Avoid these mistakes with your Privacy Policy

Practically every website and mobile app collects some form of personal information from the people who use or visit it.

The Federal Trade Commission ("FTC") sets requirements for how personal data must be handled and how people must be notified of the data collection practices in place on a website or mobile app. These practices must be described thoroughly and accurately in the website or mobile app's Privacy Policy agreement.

While constructing an adequate Privacy Policy isn't a challenge, there are a few common and crucial mistakes that can lead to legal trouble if made.

A few years ago, Compete.com made a costly mistake with their legal agreement, one that teaches business owners a very important lesson about drafting their legal agreements correctly.

Compete, a user data tracking company, licensed its technology to multiple vendors, who were able to integrate their own tracking toolbars. Compete had a Privacy Policy agreement in place, but the agreement was not an accurate reflection of its practices.

The agreement stated that Compete would make reasonable efforts to remove any personally identifying information collected about its users before transmitting the data, and would purge this data from its servers.

In practice, Compete was collecting more personal data than it disclosed, including sensitive data, and was not making efforts to promptly erase this data before transmitting it. The data was also found to be transmitted in a very insecure way.

Not only was Compete violating FTC requirements for how personal data must be handled, it was also misrepresenting how it actually collected and handled that data.

Compete should have handled personal data much more securely, only collected the minimal amount of personal data that was actually needed, and should have made their Privacy Policy accurately reflect their actual practices.

There are five main lessons that can be learned from this case and from others to help prevent issues such as these.

  1. Fully understand and disclose data collection practices.

    Make sure you understand exactly what personal data you are collecting about your users, and what any third parties are collecting through your website or mobile app. Once you know what data is being collected, make sure you disclose this accurately in your Privacy Policy.

    Being vague or general isn't good enough.

    Asana mentions what they collect from users in their Privacy Policy agreement:

    Asana Privacy Policy - Information We Collect

    Don't forget to update your agreement immediately if your data collection practices change. Many businesses run into legal issues by failing to keep an up-to-date Privacy Policy, which according to the FTC amounts to unintentional deception.

    It can't be stressed enough how important it is to be accurate in your agreement. If you aren't sure exactly what data is being collected on your website or mobile app and how it is being used, you must figure this out and be certain of it.

    If you update the Privacy Policy, provide notice of the changes to users.

  2. Don't over-collect data.

    Don't collect more data than is necessary for the purposes you want it for, or any data other than what you say you are collecting. If you say you only collect certain data, such as email addresses, that is the only data you may then collect. You cannot also collect zip code information without disclosing it.

    You should take precautions to avoid collecting unintended or undisclosed extra data.

  3. Treat data securely.

    The FTC is very strict about protecting the privacy of individuals who use websites or mobile apps.

    Use algorithms, filters, secured servers, anonymization tools, and other available resources to keep user data safe while collecting, storing and transmitting it. A good standard practice is to use levels of security appropriate for the level of harm or damage that would be caused if the data were to be compromised.

    Another good practice is to enable SSL across all your website pages.

    For example, social security number information or bank account information must be highly secured, while the anonymous collection of birth date data is not so sensitive and would not need the same level of security to protect it.

    Describe the security you have in place within your Privacy Policy. Make sure you are actually following the security procedures you officially state you are following.

  4. Monitor and disclose any third party data access.

    Make sure that if any third parties collect data from visitors and users of your website or mobile app, this data collection is spelled out in the terms between you and the third party.

    Add a section to your Privacy Policy that describes this data collection and use by third parties.

    Here's how SurveyMonkey mentions that de-identified information from users is shared with third parties in their agreement:

    Aggregated or de-identified information to third parties to improve or promote our services. No individuals can reasonably be identified or linked to any part of the information we share with third parties to improve or promote our services.

    Require the same level of accuracy, detail, and disclosure of the third-party data collection and use practices as you do with your own practices.

  5. Always keep privacy in mind.

    Make sure that every aspect of your business takes privacy seriously. If you have a small business, this is easier to manage. If your business is larger, make sure that key departments are involved in your efforts toward good privacy practices, including HR, IT, Marketing, and any other departments that work with personal information.

    By keeping your Privacy Policy thorough and accurate, you can avoid many legal issues and problems, whether raised by users of your website or mobile app or by the FTC.
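Lessons 2 and 3 above amount to an engineering rule: the fields your Privacy Policy discloses should be the only fields your code stores, and each field should be handled according to how much harm its exposure would cause. The following is an added example (not code from the article or from any company it mentions) of a data-minimization gate in front of a signup form. The policy is modeled as a hypothetical allowlist of disclosed fields with a sensitivity level each; undisclosed fields submitted by the form are dropped and logged rather than stored, a birth date is reduced to an age bracket, and a high-sensitivity value is replaced by a keyed hash so the raw value is never kept. The field names, levels and the `PEPPER` secret are constructed for illustration.

```python
"""Data-minimization gate for a signup form (added example, not from the article)."""
import hashlib
import hmac
import logging
from datetime import date
from typing import Optional

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("privacy-gate")

# Hypothetical policy: the only fields the Privacy Policy says we collect,
# each with the sensitivity level that decides how it is handled before storage.
DISCLOSED_FIELDS = {
    "email":      "identifying",   # stored as submitted; needed to contact the user
    "birth_date": "anonymize",     # policy says we keep only an age bracket
    "ssn":        "high",          # policy says we never keep the raw value
}

# Constructed secret for keyed hashing; in production it comes from a secret store.
PEPPER = b"example-pepper-do-not-use"


def age_bracket(iso_date: str, today: date) -> str:
    """Reduce an exact birth date to a ten-year age bracket such as '30-39'."""
    born = date.fromisoformat(iso_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def tokenize(value: str) -> str:
    """Keyed hash of a sensitive value: lets us match a record later without holding the raw value."""
    return hmac.new(PEPPER, value.encode(), hashlib.sha256).hexdigest()


def minimize(submission: dict, today: Optional[date] = None) -> tuple:
    """Return (record_to_store, list_of_undisclosed_fields_dropped)."""
    today = today or date.today()
    record, dropped = {}, []
    for field, value in submission.items():
        level = DISCLOSED_FIELDS.get(field)
        if level is None:
            # Lesson 2: anything the policy does not disclose is never stored
            dropped.append(field)
            log.warning("dropping undisclosed field %r", field)
            continue
        if level == "identifying":
            record[field] = value
        elif level == "anonymize":
            record[field + "_bracket"] = age_bracket(value, today)
        elif level == "high":
            # Lesson 3: protection proportional to harm; raw value is not retained
            record[field + "_token"] = tokenize(value)
    return record, dropped


if __name__ == "__main__":
    # Constructed form submission; "zip" is not disclosed in the policy above
    form = {"email": "a@example.com", "birth_date": "1990-06-15",
            "ssn": "123-45-6789", "zip": "02139"}
    stored, dropped = minimize(form, today=date(2024, 1, 1))
    print(stored)
    print("dropped:", dropped)
```

The point of keeping the allowlist in one place is that a change to the Privacy Policy and a change to what the code stores become the same edit, which is how the "keep the agreement accurate" advice in lesson 1 stays true over time.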

Sara P.

Law school graduate, B.A. in English/Writing. In-house writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.