
Privacy Statements: Where Size Matters

When it Comes to Privacy Policies, Size Does Matter.

A couple of weeks ago, I spoke on a panel titled, “The Role of Customer Privacy and Trust in Innovation.” Joining me, the token lawyer, on the panel were a venture capitalist, the editor of a computer security magazine, and a CEO of a high tech start-up. An impressive bunch, but even better, we were giving our presentation in the lecture hall of the Stata Center at MIT, the home of really wicked smart people.

So we have this lecture hall brimming with brainiacs and an A-list panel and the panel moderator asks for a show of hands of everyone who reads the privacy statement on the sites or apps they give their personal information to.

I raised my hand…No one else did…Hmmmm.

Afterward, I asked a twenty-something young woman from the audience why she thought no one reads privacy statements. She said she figured there wasn’t much she could do about it. She wanted to buy this stuff or get that app and the company could pretty much do whatever they liked. Besides, what did she have to protect? Her privacy headed for the hills when she joined Facebook in high school anyway.

Privacy statements don’t have to be a mystery. There are some differences between them that make it worth the read. Let’s take a look at some of those differences.

First off, size matters. As a general rule, the longer it is, the more you’re hosed. If a privacy statement simply said, “We don’t track or collect anything about you,” then you’d know you’re golden from a privacy standpoint. But they don’t. They go on and on and on, starting with a cheerful, “We respect your privacy.”

The typical privacy statement will cover:

-What information the company collects

-How the information is used

-How they secure your information

-Who they can share it with, and

-How you can complain about what they’re doing with your info

What information the company collects:

Companies collect all the stuff you give them and you know about—name, address, credit card number, passwords, etc. They also collect a lot of stuff you don’t know about—your IP address, stuff about your computer, what web site you were just browsing and where you go when you leave the site. Companies can list anything they want just to cover their bases because a company only gets in trouble with its privacy statement when it says it does something and it doesn’t. This is important so I’ll say it another way. The FTC goes after companies when they say they do X and Y in their privacy statements but leave out Z. Then the company does Z and gets the wrath of the FTC descending upon it.

How the information is used:

This section covers all the mundane uses like processing your order, registering your license and sending you product updates. But it also covers much more interesting uses. Some say they will use your information by combining it with other data to serve you up special ads. So they get a little info from you, combine it with a Big Data provider, and voilà, an intimate profile cocktail. Beware of the words “combine” and “personalized content” in privacy statements.

How they secure your information:

Remember when I said the FTC drops the hammer on companies that don’t live up to their privacy statement? Well, this is where it matters the most. Companies say they will use adequate security measures to protect your personal information. But the reality is that there is no security adequate to protect personal information 100% of the time. So when a breach occurs, the FTC says to the company that the privacy statement was essentially false advertising. Score one for privacy advocates.

Who they can share it with:

This is where the floodgates can open. Companies can’t just keep your information to themselves. Sure, there are plenty of benign reasons to share your information, such as with a “trusted vendor” that processes your credit card or the shipping agents so you can get your package. But there are other less appealing folks often listed as well, such as “subsidiaries, partners and affiliates.” If you put the word “marketing” in front of “partners” and “affiliates” the picture becomes clearer.

How you can complain about what they’re doing with your info:

Privacy-oriented companies give you a place to remove your information from marketing databases, modify your personal data, opt out of certain forms of communication, and provide feedback on the privacy statement. Most don’t. This part comes at the very end of the privacy statement, so if you just scroll to the bottom, you can see if you have a way of getting out of the sharing relationship you’re about to get into.

Congratulations! You are now officially ahead of the pack—more informed and empowered. Now get out there and use this knowledge. The next time you provide your information online, go to the footer of the website and click on the privacy policy. And make sure it’s not the last one you look at.

Gant Redmon, Esq., is General Counsel & Vice President of Business Development at Co3 Systems. Gant has practiced law for nineteen years, fifteen of those years as in-house counsel for security software companies. Prior to Co3, Gant was General Counsel of Arbor Networks. In 1997, he was appointed to membership on President Clinton’s Export Council Subcommittee on Encryption. He holds a Juris Doctorate degree from Wake Forest University School of Law and a BA from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts. Gant also holds the CIPP/US certification.