.

An FTC survey last year of hundreds of mobile apps targeted to children found that the vast majority failed to disclose anything about their privacy practices. Meanwhile, California’s attorney general filed suit against Delta Air Lines in December for failing to post a privacy policy for its mobile app.

Between rule violations, bad press, and customer concerns, privacy policies often come under fire. In general, they’re far too complicated, says Jeff Chester, executive director at the Center for Digital Democracy, a digital rights group that advocates tougher privacy laws. This may be strategic, he says: Companies are deliberately vague about how much information they collect and what they do with it.

To get users to engage, some companies have gone so far as to make their privacy policies as whimsical as possible. Zynga, the online gaming company based in San Francisco, for example, has created a game called PrivacyVille to supplement its privacy policy. In it, users can take a brief tour of the policy by clicking on colorful icons, take a privacy quiz, and become a certified PrivacyVille tour guide.

A more traditional process—and policy—takes months, and results in a document, not a game. At Barracuda Networks, a computer security company based in Campbell, Calif., the work on a privacy policy for its new online storage service started long before it was introduced to the public last month. Copy, as the service is called, lets users store and share files online, much like Dropbox, a widely used competitor.

To get started, Diane Honda, Barracuda’s general counsel, used the service herself so she could understand the privacy implications. Once up to speed, she interviewed the lead engineer and product manager about the kinds of customer data collected, how it would be used, and how the product may evolve in the future. She also read the privacy policies of competitors and other technology companies she respected, like Apple. All the while, she created a checklist of what customers expected and what the law required.

Honda decided to write the privacy policy “in clear English.” It is a fairly common goal for companies, although few actually achieve it. Furthermore, Honda explained that she wanted to give examples in the policy about how data would be used. Leaving it up to customers to figure out could be confusing or make them worry unnecessarily.

Honda says she went through several drafts. Near the end of the process, she had colleagues from sales, marketing, and an administrative assistant review the policy to make sure it was readable. “They’re the average users,” she says. A description of why data is shared with third parties raised concerns as being overly broad. In response, Honda specified in the policy that there was “no other use” for the data besides marketing or providing and enhancing the product.

That doesn’t mean users will stumble across a clever turn of phrase, Honda says. It’s not intended to be poetry. “Philosophically, I just wanted people who read it to understand,” she says.
