We've all become accustomed to clicking through privacy policies (or terms of use agreements, acceptable use policies, etc.) without thinking much about them, but for tech businesses, privacy policies are an important way to protect their rights and inform their customers about what data will be collected and how it will be used.
TRUSTe, a data privacy company, surveyed 1,700 small and medium businesses and found that a majority failed to take important privacy measures, including having a privacy policy and informing their users about the use of private data. If you want to avoid major liability expenses for your business, it’s important to avoid that mistake.
To help protect your liabilities, TechInsurnace has made available for free download this privacy policy template, which you can adapt to fit the specifics of your business. So how does a policy like this work? And what you need to do to protect your business?
To get to the answer, let’s take a look at these two questions.
- What should a privacy policy do?
- What are my legal obligations to users?
Privacy Policy Basics: What Should a Privacy Policy Do?
Privacy policies are about disclosures. Through this document, you explain to customers how you use their data and what services they can opt out of. Typically, a privacy policy will disclose the following:
- What data you collect. Be specific. Explain what information you will take, including names, addresses, phone numbers, email, credit cards, financial information, etc.
- How you use data. Inform users if you plan to add them to an email list or share their information with marketers.
- With whom you share it. You may not think you "share" customer data, but think more closely. If your business uses Google AdSense or other advertising on its page, you may have to disclose that these businesses use cookies to track user information. Do you use PayPal or another vendor to manage payments? Do you share user addresses with third-party companies to process or ship orders?
- What a user can opt out of. Explain the user's rights to manage their data. Tell them how to opt out of certain features, emails, or other services.
- What security measures you take. Explain your general security protocol. Tell users what data is encrypted, how you limit access to it, what your data loss prevention plan is, and how you will contact them about a data breach.
What Are Your Legal Obligations to Users?
If your business handles private data, you need to understand the various regulations that govern its use, storage, and management. Our article "Cyber Law Essentials" details some of the most important regulations that might apply to you. Here's a rundown of four cyber security laws you need to know:
- Children Online Privacy Protection Act. Did you know it is illegal to store children’s private data on your networks? This year, the startup social networking company Path had to pay an $800,000 fine after failing to delete the temporary data it had on its servers. For more on this law, visit the FTC's frequently asked questions about the Children Online Privacy Protection Act (COPPA).
- State data security laws. There is no federal law that standardizes how business should protect data and respond to security breaches (with the exception of HIPAA and HITECH, which are discussed below). Instead, states determine your legal duty to respond to a data breach, how quickly you should contact users, and what agencies you need to report it to.
- HIPAA and HITECH medical data regulations. If your business works with medical data (or financial data for medical payments), you'll need to follow these strict guidelines. Under HIPAA and HITECH laws, IT firms must take extra steps to encrypt, protect, and limit access to data. For a detailed explanation, see "HITECH: The Strictest Data Protection Law."
- Data Protection Act of 1988. This European Union law governs the use of data for its citizens. The E.U. and U.S. Department of Commerce have set up a series of guidelines for U.S. companies to follow while handling the data of E.U. citizens.
Understanding these laws and how privacy policies work is vital for any IT professional, regardless of whether you're working on your own projects or a client's. If you're a computer programmer designing a web app or a computer consultant helping a client, as you customize your privacy policy, make sure your policies fulfill the business's legal obligations to protect user data.
