Archive for January, 2010

6 Things Every CEO Should Know About Privacy Policies

Note: This post originally appeared on The Security Catalyst Blog

Writing a privacy policy is a careful balance: Being realistic about what you can perform, protecting and instilling confidence in your customers, facilitating business growth and adaptation, complying with law, and above all, being honest.

Your privacy policy and security practices are the subject of federal, state and international laws, as well as FTC regulation. The FTC regulates unfair and deceptive consumer practices, and has a history of privacy policy enforcement actions. In fact, it is currently hosting a series of “Privacy Roundtable” discussions, focusing on behavioral advertising, social networking, mobile marketing, data aggregation and correlation, data brokering, cloud computing, and other now-common practices.

With increasing scrutiny on privacy policies and practices, here are six things every CEO should know about their company’s privacy policy.

Be Honest

Your mamma was right: Honesty is the best (privacy) policy. Be up front about what you do (or may do in the future) with your customers’ personal information. Many privacy policies make one of three “honesty” mistakes: 1. Over-Promising, 2. Under-Promising, 3. Omission. Each carries liability, so it is better to avoid all three.

Don’t over-promise. Your company may be held responsible for the representations in your privacy policy. Look out for phrases like “state-of-the-art,” “everything in our power,” or “our highest priority.” If your company really does use “state-of-the-art” technology to protect privacy, good for you. But you probably don’t, so be honest about it. While you may think that such phrases are just feel-good fluff, the FTC has brought actions against companies who fail to provide the state-of-the-art consumer protections they promised, even though they used otherwise reasonable practices.

Don’t under-promise. FTC guidelines and many state laws require that your company take reasonable and appropriate measures on a case-by-case basis. It may be tempting to try to disclaim all duties to protect your customers, especially if you’ve had a breach. But this approach has pitfalls. First, it is impossible to disclaim all duties to your customers’ privacy. Second, you may scare away potential customers, or invite scrutiny (as Facebook well knows). Third, FTC actions have indicated that businesses cannot take a “wait-and-see” approach to consumer privacy. Instead, companies have a duty to act reasonably and detect problems before they cause loss, particularly if they have made privacy promises to their employees or customers.

Tell the whole truth. Another temptation is to remain conveniently silent on a privacy issue you’d rather not talk about. This is also a risky strategy, because state laws (such as California, Texas, and soon-to-be Massachusetts, to name a few) impose specific disclosure requirements. Whether or not required by law, failure to disclose important privacy practices can spark FTC enforcement action as a deceptive consumer practice.

Be Complete & Conspicuous

Aside from potential FTC action, California law requires any company which holds personal information about a Californian to identify the types of information it collects about customers, explain how the consumer may change or update the personal information, and identify an effective date. The law also imposes an affirmative duty to disclose whether information will be disclosed to third parties for marketing purposes. California law also requires that a link to your company’s privacy policy be conspicuous. Most of the time, a link from the home page or in the footer will be sufficient.

A privacy policy is legally compliant when it addresses all of the various legal and regulatory requirements, but it is only complete when it addresses the full range of your unique business practices. For some organizations, that may be broader than you think. For example, a typical university engages in educational, financial, healthcare, network provider, non-profit, and goods and services activities on behalf of its students. That’s why there can be no such thing as a “boilerplate” privacy policy.

Privacy Policy Must Reflect (Changing) Practices

Like Yin and Yang, privacy policy and practice are complementary and inseparable. One consistent pattern of FTC actions is that updated information security practices are necessary to protect consumers’ privacy. As FTC guidelines indicate, “Good security is an ongoing process of assessing risks and vulnerabilities… Your business practices and privacy policy must be consistently updated to reflect current best practices and available technology.”

Get it Right the First Time

Even though your privacy policy must adapt to changing business needs, privacy policies cannot be retroactively modified. This issue is important in the following scenario: Suppose that your company decides it wants to sell customer personal information to marketers, but your privacy policy states that personal information “will not be shared with third parties without [customers'] explicit consent.” Changing the policy to allow you to sell personal information may apply prospectively, but new policy provisions will not apply to existing customers, without their consent. This can even apply to a transfer of personal information in a bankruptcy proceeding.

