25 June 2019
Practically every website and mobile app collect some form of personal information from those who use or visit websites and mobile apps.
A few years ago, Compete.com made a costly mistake with their legal agreement. One that teaches a very important lesson to business owners about how to draft their legal agreement to be correct.
Their agreement stated that they would make reasonable efforts to remove any personally identifying information collected about its users before transmitting the data, and purge this data from their servers.
In practice, Compete was collecting more personal data than they were disclosing, including sensitive data, and was not making efforts to erase at once this data before transmitting. The transmission of data was found to be done in a very insecure way.
Not only was Compete violating Federal Trade Commission ("FTC") requirements of how personal data must be handled, but they were also misrepresenting how they did collect and handle it.
There are five main lessons that can be learned from this case and from others to help prevent issues such as these.
Being vague or general isn't good enough.
It can't be stressed enough how important it is to be accurate in your agreement. If you aren't sure exactly what data is being collected on your website or mobile app and how it is being used, you must figure this out and be certain of it.
Don't collect more data than is necessary for the purposes you want it for, or other than what you say you are collecting. If you say you only collect certain data, such as email addresses, that is the only data you must then collect. You cannot then also collect zip code information without disclosing it.
You should take precautions to avoid collecting unintended or undisclosed extra data.
The FTC is very strict about protecting the privacy of individuals while using websites or mobile apps.
Use algorithms, filters, secured servers, anonymization tools, and other available resources to keep user data safe while collecting, storing and transmitting it. A good standard practice is to use levels of security appropriate for the level of harm or damage that would be caused if the data were to be compromised.
Another good practice is to enable SSL across all your website pages:
For example, social security number information or bank account information must be highly secured, while the anonymous collection of birth date data is not so sensitive and would not need the same level of security in order to shelter it.
Make sure that if any third parties collect data from visitors and users of your website or mobile app, this data collection is spelled out in the terms between you and the third party.
Here's how SurveyMonkey mentions that de-identified information from users is shared with third parties in their agreement:
Aggregated or de-identified information to third parties to improve or promote our services. No individuals can reasonably be identified or linked to any part of the information we share with third parties to improve or promote our services.
Require the same level of accuracy, detail, and disclosure of the third-party data collection and use practices as you do with your own practices.
Make sure that every aspect of your business is serious about privacy. If you have a small business, this is easier to manage. If your business is larger, make sure that key departments are involved in your strive for good privacy practices, including HR, IT, Marketing, and other important departments that work with personal information data.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.