Francoise Gilbert

Many companies post on their websites a statement indicating that they care about the privacy of their customers or users, and then describe in general terms their policies with respect to certain categories of personal information. The golden rule for these privacy statements is “Say what you do, and do what you say you do.” Let’s assume that the company actually “said what it does”: that the disclosures in its privacy statement are accurate, complete, and up-to-date, and that they clearly describe the company’s commitment to protect personal information. How, then, does it ensure that it “does what it said it does”?

How can CEOs and Boards of Directors ensure that the company in their custody actually does what its privacy statement provides? Failure to act in accordance with its privacy statement could cause the company to be investigated by one or several of the Federal or State enforcement agencies. These enforcement actions have often resulted in the investigated entity agreeing to be supervised by the enforcement agency for 20 years, as was the case recently in the Google matter. Fines in the millions may have to be paid, as was the case for Sony, ChoicePoint, and others. The company could also become the target of a suit for fraud and misrepresentation, breach of contract, negligence, and much more. There, again, the disruption, damages, and lawyers’ fees could be crippling.

To ensure that it acts in accordance with its public commitment to protect the privacy of its users and customers, a company must have a “Privacy Program” that addresses as appropriate the different aspects of privacy protection that attach to the personal information that it collects, processes, or shares with third parties. In the recent settlement of the Federal Trade Commission investigation of Google, Inc., the FTC has provided its views and requirements for a “Privacy Program.” This excellent and concise description can serve as a blueprint for companies that understand that they must build a Privacy Program to implement and support their privacy statements.

According to the Federal Trade Commission, a Privacy Program intended to protect customer and third party information must meet the following requirements:

Design and Analysis

The Privacy Program must be reasonably designed to:

  • Address the privacy risks related to the development and management of new and existing products and services for consumers; and
  • Protect the privacy and confidentiality of personal information.

Meeting the Needs of the Company

The Program must contain privacy controls and procedures appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information that it has committed to protect, or that it is required by law to protect.

Components of the Privacy Program

The Privacy Program must include at least the following:

  • A responsible person

The company must designate one or several individuals to coordinate and be responsible for the Privacy Program.

  • An analysis of needs

The Program must identify what personal information is to be protected according to the promises made in its Privacy Statement(s) and its other legal obligations. It must then identify the reasonably foreseeable, material risks, both internal and external, that could result in the company’s unauthorized collection, use, or disclosure of personal information.

  • An assessment of the risks

The program must include an assessment of the sufficiency of any safeguards in place to control the risks of unauthorized collection, use, or disclosure of personal information. This assessment should include consideration of risks in each area of relevant operation. At a minimum, this assessment should include an assessment of the design and development of products, and the management and training of employees.

  • Privacy Controls and Procedures

Reasonable privacy controls and procedures should be designed and implemented to address the risks identified through the privacy risk assessment.

  • Testing and Monitoring

The effectiveness of these privacy controls and procedures should be regularly tested and monitored. Employees who violate them should be disciplined.

  • Control of Service Providers and Third Parties

Reasonable steps and measures should be developed and used to select and retain service providers capable of appropriately protecting the privacy of personal information that these third parties receive from the company. Written contracts should require these service providers to implement and maintain appropriate privacy protections.

  • Evaluation and Adjustment

The Privacy Program should include a process that ensures that the Program is periodically evaluated and adjusted in light of the results of the testing and monitoring and of any material changes to the company’s operations or business arrangements, and any other circumstances that the company knows or has reason to know may have a material impact on the effectiveness of its Privacy Program.

Documentation

The content and implementation of the Program must be documented in writing.

The program described above is intended to address the protection of customers, clients, and other individuals with whom a company interacts. A slightly different guidance would apply in the case of the collection and processing of employee personal information, since this information is usually collected in a different manner, held and used by different people, and is subject to different laws. However, all companies do have a legal obligation to protect the personal information of their employees, and they would equally benefit from taking the steps described above to ensure the proper protection of their employee personal information.

Action Item

It is not enough to make statements and representations in a document. A company or other entity that wants, or is required by law, to have a privacy policy must also adopt a plan, or Privacy Program, that identifies and implements the appropriate policies, procedures, processes, and measures – including discipline – that are needed to ensure that there is substance behind its privacy statement, and that the policy that the statement describes is actually implemented and followed.