Privacy Policies and Notices

Every business, regardless of its size or line of business, should prepare, adopt, disseminate and follow appropriate policies and procedures with respect to protecting the privacy rights of its customers, employees and business partners.  One of the cornerstones of a privacy program is a comprehensive privacy policy or notice that is made available to customers and other parties from whom nonpublic personal information may be collected.  At a minimum, a comprehensive policy or notice should include the following:

  • An explanation of the reasons that the company collects personal information from its customers and other parties;
  • A description of the specific types of personal information that the company regularly collects from its customers and other parties including examples of activities and transactions that will typically include information collection;
  • A description of how the personal information collected by the company may be used in the company’s day-to-day activities and in the course of providing products and services to its customers;
  • When applicable, a discussion of how personal information is collected and used when customers purchase gift cards and use other online services;
  • A statement that information which visitors to the company’s web site voluntarily disclose in a public fashion (for example, in a public forum or comment area) is public and is not subject to the protection obligations assumed by the company;
  • A description of when and how the company discloses personal information and the steps that must be taken by customers and other parties to restrict such disclosures;
  • A description of the measures taken by the company to protect personal information collected from customers and other parties;
  • A description of the procedures which customers and other parties can follow to access their personal information to verify the accuracy of such information;
  • A statement regarding the suitability of website content for children and other information required by federal and state laws regulating online marketing of products and services to minors;
  • Instructions regarding how answers can be obtained to any further questions a customer or other party might have regarding the company’s privacy policy.

Statutes and related regulations play a significant role in the form and content of privacy policies and procedures, and organizations must be mindful of the industry-specific requirements to which they may be subject.  For example, financial institutions publish their privacy principles in the form of a privacy notice that must be delivered to consumers who have a sufficient level of business contact with the institution.  The form of the privacy notice for a financial institution is determined in large part by the requirements of the federal Gramm-Leach-Bliley Act, and financial institutions, such as banks, will generally prepare a lengthy form of notice that includes additional information that may be of interest to consumers regarding the protection of their private information.  Health care providers and health plans should draft their privacy notices to conform to the requirements of the federal Health Insurance Portability and Accountability Act of 1996.

The content in this post has been adapted from material that will appear in Business Transactions Solutions (Fall 2008) and is presented with permission of Thomson/West.  Copyright 2008 Thomson/West.  For more information or to order call 1-800-762-5272.
