
Does your company use technology to track and link consumers’ behavior across multiple Internet-connected devices? If so, you should evaluate whether your company’s privacy policy accurately and clearly discloses such cross-device tracking as well as any choices you offer, and consider whether you track sensitive topics across devices.

Are you overpromising on security? Only some types of businesses might increase sales by making strong security promises in their privacy policy, but every business will have their privacy policy scrutinized for misrepresentations in the event of a security breach.

Does your privacy policy explain the circumstances necessitating disclosure of information to the government pursuant to legal process and whether you are going to inform users when such demands are received?

Do you participate in a privacy or data security seal program? Were you once Safe Harbor certified? If “yes” (and probably even if “no”), then you will want to review your privacy policy and your site to confirm that statements about your memberships and distinctions are accurate and current.

Has your company created a branded mobile app? Did you update your privacy policy to include the mobile data you collect, and how you share and use that data? We’ve provided a brief outline of some key points to keep in mind as you update your privacy policy when you become an “app developer.”

Does your privacy policy contain a provision reserving the right to share all data collected in the event of a corporate sale or transaction?

1. CROSS-DEVICE TRACKING

2. LAW ENFORCEMENT REQUESTS

3. MEMBERSHIPS AND DISTINCTIONS

4. MOBILE APP DATA

5. SHARING DATA

6. OVERPROMISING


CROSS-DEVICE TRACKING

Recently, the Federal Trade Commission issued recommendations for entities engaged in cross-device tracking. First and foremost, all companies conducting cross-device tracking, both companies that have relationships with consumers and those that provide third-party services, should truthfully disclose their practices to consumers and business partners. Failure to do so could violate the FTC Act and expose a company to class action lawsuits. If your company conducts cross-device tracking, your privacy policy should accurately explain the data and devices that you are linking and the purposes of such tracking. Throughout your privacy policy, be cautious about referring to data as “anonymous” or saying you do not share “personal information.” Certain cross-device tracking and sharing practices could undercut such representations. Be honest about any choices consumers have to prevent cross-device tracking or to prevent a particular device from being included in cross-device tracking, and honor those choices. The FTC also indicated that for cross-device tracking of sensitive information such as health, financial, children’s, or precise geolocation information, it is insufficient to provide only a privacy policy notice about such practices. Instead, the agency said companies should obtain affirmative express consent before engaging in cross-device tracking of sensitive topics. FTC recommendations are often followed by enforcement. You can help avoid becoming a cross-device tracking example by ensuring your company’s promises accurately reflect its practices.


LAW ENFORCEMENT REQUESTS

Law enforcement in the United States and abroad is seeking an increasing amount of information from technology companies. Your privacy policy should set forth the circumstances under which you will disclose information in response to those requests and obtain consent for disclosures where you believe (in good faith) that such compliance is required by law or in an emergency. Obtaining such consent will help you where you have made a production in circumstances in which the law is unclear, or where it is later ruled that law enforcement did not have proper authority to make the demand. Also, you should use the opportunity to be clear about which country’s law governs your ability to produce data, and consider whether you want to make any promises to your users about giving them notice of such demands or challenging gag orders issued by the government. Both may help you receive a positive rating from the EFF in its annual report on company practices, and both are generally well received by users.


MEMBERSHIPS AND DISTINCTIONS

Consumers rely on statements about self-certification and other types of memberships as an indication of regulatory compliance and best practices. Accordingly, the Federal Trade Commission has brought cases against companies for misstating their membership in the Safe Harbor and Privacy Shield programs, including by allowing their certifications to lapse without updating the statements on their site. Although it may seem like common sense to update these representations, these kinds of details are easily overlooked. Confirming that statements in the privacy policy accurately reflect your memberships or participation in seal programs should be part of your routine privacy policy hygiene. Additionally, you will want to review your site generally to ensure that the way this information is presented is not unintentionally misleading, especially as it becomes dated. For example, if your site received a seal program’s stamp of approval or distinction two years ago, then you will want to add a qualifying date, as the average user would likely understand that representation as referring to a current approval. Taking these few basic steps should reduce your exposure to potentially straightforward deception claims.


MOBILE APP DATA

Many companies are fastidious about including in their privacy policies detailed descriptions of the data they collect through their website, and how they use and share it. Yet those same companies sometimes drop the ball when they release a branded mobile app, perhaps thinking that the app will only reach a discrete audience of “brand ambassadors.” That is a mistake, because data collected from mobile applications can be every bit as “material” as data collected through a website. With this in mind, we recommend that companies releasing a mobile app add to their privacy policies descriptions of:

  • The mobile data collected, e.g., mobile ad identifiers, device information, usage data
  • How the data is collected and whether third parties (or third-party SDKs) are involved
  • How the data is used, and what third-party use cases you’re enabling. For instance, if you’re enabling cross-app advertising or cross-device graph creation, you should explain that, along with how users can opt out, e.g., via device settings (and remember to respect those opt-out settings)
  • And, if you’re collecting or helping third parties to collect precise location data, how you will make that transparent to users; consider this carefully


SHARING DATA

There have been a number of FTC enforcement actions and State AG cases against companies whose privacy policies contain a blanket prohibition on sharing user data with third parties, but which then attempt to sell user data as an asset as part of a corporate transaction. In order to transfer data in the event of a future business transaction, companies should ensure that their privacy policies contain a provision reserving the right to share data in these circumstances. Doing so will reduce the regulatory hurdles involved in a transaction.


OVERPROMISING

Long ago, security fears kept many consumers from making online purchases. To win their business, companies made bold security representations like “Your security is guaranteed,” “Your data is safe with us,” or “100% secure.” While these assurances contributed to the growth of e-commerce, they often were false. Companies that made these claims and then experienced data breaches began to find themselves in the crosshairs of class action lawsuits and regulatory investigations for deception. For example, many of the FTC’s privacy deception cases have targeted misleading security claims. Still, these claims remained popular, probably for two reasons: (1) businesses’ continuing desire to reassure consumers and (2) rampant plagiarism of outdated privacy policies. Though data breaches are now more common and more severe, consumers have nonetheless overwhelmingly embraced the Internet. Making false security promises thus carries more risk while presenting less reward. So take stock of your security representations (e.g., in your privacy policy and marketing materials). Consider their legal necessity (often none) and whether they bring in enough additional business to justify their risks. For some companies, they’re worth it, but most companies can tone them down without any significant loss of business. Most importantly, if you use them, they have to be true.