That’s why it’s important to get it right the first time. Your company’s privacy policy must allow you enough wiggle-room to adapt to future conditions, be complete, and still protect your customers. If you need to materially change your policy, make sure that you have the infrastructure to determine which version of your policy applies to which customer. It matters.

If You Say it, Do it

We’re all familiar with the Miranda phrase, “anything you say can and will be used against you …” by the FTC. If you make a representation in your privacy or security policy, you’d better be able to live up to it. FTC enforcement actions demonstrate that website owners must adhere to any statements of privacy or security, whether the statement is made online or offline.

Each representation about privacy or security is treated as a “privacy promise.” Feel-good marketing fluff does not belong in a privacy policy, because even “fluff” can create duties or liability, even if the duty is not required by law. Explicit security-related promises (such as a promise to use “state-of-the-art technology”) require that the company take affirmative and ongoing steps to ensure that sufficient security is provided.

For example, in 2004 Gateway Learning Corp found itself the target of an FTC Deceptive Practice enforcement action for renting its customer list to marketers, even though their privacy policy said they wouldn’t. In recent years the FTC has taken similar action against Eli Lilly & Co., Microsoft, Guess, Inc., Tower Records, and Petco.com to name a few.

If your privacy policy says it, then do it.

It’s Your Business

As a soon-to-be attorney, I can say that you should have a lawyer review your privacy policy. Lawyers help the privacy policy comply with legal and regulatory requirements, but it’s your responsibility to make sure that the policy is complete. In fact, I would go so far as to say that 30% of a privacy policy is compliance, and the other 70% is completeness.

If those numbers are any indication, they mean that your privacy policy should have 70% of its input from the Customer Service Department, the Accounting Department, Sales, Marketing, and perhaps even R&D. Without their feedback it will be impossible to document your important privacy practices and create a complete privacy policy. Privacy policies are not legalese and magic words. They are a blueprint of vital business processes. There is one sure way to get in trouble: Relegate your privacy policy to the legal department, and fail to get cross-departmental participation in its drafting. Banishing your privacy policy to the lawyers alone may get you in trouble because the end result may be compliant, but incomplete. And ironically, an incomplete privacy policy is a non-compliant policy.

Take Charge

As a CEO, COO, or Managing Director, you should do three things:

  1. First, read your privacy and security policy. If it confuses you, it will confuse your customers. If it confuses your customers, it might be interpreted as deceptive by the FTC.
  2. Second, make sure you can live up to your privacy policy. Watch out for buzzwords like “state-of-the-art,” “everything within our power,” “always,” and “never.” Make sure that you haven’t painted yourself, your customers, or your employees into a corner.
  3. Third, update your privacy policy to reflect your business practices, or update your business practices to match your policy. Being honest and complete about your business practices is tough work, but will pay dividends long-term.


Privacy Commons for Government

Note: This article originally appeared on The Security Catalyst Blog

“Unconferences” (hat tip to identitywoman) are great opportunities to network, gather and share information. They attract bleeding-edge leaders on emerging problems and technologies. My most recent unconference was Congress Camp 2009, organized by the Open Forum Foundation. The gathering focused (broadly) on social networking tools and Web 2.0 for government. It was well attended by advocates who want to reach Congress, and over-worked Hill staffers who use IE6 and must cope with information overload. We also got a preview of GovLuv.org. If you have an interest in social networking and government, I highly recommend looking at some of the blog articles.

Here’s my report: Don’t hold your breath for Congress to go Social-Web crazy in the immediate future.

I hosted a discussion on developing a Privacy Commons framework for government. In short, Privacy Commons will be a series of Privacy Policy Frameworks: A list of required, optional, and prohibited subject matter for privacy policies. Each framework will be tailored to particular industries (i.e., medical, financial, goods and services, social media, government, etc.). Adoption of a Privacy Commons Framework will require that your Privacy Policy address all subject matter in the framework, and make certain high-level disclosures in the form of iconography (i.e., a “$” symbol to indicate that you sell personal information to third parties).

