If your startup has a website or mobile app, it almost certainly needs a privacy policy that describes your company’s privacy practices and includes other disclosures required by law. While less exciting than refining your search engine optimization, your privacy policy is a foundational element to doing business online.

The following are some suggestions that you should consider the next time you are preparing or updating the privacy policy for your startup.

1. Do What You Say and Say What You Do 

The most difficult and most important part of preparing any online privacy policy is making sure that you have a solid understanding of how the online service will work, what information it will collect (including the collection of information by third parties), and how you anticipate using and disclosing the collected information. This is particularly difficult to ascertain if your online service or website is still under development and the final functionality is not yet set.

The policy should be an accurate reflection of how the website actually functions. Most of the time it will be advisable to set forth this description in accurate but general terms so that the privacy policy does not need to be modified every time the website is changed.

This means that you will need to look at not only how the website currently functions, but also how the website is reasonably expected to operate in the future. If the policy includes any affirmative or negative commitments, then those must be understood and fully incorporated into your company’s operations prior to the launch of the policy.

2. Policy Templates Are Only a Starting Place

While templates can be a helpful place to start, they cannot replace the individualized scrutiny needed to create an online privacy policy that is appropriate and legally defensible. Just like there are no one-size-fits-all websites, there are no “basic” or “standard” privacy policies that can be used without thoughtful examination. As with all legal matters, it may be necessary to consult with a trained privacy professional to help you create or update your privacy policy.

3. Never Say Never

Some people may think that absolute terms like “always” and “never” sound friendlier to your customers, but they are also fertile ground for problems. We frequently see policies use absolute terms to express sincerity, as in “of course we would not share your information in a way that you would not appreciate,” instead of as purely factual statements of what the company does or does not do.

It is rare that something is entirely one way or the other and absolute terms should be used sparingly. When you see absolute terms, it is a good opportunity to ask what exceptions, if any, would make the statement untrue.

Absolutes are also frequently found in internally inconsistent statements included within privacy policies. For example, “We never share your information with third parties, except as provided in this policy.” The policy then goes on to list all of the numerous ways that information is shared with third parties. While grammatically correct, these types of internally inconsistent statements are more likely to confuse the reader than clarify your privacy practices and should be avoided.

4. Finalizing the Policy Is Just the First Step

It is advisable to work within your company to develop a checklist that is based on the contents of your privacy policy. This checklist can be used by the applicable business teams to periodically check to ensure that the underlying business processes that are necessary to fully implement the privacy policy are in place.

For example: Is the opt-out mechanism in place and functioning properly? Are internal business rules in place to restrict the unauthorized sharing of information collected from the website? And, as simple as it sounds, is the contact email address listed in the policy being regularly checked? Because websites will change over time, there also must be an internal procedure to confirm the continued accuracy of the privacy policy when any material changes are made to the website.

5. It Is Not Just Your Privacy Policy

Privacy representations are not limited to privacy policies. They can be included in marketing materials, on other areas of the website, in in-store signage and even in the comments made by your employees. These ancillary representations are often included as abbreviated statements with no elaboration or reference back to more details in the privacy policy.

For example, a website designer may be looking to incentivize website visitors to submit their email addresses to sign up for your company’s newsletter. Under the entry field they might add, “We will never share your email address,” thinking that it is a nice thing to say or that it is consistent with the company’s practices. However, this type of statement is probably inaccurate at the outset because the email addresses are likely shared with a number of third-party service providers that help the company market its products or services.

These types of statements that are added in an ad hoc fashion to a website or tucked into a countertop sign are also less likely to undergo comprehensive review. Your company’s internal review procedures need to provide, and your business teams need to be trained to make sure, that any statements that implicate the organization’s privacy practices are reviewed and approved in advance. Once used, it may be difficult to claw back imprecise statements without setting aside and treating differently information that was collected while those statements were in place.

So Be Warned

Just like you wouldn’t launch your new business without a website, you shouldn’t launch your new website or mobile app without an accurate and up-to-date privacy policy that reflects your new company’s privacy practices. But don’t spare yourself the work of crafting a privacy policy tailored to fit your own company’s digital platforms, as an “off the rack” privacy statement from someone else’s business could end up taking you to the cleaners, as we will explore in a follow-up to this article.


ABOUT THE AUTHOR – Christopher Avery is a practicing privacy and data security attorney who works with companies big and small to elevate their privacy programs and solve their data security challenges. Christopher is also the founder of his own startup, LastLtr.com.


This article was originally featured as a startup law advisory on DWT.com on September 01, 2020. Our editors have chosen to feature this article here for its coinciding subject matter.