What Is a Privacy Policy and What Does It Do?

December 22, 2014

Titles can be misleading. There are many lists and articles online pointing out how audiences can be misled by movie titles, book titles, headlines and even short titles for legislation. Which brings me to privacy policies. According to a recent Pew Research Center survey, 52% of polled internet users responded incorrectly to the following:

True or False: When a company posts a privacy policy, it ensures that the company keeps confidential all the information it collects on users.

The correct response to this statement is “False”.

A privacy policy is a statement that notifies users about the website operator’s practices concerning the collection, storage, use and disclosure of information, including personal information. While a privacy policy may state that the company keeps all of a user’s information confidential, the language of the policy itself will govern what an entity may or may not do with the collected information.

In Pennsylvania, there could be criminal repercussions for entities that publish false or misleading statements in their privacy policies. 18 Pa.C.S. Section 4107(a)(10) makes it a crime when an entity in the course of business “knowingly makes a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public” with certain limited exceptions.

Depending on the type of business or its target audience, certain federal laws could require certain privacy notices, restrictions and requirements in addition to typical privacy policy terms. For example:

  • The Health Insurance Portability and Accountability Act (“HIPAA”) requires certain health care and related organizations to include specific privacy notices for online services.
  • The Gramm-Leach-Bliley Act governs certain financial institutions regarding their information-sharing practices.
  • The Children’s Online Privacy Protection Act (“COPPA”) imposes certain requirements upon websites that knowingly collect information about or target children under the age of 13.

The terms of a privacy policy also come into play upon an acquisition of a business. In Borders Group, Inc.’s 2011 bankruptcy sale and the acquisition of its customer information by rival bookseller Barnes & Noble, a term in Borders’ privacy policy became an issue because it had promised that customer information would not be sold without customers’ consent. Barnes & Noble almost withdrew from the deal because it had believed that it was receiving complete, unfettered access to Borders’ database of customer information. As an eventual compromise, reached after Federal Trade Commission intervention, the bankruptcy court ordered that Borders customers be notified of the transfer and be given the opportunity to withhold their personal buying history and contact information from Barnes & Noble.

There is no one-size-fits-all solution for a privacy policy. Does your website need a privacy policy? If so, do you have one that accurately describes how your business collects, stores and uses information? Has it been reviewed by counsel recently?

Matt Landis is an attorney at Russell, Krafft & Gruber, LLP, in Lancaster, Pennsylvania. He received his law degree from Widener University and practices in a variety of areas.