Like Phones, Privacy Policies Should be Easy to Use, with a Complex Infrastructure

Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what normal people say in 300 and a handshake. At the risk of defending verbosity, it turns out that behind each handshake contains a wide range of non-standard assumptions. Many (if not most) disputes arise when there is a misunderstanding about an unspoken assumption—the meaning of a word, or silence on a particular issue. That’s why it takes lawyers so many words to say something so simple; simple things are more complex than we thought.

Consider the telephone—an elegant piece of equipment which is exceedingly easy to use. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about the millions of miles of copper and fiber, routers, substations and central offices. The infrastructure isn’t a “necessary evil,” it’s just necessary.

Creative Commons is the legal equivalent of the telephone. While the human-readable version of the “Attribution Non-Commercial Share Alike” creative commons license consists of 5 images and 286 words, the legal version contains 3,384 words. Surely the work of a lawyer who needed to justify his existence, right?

Not so fast. The full license covers a range of essential topics that people don’t usually take time to think about.  These include media and language translation, public performance, DRM, collections of works, waiver of compulsory license fees, preservation of moral rights, limitation on author’s liability, and termination, just to name a few. Creative Commons is simple on the surface, but the elegance is supported by a complex legal framework. Saying that the legalese version of a Creative Commons License is a “necessary evil” is incorrect and misses the point. It’s not evil at all; it’s just necessary.

Privacy Policies: Not a “Necessary Evil,” Just Necessary

Like telephony infrastructure and the Creative Commons licenses, Privacy Policies aren’t a “necessary evil,” they’re just a necessary part of running a business. If your business has customers or employees, then you need to safeguard and use personal information. Your business must develop privacy practices unique to your business. Laws mandate that you protect personal information, but they do not usually establish privacy practices. That’s why you need a privacy policy.

Writing a privacy policy is a tall order because it must address the broad range of activities in which your company engages, and be as simple to use as a telephone.

Privacy policies should cover online as well as offline uses of personal information, because each use carries unique challenges.  As you establish Privacy Practices and your Privacy Policy, consider the following activities:

• Goods and Services Activities: Does your privacy policy cover the information collected at point-of-sale, your iPhone app, online store, and through PayPal? Does your software periodically send licensing, version, or other information to your centralized servers? Do you collect or share purchase history, preferences, and demographic information with employees, other people, users, or other companies?
• Employer Activities: Does your company have employees? How do you protect health, financial, employment, and personnel information? What contractual and technical protections do you offer employees?  Where is the information stored, and do you have physical and legal control over the servers?
• Customer Feedback Activities: Does your company conduct surveys, or invite customers to “Contact Us?” What might you do with that information?
• Financial Activities: Do you accept online payments? Do your retail outlets comply with all industry standards? Do you store credit card information?
• Education Activities: Does your company sell education material, or conduct certifications?
• Social Networking Activities: Does your company have a corporate blog that accepts user comments? Do you post to Twitter and YouTube? Does your company have a Facebook page? Do you gather aggregate usage information?  What information about your users, fans, commenters and online guests might you collect, and what inferences do you draw from the information?
• Network Provider Activities: Do you offer internet access to employees? Do you monitor your network activity or restrict access to certain sites?  Do your employees understand what they should consider private and what is accessible to the company?
• Government Activities: Companies which accept government contracts may be required to comply with a wide range of requirements, including background checks and increased security. What impact to these regulations have on your consumer and employee privacy policies?
• Healthcare Activities: Whether your company creates medical technology or devices, or merely provides healthcare insurance for employees, consider what types of information pass through your systems, and how it is protected?
• Non-Networked Activites: Even if your company is a locally owned Mom-and-Pop restaurant, a mechanic, or corner grocery store with no internet connectivity, what customer information do you collect and use? How do you store and safeguard your paper records? Do you properly shred or destroy old records?

You should cover each of these topics in a customer-facing Privacy Policy or an employee-facing Privacy Policy in your employee handbook.

Beyond the Basics

Once you’ve brainstormed the possible uses of personal information, you must be aware of some little-known US and EU regulations which can affect your privacy practices and policies.