I already knew that a government Privacy Commons policy would have to include disclosures about how personal information may be transmitted to other federal agencies, for example. But I was surprised to hear from staffers that Congressional privacy policies should also disclose how personal anecdotes may be used. Many constituents e-mail their elected representatives with poignant personal stories that often support draft legislation. Staffers must decide whether they can or should use the stories in a press release, on the House or Senate floor, or whether they can use the story and change the names.

A government Privacy Commons framework will also need to address the different rules that elected officials and their campaigns must follow. Elected officials must follow strict rules governing sharing personal and contact information. In contrast, campaigns (which may run full-time, even after an official is elected) can do almost anything with personal information. The distinction between “Congressman Jones” and “Congressman Jones’ Campaign” may be lost on the average constituent; but the effects on privacy might be substantial.

As I make the transition to full-time attorney (after I pass the bar… wish me luck), I’ll be able to continue developing Privacy Commons. In fact, at Congress Camp I hooked up with the ECitizen Foundation, which might help host Privacy Commons working groups. Stay tuned.


FTC Says Bloggers Must Disclose Freebies

Note: This article originally appeared on The Security Catalyst Blog

The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009.

The FTC press release emphasizes that under the new rules, “both advertisers and endorsers may be liable for… failure to disclose material connections between [them].” Material connections include payments or free products, which must be disclosed in a “clear and conspicuous” manner. Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency.

Here’s the bottom line: Bloggers– Clearly disclose whether you received payment or a free product when giving endorsements. Advertisers– Make sure social media marketing plans require your ad agencies and paid bloggers to disclose whether an endorsement is paid.

But bloggers shouldn’t worry too much. Simply saying something good about a product is not enough to break the new rules. Instead, there must be a “material connection” between the advertiser and endorser. This is generally understood to mean that the advertiser 1. provides consideration (i.e., payment or a free product), 2. in exchange for an endorsement. When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed.

Simply blogging about a free sample will not break the FTC rules. For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser. In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion.

The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers. This creates interesting challenges for advertisers, many of whom are already reeling from social media overload. Purely consumer-generated reviews will not create liability for advertisers. However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say.

In addition, simply using an ad agency doesn’t break the chain of liability. Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift. Advertisers should remember that paid bloggers can now incur liability on advertisers, and in this sense, they should treat paid bloggers just like any other employee or company agent.

Tips for Advertisers:

  1. Tell Your Bloggers: Always require bloggers to include standard language such as “PAID ADVERTISEMENT,” “PAID PRODUCT REVIEW,” or similar conspicuous and unambiguous language in their posts whenever you send them free products.
  2. Watch Your Bloggers: Advertisers will be liable for misleading statements from paid bloggers. However, you may mitigate liability if you “advise [paid bloggers] of their responsibilities and… monitor their online behavior.”
  3. Tell Your Advertising Agency: In your advertising agency contract, require them to insist that bloggers disclose gifts.
  4. Ask for Indemnity: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes.

Tips for Advertising Agencies (especially Social Media):

  1. Market Your Knowledge: Advertisers will appreciate that you know about this new regulation. Let advertisers know that your knowledge puts you in a position to decrease their liability.
  2. Tell Your Bloggers: See above.
  3. Watch Your Bloggers: See above.

Tips for Bloggers:

  1. Be Clear: If you got paid, or if you got a free product, disclose it up front. There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like “I shamelessly took a free widget from Acme Co. in exchange for this review,” or “I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.” The good standby, “Paid Product Review,” should work fine (if you have no personality).
  2. Be Conspicuous: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article. While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out.
  3. Don’t Worry Too Much: First, ethical bloggers already disclose their connections with advertisers. Second, you won’t incur liability unless you are actually acting on behalf of a company when you write a product review. As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law). Now you just have to disclose whether you got paid for your opinion.

It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for “Paid Product Review” will develop in the Twittersphere, much like “RT” for Retweet. May I be the first to suggest, “PPR,” “Paid,” or my favorite, “:-$”

Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.


