The development of a website privacy policy is much more complicated than “we do not share your information”. In fact, it is highly likely that if this is your privacy policy, you are already out of compliance with your own policy.
Why is developing a privacy policy so complicated?
Personally identifiable information (also known as “PII”) comes to a business from many sources. Unless the only individuals that have access to personally identifiable information are employees of the business, the simple statement “we do not share your information” cannot possibly be true. If the website is hosted by another company, that company and some or all of its employees have access to your customers’ personally identifiable information. If you utilize an independent contractor or a temp from an agency who processes or has access to any personally identifiable information, again, you are not in compliance with your own privacy policy.
In order to develop a realistic privacy policy that you will be able to comply with, it is important to review all points of contact with personally identifiable information that the business receives. Once this is done, it is important to analyze each contract with the other business or independent contractor to ensure that the contract requires compliance with your privacy policy. It is also important to understand the data and physical security measures that you and each business or independent contractor that touches the personally identifiable information have in place. After these tasks have been completed, it is possible to develop a privacy policy that you will likely be able to comply with.
The Federal Trade Commission has recently been active in policing privacy breaches where personally identifiable information has been compromised. In addition, in the event you do not comply with your own privacy policy, you may be subject to a lawsuit from an injured private individual.
Do you intend to take personally identifiable data into the United States from a European Union member country? The European Commission’s Directive on Data Protection went into effect in October of 1998, and would prohibit the transfer of personally identifiable data to non-European Union nations that do not meet the European “adequacy” standard for privacy protection. Unlike the European Union, which relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personally identifiable data may be utilized, the United States uses a less comprehensive approach that relies on a mix of legislation, regulation, and self-regulation. In order to bridge the gap between the different approaches and to permit personally identifiable data to be transferred from a European Union country to the United States, the United States Department of Commerce, in consultation with the European Commission, developed a “safe harbor” framework. I can assist you with the Safe Harbor filing and certification as well as implementing the procedures necessary to qualify for Safe Harbor status.
I can perform a privacy audit for your business so that you can understand what steps you must take in order to be in compliance with applicable law and your own privacy policy.
Questions about privacy? Please contact me.