No Such Thing as a "Standard" Privacy Policy

As tempting as it may be to copy another business's online Privacy Policy, don't do it. There's simply no such thing as a "standard" Privacy Policy.

Whether your business is new or well-established, you must have a comprehensive Privacy Policy in place that addresses your unique business structure, communication tools, website(s), mobile apps, landing pages, social media platforms, shopping carts, and even your workforce.

Many startup founders, in particular, might believe they can share policy agreements with a friend who owns a similar business. The temptation to save time and money in launching a new business is understandable but ill-advised.

The fact is, there is no "standard" Privacy Policy, and failing to adequately communicate your policies and limitations of liability could be a very costly mistake for your business.

Investing the time and resources to thoroughly craft a comprehensive Privacy Policy unique to your business is critical to protecting your business and limiting your legal liabilities.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Add information about your business: your website and/or app.
  4. Select the country.
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

And you're done! Now you can copy or link to your hosted Privacy Policy.

What is a Privacy Policy?

A Privacy Policy acknowledges all of the various types of personally identifiable information you collect, store, use, share, sell and disseminate, and each platform where those activities take place.

The policy clearly communicates how you may or may not use the information, and it explains your limitations in handling that information.

A Privacy Policy also informs your users about their participation in making their personally identifiable information available to you, both directly such as by entering it into a form, and indirectly, such as through website cookies, browser histories and other means.

Google organizes its Privacy Policy into a number of different pages and sections, including information Google collects and how, information users voluntarily give, and how that information is shared and used.

While this information is standard in most Privacy Policies, you can't copy and paste Google's Privacy Policy for your own business, because the way you personally do things may be, and likely is, very different from the way Google does. You can use its framework as a guide to the many important components of an effective Privacy Policy, but you shouldn't copy and paste it as your own.

There are many discussions online defining privacy rights of consumers.

In a 2007 statement from the U.S. Office of Management and Budget, the U.S. government used the term "personally identifiable" in identifying the type of information an entity must take extraordinary measures to protect.

That letter defined personally identifiable information this way:

Definition of Personal Information

Since then, the term has been widely adopted throughout the United States, the European Union and around the world.

For example, in Switzerland, the rules on privacy are particularly strict.

The 1992 Federal Act on Data Protection expressly prohibits any processing of personal data which is not expressly authorized by the individual. Additionally, any individual may request the correction or deletion of any personal data, and the request must be addressed by the company within 30 days.

There's no doubt that the definitions of what constitutes personally identifiable data, and the methods your business may use to collect and handle that information, are long and broad.

Thoroughly understanding and defining your rights and limitations of liability in a professionally prepared Privacy Policy unique to your business is critical to protecting your interests at home and abroad.

What Does a Privacy Policy Cover?

It's important to determine the complete list of the types of information you currently collect, or may collect in the future, and thoroughly itemize it in your company's Privacy Policy.

You might be collecting both personally identifiable information and trackable non-personally identifiable information from website visitors, customers, employees, social media followers and other stakeholders.

This is why your Privacy Policy cannot be standard in any way. Your business is unique.

The U.S. Department of Defense offers a broad definition of the types of information it considers to be personally identifiable information (at page 9) in its 2014 document, DoD 5400.11-R, Department of Defense Privacy Program:

U.S. Defense Department: Definition of Personal Information

The National Institute of Standards and Technology defines it this way (at page 7) in Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information:

"Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

These broad definitions help explain just how much information your business may be collecting, by design or by default, from visitors, prospects, customers, employees, vendors and other stakeholders, but they are not comprehensive.

It's important to remember that personal information comes to your business in many different ways.

Whether you ask for it directly, such as a name, email address and phone number on a contact form, or collect it indirectly such as through web crawlers, cookies and other technical tools, all information that could expose the identity of your stakeholders should be considered when crafting your Privacy Policy.

Examples of personally identifiable information include but are not limited to:

  • First and Last Name
  • Gender
  • Date of Birth
  • Mailing Address
  • Prior Address(es)
  • Email Address(es)
  • Phone Numbers
  • Social Security Number
  • Employer(s)
  • Past Employer(s)
  • Education
  • Health information
  • Certifications
  • Driver's or other operator license number(s)
  • Passport number
  • Genetic information
  • Mother's maiden name
  • Next of kin
  • Credit card information
  • Bank account information
  • Other account information
  • Handwriting
  • Fingerprints
  • Iris scan
  • Facial impression
  • Website cookies
  • Criminal record
  • Social media accounts
  • Website chat threads and content

However, the list of information your Privacy Policy should address is not necessarily limited to personally identifiable information.