Is Your Tascam US-144 mkII Noisy? Just Sit on it.

The TASCAM US-144 mkII gets noisy when the temperature drops.

The TASCAM US-144 mkII's Phantom Power gets very noisy when the temperature drops below 65

I recently purchased two sets of podcasting gear to record podcasts with someone in another state. The gear included two TASCAM US-144 mkII interfaces, two Audio-Technica AT 2020 condenser microphones, two mic cables, two stands, two pop filters, two sets of headphones, etc. As I recorded I noticed an inconsistent whine in the audio. Sometimes the whine was little more than a vinyl-record-like scratch, other times it was a scream, and still other times it disappeared altogether.

To track down the source, I started by swapping AC power for battery power, switching USB cords, switching mic cords, switching microphones, switching interfaces, turning the wireless network on and off, unplugging my wireless router, changing rooms, and even moving to a location several miles away. None of these things had any consistent effect on the whine. After a lot of trial and error, I have narrowed the problem down to three variables: temperature, phantom power, and the MIC/LINE-GUITAR select switch.

The whine appears with the phantom power on while the interface is cold (i.e., less than about 65 degrees Fahrenheit). It gets worse when the MIC/LINE-GUITAR select switch is set to “Guitar.” Setting the MIC/LINE-GUITAR select switch to “Guitar” makes the jack act as an unbalanced input, which probably explains why that setting is noisier. But it is turning on the phantom power while the interface is cold that produces most of the noise.

The solution: Sit on the interface to warm it up. My home “studio” is in a very cold room with two exterior walls, and it’s the middle of winter. So in order to warm up the interface—no joke—I actually put it under my thigh for a good 10-15 minutes. I didn’t read that helpful work-around in the manual. I thought about using an electric blanket, but I was afraid that might cause some induction damage.

The Test

I conducted a test to demonstrate the whine, which I have included here. For the test I had the following setup: I plugged an Audio-Technica AT 2020 condenser mic into the MIC IN L XLR balanced jack. I also plugged a crappy old dynamic mic into the LINE IN R/GUITAR IN TRS 1/4″ jack. For the “Cold” test, I left the interface in a box in my car for 30 minutes, where the outside temperature was around 25° Fahrenheit. For the “Warm” test, I basically sat on the interface for about 15 minutes until the interface housing was noticeably warmer than room temperature.

I then recorded a systematic test of the phantom power, left and right input levels, and the MIC/LINE-GUITAR select switch in 10-second intervals. I included the results in a table below, with each numbered setting corresponding to a period of time on the non-normalized .mp3 file. You can skip around to compare the different settings if you’d like. Please ignore the ambient noise of the HVAC system, as well as the lousy line quality for my crappy dynamic mic.

INTERFACE TEMPERATURE: COLD (~30°- ~65° Fahrenheit)

| Setting | Time on Tape | Phantom Power | INPUT L Levels (AT 2020) | INPUT R Levels (Crappy Dynamic) | LINE/MIC-GUITAR Select Switch | Whine |
|---|---|---|---|---|---|---|
| 1 | 0:00-0:10 | OFF | Line (Low) | Line (Low) | Line/Mic | None |
| 2 | 0:10-0:20 | OFF | Line | Mic (High) | Line/Mic | None |
| 3 | 0:20-0:30 | OFF | Line | Line | Guitar | None |
| 4 | 0:30-0:40 | OFF | Line | Mic | Guitar | None |
| 5 | 0:40-0:50 | OFF | Mic (High) | Line | Line/Mic | Scratch |
| 6 | 0:50-1:00 | OFF | Mic | Mic | Line/Mic | Scratch |
| 7 | 1:00-1:10 | OFF | Mic | Line | Guitar | Scratch |
| 8 | 1:10-1:20 | OFF | Mic | Mic | Guitar | Scratch |
| 9 | 1:20-1:30 | ON | Line | Line | Line/Mic | Whine-Low |
| 10 | 1:30-1:40 | ON | Line | Mic | Line/Mic | Whine-Med |
| 11 | 1:40-1:50 | ON | Line | Line | Guitar | Whine-Med |
| 12 | 1:50-2:00 | ON | Line | Mic | Guitar | Whine-Scream |
| 13 | 2:00-2:10 | ON | Mic | Line | Line/Mic | Whine-Loud |
| 14 | 2:10-2:20 | ON | Mic | Mic | Line/Mic | Whine-Loud |
| 15 | 2:20-2:30 | ON | Mic | Line | Guitar | Whine-Loud |
| 16 | 2:30-2:40 | ON | Mic | Mic | Guitar | Whine-Scream |