Privacy in the Cloud. Cloud computing gives small companies instant access to Fortune-500 quality infrastructure at a fraction of the cost. Just like any sort of out-sourcing, Cloud computing may simplify your business model, but unless you’re careful, it may also seriously complicate your handle on intellectual property and personal information. You should determine what, if any, contractual obligations downstream service providers have to you. Also consider that the service providers may be located in a jurisdiction which has additional privacy regulations.

State Laws. A few state laws give specific guidance on what you should include in your privacy policy. For example, California law requires any company which collects personally identifying information over the Internet to conspicuously post a privacy policy. The privacy policy must identify the categories of personal information collected, how consumers will be notified of changes, and how to update personal information. Texas has similar requirements for any company which requires the disclosure of a social security number. Massachusetts requires encryption of personal information in certain circumstances.

Federal Law. The Children’s Online Privacy Protection Act (COPPA) puts stringent burdens on companies which knowingly collect personal information about children under 13. In order to avoid COPPA liability, companies must take active steps to avoid collecting personal information from kids. This means, for example, that if you ask for your users’ date of birth, you must deny access to those who indicate that they are under 13 years old. Your company should have procedures for preventing users from signing up using a different birth year, if the company finds out they are under 13.

European Union. Unlike the United States, which has adopted narrow privacy regulations aimed at mitigating specific threats, the European Union regulates privacy on a much broader basis. If your company transfers information from the EU to the United States, you must either comply with EU law or the EU “safe harbor” principles. The U.S. Commerce Department promulgates guidance on what to include in your privacy policy, to comply with the EU safe harbor provisions.

Copyright Law. Believe it or not, even copyright law can have an impact on privacy. The Digital Millennium Copyright Act (DMCA) includes a takedown procedure which can require site owners and service providers to report information about infringers to copyright holders, under certain circumstances. Even though the DMCA does not require companies to disclose their DMCA practices, it’s a good idea nonetheless.

This is by no means an exhaustive list of privacy statutes or regulations, but it should remind you that a privacy policy is more than just a formality.

7 Reasons

So to summarize, here are the 7 reasons you need a privacy policy:

1. If you have customers or employees, you need to safeguard personal information.
2. Laws do not usually establish Privacy Practices.  Privacy Policies create Privacy Practices.
3. Privacy Policies are often required by law or regulation.
4. Your business faces privacy challenges which nobody else faces.
5. Cloud Computing, Social Media, Goods and Services, Employer, and other activities pose unique challenges to handling personal information.
6. You must comply with specific regulations if you have customers or employees in specific states or the EU, or if your servers (or the servers of a subcontractor) reside in the EU.
7. Your company has affirmative privacy obligations with respect to minors under 13 years old.

Take Charge

As an executive, do these three things:

1. Read Your Privacy Policy.
2. Brainstorm. Using the list above, brainstorm all the activities, types of personal information your company collects (whether personally identifiable or not), and identify which jurisdictions through which the information may flow.
3. Evaluate and Update. Evaluate your privacy policy and employee manual to make sure that they cover the range of possible privacy implications.

Avoid a Legal 500 Error. Debug your privacy policy.

Legal Programming

By Aaron Titus

I’m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um practice. OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have knowledge, skill, and training. And if I wanted an iPhone app, I’d talk to a programmer. If I wanted legal documents, I’d talk to a lawyer.

In fact, lawyers are programmers. Writing legal documents—like privacy policies—is just like writing code.

Imagine that your boss tells you, “I need a widget. I’m sure other people in the open source community have done similar things. Just go grab some code and slap it together by the end of the day.” Of course, that’s crazy. You can’t just slap code together. In what language is the code written? Will it play well with existing code? How complete is the API? What are the requirements? What about security? What about debugging?

Yet this is exactly how we treat privacy policies. We go grab some “open source” or “boilerplate” privacy policy, slap it together with a boilerplate Terms of Service, and think we’re good to go. But unlike poorly-written code which will cause an error as soon as it is compiled, you won’t know whether you’ve created a Legal 500 error for months or years—long after it’s too late to fix.

