How to Avoid a Legal 500 Error with your Privacy Policy


Note: A version of this article originally appeared on the Security Catalyst Blog

Avoid a Legal 500 Error. Debug your privacy policy.


Legal Programming

By Aaron Titus

I’m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um, practice. OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have the knowledge, skill, and training. And if I wanted an iPhone app, I’d talk to a programmer. If I wanted legal documents, I’d talk to a lawyer.

In fact, lawyers are programmers. Writing legal documents—like privacy policies—is just like writing code.

Imagine that your boss tells you, “I need a widget. I’m sure other people in the open source community have done similar things. Just go grab some code and slap it together by the end of the day.” Of course, that’s crazy. You can’t just slap code together. In what language is the code written? Will it play well with existing code? How complete is the API? What are the requirements? What about security? What about debugging?

Yet this is exactly how we treat privacy policies. We go grab some “open source” or “boilerplate” privacy policy, slap it together with a boilerplate Terms of Service, and think we’re good to go. But unlike poorly written code, which will cause an error as soon as it is compiled, you won’t know whether you’ve created a Legal 500 error for months or years—long after it’s too late to fix.

Privacy Policy Principles

The purposes of a privacy policy are to: 1. help inform and train your employees about your privacy practices, 2. inform your customers about your privacy practices, and 3. avoid liability and FTC action. As I explained previously, adhering to the following principles will allow you to accomplish all three goals:

  • Be Honest. Your mamma was right: Honesty is the best (privacy) policy.
    • Don’t Over-Promise. Statements like “privacy is our top priority” may be enforced by the FTC as a privacy promise. Don’t box yourself into a corner.
    • Don’t Under-Promise. Under-promising can violate regulations and more importantly, scare off customers.
    • Tell the Whole Truth. Failure to talk about less-desirable privacy practices may be a misleading business practice.
  • Be Complete and Conspicuous.
  • Adapt to Changing Business Practices. A privacy policy which was accurate six months ago may not be today.
  • Get it Right the First Time. Allowing yourself room to change will save headaches long-term, as material changes to privacy policies require additional consent.
  • If you Say it, Do it. Generally no magic words are required in privacy policies. The best approach to avoid liability is to stick to your policy.
  • It’s Your Business. As an executive, it’s your responsibility to make sure that your privacy policy is accurate and complete.

Custom Programming Your Privacy Policy

Nobody, especially the legislature, has solved your problems for you. If you create an innovative product or service, then it will raise new questions of law, ethics, and privacy which have never been asked or answered. You can’t expect that somebody else’s recycled privacy policy will meet your needs, any more than you can expect that recycling old code will yield innovation. Imagine for a moment that you have just developed an iPhone app. The app communicates with a smart scale using Bluetooth technology, then interfaces with the Google Health API to transfer a user’s weight history to the Weight Watchers website, then optionally posts the summarized results of the user’s weight loss to his Facebook page and Twitter account. Which of the following is true:

  1. You can adopt HIPAA as your privacy policy. HIPAA privacy rules apply.
  2. The FTC is interested in your privacy policy and practices.
  3. You can later use the weight & contact information to market your next iPhone app, “Smart Dieter.”

The answers may surprise you:

  1. False on both counts. First, HIPAA is not a privacy policy. Nobody, especially Congress, has written your privacy policy for you. Second, your customers are not protected by HIPAA regulations, because those regulations probably don’t apply to you.
  2. True. The FTC is always interested in your privacy policies and practices, and even passing assurances of privacy like “Privacy is our Number 1 Priority” may be enforced as a privacy promise.
  3. Probably Not. Unless you have written a clear privacy policy that puts your customers on notice, you may be prohibited from reusing their personal information for any reason, even if they would have consented to such a use.

Your privacy policy must reflect your unique business processes, your unique business model, and your unique user needs. If you think that Congress (or anybody, for that matter) has answered the new questions of privacy raised by your iPhone app, then I have a bridge in Brooklyn I’d like to sell you. Even if HIPAA privacy regulations applied (which they don’t), I can guarantee that they were not written with your app in mind. Likewise, if you are doing anything truly innovative, any canned privacy policy will fail to meet your needs.

Boilerplate legal documents can get people and companies in trouble. Although sometimes there are magic words from a statute or regulation that should be quoted in order to protect your rights, most boilerplate is not magic—it’s lazy. Lawyers do a lot of legal debugging, because improper boilerplate language can be downright harmful. Unless you do your own legal programming to meet your individual needs, you are sure to accidentally waive a right, break the law, incur the ire of the FTC, or create a contradiction and cause a “Legal 500 Error.”

A Living Document

Because technology, business needs, and information demands constantly change, you must consistently update your privacy policy to reflect those changes. Fortunately, privacy policies are extremely flexible documents, with very few formal legal language or “magic words” requirements, so updating them is easy… if you remember to do it. CEOs often find that adapting a business plan to changing market conditions is time-consuming, and privacy policies can fall by the wayside.

Before you update your privacy policy, though, keep in mind that there may be consequences to making material changes. When you revise a policy, information collected under the former policy must still be treated according to the terms of the original privacy policy unless you get some sort of assent from your customers; otherwise you face the potential ire of the FTC. It is always better to get it right the first time.

Take Charge

As an executive, do these three things:

  1. Read Your Privacy Policy. First, do you understand what the policy means? Second, how does the privacy policy translate to concrete business practices in each of your departments? Third, does the policy match actual practice? Fourth, what is missing from your privacy policy that a reasonable customer would want to know about? Fifth, what changes must you make to your business practices (or the privacy policy) to make them the same?
  2. Regularly Update Your Privacy Policy. Many companies have internal processes to regularly review and update business plans, department objectives, security, and compliance. Make sure that your privacy policy is on your list of documents to review.
  3. Do a Privacy Policy Legal Review. Avoid a “Legal 500 Error” by making sure that your privacy policy is complete and compliant.