INTERFACE TEMPERATURE: WARM (~75°+ Fahrenheit)

| Setting | Time on Tape | Phantom Power | INPUT L Levels (AT 2020) | INPUT R Levels (Crappy Dynamic) | LINE/MIC-GUITAR Select Switch | Whine |
|---|---|---|---|---|---|---|
| 1 | 2:40-2:50 | OFF | Line (Low) | Line (Low) | Line/Mic | None |
| 2 | 2:50-3:00 | OFF | Line | Mic (High) | Line/Mic | None |
| 3 | 3:00-3:10 | OFF | Line | Line | Guitar | None |
| 4 | 3:10-3:20 | OFF | Line | Mic | Guitar | Scratch |
| 5 | 3:20-3:30 | OFF | Mic (High) | Line | Line/Mic | Scratch |
| 6 | 3:30-3:40 | OFF | Mic | Mic | Line/Mic | Scratch |
| 7 | 3:40-3:50 | OFF | Mic | Line | Guitar | Scratch |
| 8 | 3:50-4:00 | OFF | Mic | Mic | Guitar | Scratch |
| 9 | 4:00-4:10 | ON | Line | Line | Line/Mic | None |
| 10 | 4:10-4:20 | ON | Line | Mic | Line/Mic | None |
| 11 | 4:20-4:30 | ON | Line | Line | Guitar | None |
| 12 | 4:30-4:40 | ON | Line | Mic | Guitar | Whine-Loud |
| 13 | 4:40-4:50 | ON | Mic | Line | Line/Mic | None |
| 14 | 4:50-5:00 | ON | Mic | Mic | Line/Mic | None |
| 15 | 5:00-5:10 | ON | Mic | Line | Guitar | None |
| 16 | 5:10-5:20 | ON | Mic | Mic | Guitar | Whine-Loud |

My home studio is in the basement near an outside wall, so it’s usually around 65°. Every morning the whine reappears until I physically warm the unit to around 75°+.

At lower temps, the phantom power whines and bleeds over into the 1/4″ inputs, which surprises me because most electronics are happier when they’re cold. I’d chalk it up to a defective unit, except that I purchased two 144 mkII’s, and both units display the same behavior. Regardless, I’m not looking forward to the hassle of returning or exchanging the interface. It’s going to put me back several weeks.

I wonder if anyone else has experienced these same problems. The helpful guys at Sweetwater didn’t seem to have bumped into the problem before.

[Update Jan 14, 2010]

I have decided to return the mkII’s to Sweetwater in favor of another brand, perhaps an M-Audio. I haven’t decided. At first I was content to swap them out for non-defective mkIIs, but apparently TASCAM has temporarily stopped shipping the US-144 mkII. More precisely, they are taking orders without providing a firm ETA. This is apparently quite unusual, and in the estimation of the guy I talked to it likely indicates that they are doing some re-tooling.

I decided that I’m probably better off not being the guinea pig for the “fixed” version (if, in fact they are re-tooling). And even if they’re not re-tooling, I don’t want to wait indefinitely for TASCAM to fill the order.

I am so glad that I purchased from Sweetwater instead of Guitar Center. Sweetwater has much better support. Let me correct that: Sweetwater offers any type of support.

[Update Jan 25, 2010]

I decided to go with a Lexicon Omega instead. So far (in some preliminary recordings) I haven’t had any noise problems, though the levels are significantly lower than on the Tascam 144 mkII. I’ll just have to do more post-normalization. I hope the noise levels stay tolerable.