Privacy Policy Principles

The purposes of a privacy policy are to: 1. Help inform and train your employees about your privacy practices, 2. Inform your customers about your privacy practices, and 3. Avoid liability and FTC action. As I explained previously, adhering to the following principles will allow you to accomplish all three goals:

• Be Honest. Your mamma was right: Honesty is the best (privacy) policy.
  • Don’t Over-Promise. Statements like “privacy is our top priority” may be enforced by the FTC as a privacy promise. Don’t box yourself into a corner.
  • Don’t Under-Promise. Under-promising can violate regulations and more importantly, scare off customers.
  • Tell the Whole Truth. Failure to talk about less-desirable privacy practices may be a misleading business practice.
• Be Complete and Conspicuous.
• Adapt to Changing Business Practices. A privacy policy which was accurate six months ago may not be today.
• Get it Right the First Time. Allowing yourself room to change will save headaches long-term, as material changes to privacy policies require additional consent.
• If you Say it, Do it. Generally no magic words are required in privacy policies. The best approach to avoid liability is to stick to your policy.
• It’s Your Business. As an executive, it’s your responsibility to make sure that your privacy policy is accurate and complete.

Custom Programming Your Privacy Policy

Nobody, especially the legislature, has solved your problems for you. If you create an innovative product or service, then it will raise new questions of law, ethics, and privacy which have never been asked or answered. You can’t expect that somebody else’s recycled privacy policy will meet your needs, any more than you can expect that recycling old code will yield innovation. Imagine for a moment that you have just developed an iPhone app. The app communicates with a smart scale using Bluetooth technology, then interfaces with the Google Health API to transfer a user’s weight history to the Weight Watchers website, then optionally posts the summarized results of the user’s weight loss to his Facebook page and Twitter account. Which of the following is true:

1. You can adopt HIPPA as your privacy policy. HIPPA privacy rules apply.
2. The FTC is interested in your privacy policy and practices.
3. You can later use the weight & contact information to market your next iPhone app, “Smart Dieter.”

The answers may surprise you:

1. False on both accounts: 1. HIPPA is not a privacy policy. Nobody, especially Congress has written your privacy policy for you. 2. Your customers are not protected by HIPPA regulations, because they probably don’t apply to you.
2. True. The FTC is always interested in your privacy policies and practices, and even passing assurances of privacy like “Privacy is our Number 1 Priority” may be enforced as a privacy promise.
3. Probably Not. Unless you have written a clear privacy policy that puts your customers on notice, you may be prohibited from reusing their personal information for any reason, even if they would have consented to such a use.

Your privacy policy must reflect your unique business processes, your unique business model, and your unique user needs. If you think that Congress (or anybody, for that matter) have answered the new questions of privacy raised by your iPhone app, then I have a bridge in Brooklyn I’d like to sell you. Even if HIPPA privacy regulations applied (which they don’t), I can guarantee that they were not written with your app in mind. Likewise, if you are doing anything truly innovative, any canned privacy will fail to meet your needs.

Boilerplate legal documents can get people and companies in trouble. Although sometimes there are magic words from a statute or regulation that should be quoted to order to protect your rights, most boilerplate is not magic—it’s lazy. Lawyers do a lot of legal debugging, because improper boilerplate language can be downright harmful. Unless you do your own legal programming to meet your individual needs, you are sure to accidentally waive a right, break the law, incur the ire of the FTC, or create a contradiction and cause a “Legal 500 Error.”

A Living Document

Because technology, business needs, and information demands constantly change, you must consistently update your privacy policy to reflect those changes. Fortunately, privacy policies are extremely flexible documents, with very few formal legal language or “magic words” requirements, so updating them is easy… if you remember to do it. CEOs often find that adapting a business plan to changing market conditions is time-consuming, and privacy policies can fall by the way side.

Before you update your privacy policy, though, keep in mind that there may be consequences to making material changes. When you revise a policy, information collected under the former policy must still be treated according to the terms of the original Privacy Policy, unless you get some sort of assent from your customers, or face the potential ire of the FTC. It is always better to get it right the first time.

Take Charge

As an executive, do these three things:

1. Read Your Privacy Policy. First, do you understand what the policy means? Second, how does the privacy policy translate to concrete business practices in each of your departments? Third, does the policy match actual practice? Fourth, what is missing from your privacy policy that a reasonable customer would want to know about? Fifth, what changes must you make to your business practices (or the privacy policy) to make them the same?
2. Regularly Update Your Privacy Policy. Many companies have internal processes to regularly review and update business plans, department objectives, security, and compliance. Make sure that your privacy policy is on your list of documents to review.
3. Do a Privacy Policy Legal Review. Avoid a “Legal 500 Error” by making sure that your privacy policy is complete and compliant.

