Drafting Privacy Policies

Posted on 11-14-2016 by
Tags: IP, Lexis Practice Advisor, technology, privacy policies

Privacy policies are designed to inform customers and users about a company’s use and sharing of consumer data. Typically this applies to companies operating websites, mobile apps and social media platforms, although any company may have a privacy policy. Elizabeth C. Rogers, Shareholder in Greenberg Traurig’s Cybersecurity, Privacy and Crisis Management practice group, offers these suggestions about what information should be included in a privacy policy:

In drafting a privacy policy, you may need to balance the completeness of the information conveyed in the policy with conciseness so that the result is approachable and is more likely to be read and understood. Jargon and legalese should be kept to a minimum, and hyperlinks to definitions or terms of art (e.g., cookies or data controller) should be included.

The policy should contain at least the following information:

  • What personal data is collected
  • How the data is collected (e.g., is the data collected directly from the consumer or from third-party sources?)
  • How the data will be used and protected (e.g., are there reasonable security safeguards in place?)
  • Whether the data will be shared with any affiliates or unrelated third parties for marketing (or other) purposes
  • The consumer’s rights and choices (e.g., any right to access the data and make corrections; rights and/or choices regarding data collection, use, and sharing)
  • Any opt-out or opt-in procedures
  • How cookies are used (cookies are small text files that a website transfers to a consumer’s hard drive or web browser and that are used to track user preferences, often for analytics and marketing purposes)
  • The organization’s contact information (e.g., an e-mail or postal address)
  • The effective date of the policy

Other information may be required depending on the states or countries where your client does business, the laws and regulations governing your client’s industry sector, and whether your client’s website targets children under the age of 13.

The policy should be flexible enough so that it will not need frequent changes. To this end, you should consider how the organization collects and uses data, not only presently, but in the future. For example, a company may not currently share information with affiliates for marketing purposes but may decide to do so at some later time. To account for this possibility, the privacy policy should state that information that a customer provides in connection with completing a transaction may be shared for marketing purposes with affiliated entities and unrelated third parties. Other potentially foreseeable collection and use should also be stated in the policy, which will help keep the document flexible and relevant.

For complete privacy policy guidance concerning the types of information collected, legal and regulatory considerations, federal and state privacy laws, and policy disclosure and adherence, view the Lexis Practice Advisor Journal website or visit the Lexis Practice Advisor IP & Technology module.
