When adopting a privacy policy for your business, it can be tempting to simply cut and paste a privacy policy you find on someone else’s website. But that poses two problems. First, it’s considered copyright infringement, since someone else has published their policy and you are taking it, presumably without consent, for your own business’s use. Second, it’s just a bad idea, as your business needs a privacy policy tailored to your business.
Businesses need a good privacy policy that tells the public which information the business is capturing, how that information is being used, whether the information is being shared, and how the customer can control the use and sharing of that data. Having such a privacy policy may be legally required for your business, and it can also protect your business from a spillover effect when there’s a data breach in your business’s industry.
Disclosures to the public about privacy practices must be completely accurate and must be clear and conspicuous, as demonstrated by the Federal Trade Commission’s recent settlement with PayPal. In that matter, as set out in the FTC complaint, PayPal allegedly described its protection of customers’ financial information as subject to “bank-grade security systems and data encryption.” According to the FTC, that was false, since PayPal failed to provide security notices of account changes, allowing hackers to take over some consumer accounts. PayPal also allegedly failed to have a written information security program, failed to assess reasonably foreseeable risks, and failed to provide adequate customer support to investigate consumer reports of the compromise of their accounts. In addition, the FTC charged that PayPal’s privacy notices were not in clear and conspicuous places, being accessible in a dark grey typeface against a light grey background, were inaccurate with regard to default settings, and were not delivered reasonably. The FTC brought its case against PayPal as a violation of the Gramm-Leach-Bliley Act, but the FTC’s message that privacy policies must be accurate and clear and conspicuous transcends the financial services industry.
When you take what’s legally required and couple that with giving your customers control over their data, your privacy policy can become a tool to solidify your customer relationships. For instance, a data breach at one company often damages the reputation of other companies in the same industry, but a good privacy policy works to shield a business from that spillover effect. A recent study by Harvard Business Review found documented proof that a transparent privacy policy that gives customers control over data uses protects companies from data breach spillover effects. HBR found, “In our studies, customers did not punish breached firms that provided both transparency and control. Empowered customers are more willing to share information and are more forgiving of data privacy breaches, remaining loyal after the fact, as we learned.”
Don’t take your business’s privacy policy for granted. It serves an important function for your business’s customers and can go a long way to creating a “sticky” customer relationship. And, if not done right, it can become a source of liability for your business.