Image based on Three Poppies by Federico Ferrari.

by Aaron Titus

In late June, 2009 I attended the Privacy Bar Camp DC (Twitter: @PrivacyCampDC) organized by Shaun Dakin with support from the Center for Democracy and Technology, and conducted at the Center for American Progress. I confess that I attended primarily to aid my job search (psst… that was a shameless, self-promoting plug), but ended up having a great time. Bar camps have an ingenious format which promotes a high degree of participation, interaction, and brainstorming. They have nothing to do with a state legal bar, nor camping. And the genius is, they don’t have an agenda.

About 50 people showed up Saturday morning, and after a brief round of introductions, everyone interested in leading a discussion pitched their ideas to the group. Then each discussion was placed on a grid schedule with four rooms, each with four sessions. The “camp” ran all day, and each attendee chose which combination of the 16 sessions they wanted to attend. Each session was highly interactive, spontaneous, and collaborative.  The topics ranged from Government and Web 2.0 to “Empowering Big Brother,” to Open ID, to lock-picking (my personal favorite). Thomas “cmdln” Gideon and I hosted a session on “Personal Information as Property and the Platform for Privacy Preferences (P3P).” During the discussion, the concept of “Privacy Commons” came up, and several of the session participants agreed to work on the idea.

Privacy Commons

We soon had a group interested in developing the idea, and have been working on it since. Modeled in the spirit of Creative Commons, Privacy Commons (PC) aims to help individuals and organizations clarify privacy expectations, practices, rights, and mutual responsibilities by providing a series of comprehensive model privacy policies.

I admire what the Creative Commons movement has done for copyright. With its easy-to-understand concepts and clear iconography, Creative Commons is successful because it embodies commonly held cultural notions of intellectual property and copyright, which are otherwise absent from the law itself. Creative Commons fills the gap between what the law is, and what many think the law should be. Likewise, Privacy Commons will be successful only when it can identify, articulate, and empower under-served cultural expectations of privacy with easy-to-understand concepts and clear messages.

The Need for Complete, Informative, and Enforceable Privacy Policies

Privacy policies in the United States suffer from several deficiencies. First, they are often unsophisticated and incomplete. They often fail to protect an appropriate scope of information or individuals. Second, many privacy policies waive, rather than confer, privacy rights. But most importantly, courts have consistently interpreted privacy policies as unbinding notices, rather than contracts. In other words, privacy policies are unenforceable, and a victim of a privacy policy breach usually has no enforceable rights. As a result, privacy policies can have the unfair effect of creating an expectation of confidentiality, privacy, special technological protections, or even fiduciary responsibility even where there is none.

Protecting Personal Information via Contract vs. Intellectual Property

Intellectual property (IP) law is not an appropriate legal framework to protect personal information because nobody owns personal information. Personal information are facts, which are not copyrightable. Unless a person is famous, a name or SSN can’t be trademarked. An address probably does not qualify for trade secret protection, and a date of birth is certainly not patentable. Even if some sort of property right accrued to personal information, it would most logically belong to the originators of the information. For example, parents would logically “own” a child’s name and date of birth, since they created them. The government creates social security numbers, and the credit card companies create credit card numbers. The post office creates addresses, and the phone company creates phone numbers. Even third parties create gossip (beneficial or harmful), and it would be difficult to draw a line distinguishing a person’s ownership interest in gossip or other third-party-created personal information.

In contrast to Creative Commons (which operates under IP licensing law), Privacy Commons is structured around principles of contract, where two parties can bind themselves to mutual obligations through offer and acceptance. Each model privacy policy would exist between a Data Steward (Steward), and a Data Subject (Subject). A PC Policy may be converted into a contract when the Steward and Subject formalize the policy through contract principles of offer, acceptance, and consideration.

What do you think?

There is an ad-hoc working group and a Privacy Commons Wiki, which is starting work on the project, and has already published a few articles on mission, scope, and approach. The wiki is closed (to prevent spam), but logins are liberally granted with a simple e-mail. I, for one, find the project pretty exciting.