Many startup founders, in particular, might believe they can share policy agreements with a friend who owns a similar business. The temptation to save time and money in launching a new business is understandable but ill-advised.
The policy clearly communicates how you may or may not use the information, and it explains your limitations in handling that information.
There are many discussions online defining privacy rights of consumers.
In a 2007 statement from the U.S. Office of Management and Budget, the U.S. government used the term "personally identifiable" in identifying the type of information an entity must take extraordinary measures to protect.
That letter defined personally identifiable information this way:
Since then, the term has been widely adopted throughout the United States, the European Union and around the world.
For example, in Switzerland, the rules on privacy are particularly strict.
The 1992 Federal Act on Data Protection expressly prohibits any processing of personal data which is not expressly authorized by the individual. Additionally, any individual may request the correction or deletion of any personal data, and the request must be addressed by the company within 30 days.
There's no doubt the definitions of what constitutes personally identifiable data and the methods your business may use to collect and handle that information is long and broad.
You might be collecting both personally identifiable information and trackable non-personally identifiable information from website visitors, customers, employees, social media followers and other stakeholders.
The U.S. Department of Defense offers a broad definition of the types of information it considers to be personally identifiable information (at page 9) in its 2014 document, DoD 5400.11-R, Department of Defense Privacy Program:
The National Institute of Standards and Technology defines it this way (at page 7) in Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information:
"Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
These broad definitions help explain just how much information your business may be collecting by design or by default from visitors, prospects, customers, employees, vendors and other stakeholders, but it is not comprehensive.
It's important to remember that personal information comes to your business in many different ways.
Examples of personally identifiable information include but are not limited to:
- First and Last Name
- Date of Birth
- Mailing Address
- Prior Address(es)
- Email Address(es)
- Phone Numbers
- Social Security Number
- Past Employer(s)
- Health information
- Driver's or other operator license number(s)
- Passport number
- Genetic information
- Mother's maiden name
- Next of kin
- Credit card information
- Bank account information
- Other account information
- Iris scan
- Facial impression
- Website cookies
- Criminal record
- Social media accounts
- Website chat threads and content
Non-personally identifiable information which could be trackable to an individual also may need to be addressed in order to fully limit your liability in how you use it to conduct business.
Examples of information that might be trackable or assignable to personal data include but aren't limited to:
- IP address(es)
- Browser activity
- Websites visited
- Product descriptions viewed
- Forms submitted
- Videos watched
- Security questions and answers
- Shopping cart data
- Point of sale data
- User preferences
- Location data
As you can see, the potential list of the information you collect during the course of running your business is not only quite long, but its misuse or theft could cause serious liability and privacy concerns.
You built your brand around your unique ideas. Your business offers solutions no other business offers quite like you do. Whether you have a new invention or a certain way of doing things better than anyone else does, you're not exactly like that business down the street or across the globe.
You have valuable intellectual, physical and human collateral no other business has. Your customers and website visitors voluntarily give you their private information in order to do business with you.
You and your customers require specific legal protections written expressly for these unique circumstances.
In order to attract, engage, convert and retain your customers, your website, landing pages, live chat tools, emails, sales funnels and social platform pages directly and indirectly gather information about your visitors and your workforce.
You may own a service organization and collect information over your website, phone and contact form to provide a valuable service in your community. The information you collect is completely different from the information a healthcare business collects, and different still from an e-commerce business or software provider or any other business.
You may conduct business regionally, nationally or even globally, while your competition may serve the local community only.
Regardless of how similar your business might be to the competition, you have a legal obligation to inform your visitors of exactly how you gather, store and use their information. You also have a responsibility to your business to limit your liability with regard to your management and use of that information.
Further, if you have employees, they voluntarily give you information in the course of working for you. Information such as social security numbers, demographic data, family, education and healthcare information about your employees likely resides on your servers.
How you handle that information is as important as how you handle customer and visitor information.
In 2009, the U.S. Federal Government defined the various methods for collecting personal health information that are subject to privacy rules:
In addition to identifying a comprehensive list of the types of personal data you collect, it also is important to identify the methods for collecting, storing, using, sharing and disseminating that data.
In fact, you might be surprised at just how many methods there are for collecting and handling data subject to privacy protections.
- Educational Activities: Does your company sell education material, or conduct certifications? The information you collect to do so is very likely subject to privacy protections.
You might choose to include a separate clause for each method your business uses to collect private information, or combine multiple scenarios into one or a few clauses.
Here's one example which specifically addresses the use of information collected or shared in company email:
It's also acceptable to combine data collection and handling methods into a single clause.
Here's an example addressing one law firm's use of email and cellular phones in its use of protected information:
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.