Non-personally identifiable information which could be trackable to an individual also may need to be addressed in order to fully limit your liability in how you use it to conduct business.

Examples of information that might be trackable or assignable to personal data include but aren't limited to:

  • IP address(es)
  • Passwords
  • Browser activity
  • Websites visited
  • Product descriptions viewed
  • Forms submitted
  • Videos watched
  • Security questions and answers
  • Shopping cart data
  • Point of sale data
  • User preferences
  • Location data

As you can see, the potential list of the information you collect during the course of running your business is not only quite long, but its misuse or theft could cause serious liability and privacy concerns.

Taking the time to fully assess the many types of personally identifiable and trackable information you collect from everyone your business interacts with is an important first step in creating a bulletproof Privacy Policy.

You Need a Unique Privacy Policy, Not a Standard Privacy Policy

You built your brand around your unique ideas. Your business offers solutions no other business offers quite like you do. Whether you have a new invention or a certain way of doing things better than anyone else does, you're not exactly like that business down the street or across the globe.

You have valuable intellectual, physical and human collateral no other business has. Your customers and website visitors voluntarily give you their private information in order to do business with you.

You and your customers require specific legal protections written expressly for these unique circumstances.

In order to attract, engage, convert and retain your customers, your website, landing pages, live chat tools, emails, sales funnels and social platform pages directly and indirectly gather information about your visitors and your workforce.

You may own a service organization and collect information through your website, phone and contact form to provide a valuable service in your community. The information you collect is completely different from the information a healthcare business collects, and different still from what an e-commerce business, a software provider or any other business collects.

You may conduct business regionally, nationally or even globally, while your competition may serve the local community only.

Regardless of how similar your business might be to the competition, you have a legal obligation to inform your visitors of exactly how you gather, store and use their information. You also have a responsibility to your business to limit your liability with regard to your management and use of that information.

Further, if you have employees, they voluntarily give you information in the course of working for you. Information such as social security numbers, demographic data, family, education and healthcare information about your employees likely resides on your servers.

How you handle that information is as important as how you handle customer and visitor information.

In 2009, the U.S. Federal Government defined the various methods for collecting personal health information that are subject to privacy rules:

US Federal Government: Methods of Collecting Personal Health Information

In addition to identifying a comprehensive list of the types of personal data you collect, it is also important to identify the methods for collecting, storing, using, sharing and disseminating that data.

In fact, you might be surprised at just how many methods there are for collecting and handling data subject to privacy protections.

While there are varying schools of thought on whether to individually identify each method your business uses to collect and handle protected information, there is universal agreement that your Privacy Policy should identify all the methods you use.

Consider this list of possible data collection points as you think about the scope of your own Privacy Policy:

  • Financial Transactions: Your Privacy Policy should cover the information you collect to perform financial transactions such as at the point-of-sale, including online and at physical payment terminals, across mobile apps, at online shops, and through payment processing platforms such as PayPal, Apple Pay, Venmo and others.
  • Customer Engagement: Does your Privacy Policy address how you handle information gathered from product or service surveys, contact and other opt-in forms, healthcare information, etc.?
  • Educational Activities: Does your company sell education material, or conduct certifications? The information you collect to do so is very likely subject to privacy protections.
  • Social Networking Platforms: Does your Privacy Policy cover your blog, Facebook, LinkedIn, Instagram, YouTube and other social platforms, including community discussion threads?
  • Employees: Your Privacy Policy should address how you protect health, financial, employment, education, family and other personal information about your employees, and your requirements for how those employees handle customer information.

How your Privacy Policy identifies the many methods by which you collect and handle personally identifiable information is somewhat subjective.

You might choose to include a separate clause for each method your business uses to collect private information, or combine multiple scenarios into one or a few clauses.

Send us electronic mail form example

Here's one example which specifically addresses the use of information collected or shared in company email:

Clause on Electronic Mail in a Privacy Policy

It's also acceptable to combine data collection and handling methods into a single clause.

Here's an example addressing one law firm's use of email and cellular phones in its use of protected information:

Clause on use of email and cellular phones in Privacy Policy of law firm

Because your business has a unique industry, workforce, geographic reach, online platforms, social presence and many other factors, you need a unique Privacy Policy tailored expressly for your business.