Thursday, July 23, 2009

Recommended Reading: Privacy Policies for Web Sites You Visit

Most web sites have privacy policies that identify, in general terms, what the site does with your personal information once you submit it. Depending on the purpose of the web site, these policies range from very involved (on sites that collect and retain credit card numbers and/or Social Security Numbers) to very simple (on sites that collect very little of your personal data).

There are no hard-and-fast rules for what a privacy policy must contain, and no minimum list of terms that must appear in one. In certain industries, however, federal law imposes disclosure requirements that oblige particular types of businesses to say what they do with your personal information. Financial institutions, for instance, are governed by the Gramm-Leach-Bliley Act (GLBA), which restricts how nonpublic personal financial information (account and credit card details, for example) may be used and shared, and requires the institution to tell you about its practices. Health care providers and health insurers are governed by the Health Insurance Portability and Accountability Act (HIPAA), whose Privacy Rule sets very detailed rules for the use and disclosure of personal medical information. Web sites directed to children under 13, or whose operators actually know they are collecting personal information from children under 13, must comply with the Children's Online Privacy Protection Act (COPPA), which significantly limits what personal information operators may collect and retain and generally requires verifiable parental consent before they collect it.

If an organization covered by federal laws such as these also operates a web site, its treatment of your personal information should be described in the privacy policy associated with the web site (in the case of health care providers, you may also be handed a hard-copy Notice of Privacy Practices when you visit their offices for treatment; that notice covers your medical records and serves a different purpose than the online privacy policy).

In addition, the Federal Trade Commission (FTC) recently updated its guidelines identifying best practices for online advertising, which cover statements made in online privacy policies: FTC Staff Revises Online Behavioral Advertising Principles (2/2/09). The FTC also provides a summary of best practices for web site operators: Privacy Policies: Say What You Mean and Mean What You Say (2/08). Among these guidelines is a simple instruction: if a web site posts a privacy policy, it must actually follow the terms it has posted.

Violations of privacy policies have led to FTC investigations, some of which ended in settlements with civil penalties against the company for saying one thing in its privacy policy and then doing something completely different. See, for example, these summaries of FTC investigations and settlements: Sony BMG Music Settles Charges Its Music Fan Websites Violated the Children's Online Privacy Protection Act (12/11/08); Online Apparel Retailer Settles FTC Charges That It Failed to Safeguard Consumers' Sensitive Information, in Violation of Federal Law (1/17/08). In essence, the FTC treats the statements in a privacy policy as representations made to consumers, much like advertising claims: a policy that promises one thing while the site does another is a deceptive practice under Section 5 of the FTC Act, and therefore the policy must be truthful.

Evaluating Privacy Policies

You should understand that, in many cases, information about you (although perhaps not personally identifiable) is collected automatically the moment you visit a web site, before you type anything. A web server ordinarily records your computer's IP address, the date and time of each request and the pages you requested; a cookie set on your first visit lets the site count how many times you have returned; and the Referer header your browser sends reveals the page you came from, which may be another site entirely (including the search terms you used to find this one). Advertising networks whose code runs on many sites can use the same cookie mechanism to follow you from one site to the next. After that, you may be in a position to submit personal information to the site: perhaps your credit card number to complete an online purchase, a home phone number, a mailing address, a birth date, updates to a wishlist or baby gift registry, and so on.
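To make the automatic collection concrete, here is an added example (my own code, not part of any site's policy or software) that reads a few constructed web server log lines in the common "combined" format, with a cookie value appended, and reports what the site learns about each visitor without their ever filling in a form: how many requests they made and when, which pages they viewed, which outside sites sent them here, and a repeat-visit count carried in a cookie. The site name example.com, the cookie name "visits" and the log entries themselves are assumptions made up for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the site whose log we are reading. Referers from this host are
# internal navigation, not "where else you have been".
OWN_HOST = "example.com"

# Constructed sample entries (not from any real server): Apache/Nginx
# "combined" format followed by one extra quoted field holding the Cookie
# header. Both IP ranges are documentation addresses reserved for examples.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jul/2009:10:15:32 -0400] "GET / HTTP/1.1" 200 5123 "http://www.google.com/search?q=privacy+policies" "Mozilla/5.0" "visits=1"
203.0.113.7 - - [23/Jul/2009:10:16:01 -0400] "GET /privacy HTTP/1.1" 200 2210 "http://example.com/" "Mozilla/5.0" "visits=1"
203.0.113.7 - - [24/Jul/2009:09:02:44 -0400] "GET /checkout HTTP/1.1" 200 3380 "http://www.somebank.example/offers" "Mozilla/5.0" "visits=2"
198.51.100.23 - - [24/Jul/2009:09:05:10 -0400] "GET / HTTP/1.1" 200 5123 "-" "curl/7.19" "-"
"""

# One regex for the combined format; the trailing cookie field is optional so
# plain combined-format lines parse too.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<cookie>[^"]*)")?'
)


def parse_line(line):
    """Return the automatically collected facts in one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()

    # Repeat-visit counter: assumed to live in a cookie named "visits".
    visits = None
    if d["cookie"] and d["cookie"] != "-":
        for part in d["cookie"].split(";"):
            name, _, value = part.strip().partition("=")
            if name == "visits" and value.isdigit():
                visits = int(value)

    # The Referer header names the page the browser came from.
    ref_host = None
    if d["referer"] and d["referer"] != "-":
        ref_host = urlsplit(d["referer"]).hostname

    req_parts = d["req"].split(" ")
    path = req_parts[1] if len(req_parts) >= 2 else d["req"]
    return {"ip": d["ip"], "ts": d["ts"], "path": path,
            "referer_host": ref_host, "visits": visits}


def summarize(log_text, own_host=OWN_HOST):
    """Aggregate per client IP what the site knows with no form submitted."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        s = summary.setdefault(rec["ip"], {
            "hits": 0, "first_seen": rec["ts"], "last_seen": rec["ts"],
            "paths": [], "external_referers": set(), "visits": None,
        })
        s["hits"] += 1
        s["last_seen"] = rec["ts"]
        s["paths"].append(rec["path"])
        if rec["referer_host"] and rec["referer_host"] != own_host:
            s["external_referers"].add(rec["referer_host"])
        if rec["visits"] is not None:
            s["visits"] = max(s["visits"] or 0, rec["visits"])
    return summary


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Run as a script, the summary for 203.0.113.7 shows three requests on two days, a visit counter that reached 2, the pages viewed (including /checkout), and two outside hosts that referred the visitor here, one of them a search engine whose referer URL carried the search terms. The curl client at 198.51.100.23 sent no referer and no cookie, so the site learns only its address, timestamp and the page fetched. Everything in that summary was available before any personal information was submitted, which is exactly the kind of collection a privacy policy should disclose.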

At the very least, when you are about to send personal information about yourself to a web site, take a few minutes to find the privacy policy for that site and read it to find out what the site will do with the information you are about to give it: whether it is shared with or sold to third parties, how long it is kept, and how it is protected. If you cannot understand the policy, or if you do not like what you are reading, reconsider whether you should give the site your personal information. In an age where identity theft is common, it pays to be careful with such information.

You can also check whether the privacy policy has an "opt out" procedure that you can invoke if you do not want to permit a particular use of your information, such as sharing it with marketing partners.

Selected Privacy Policies for Comparison*

BANKING SITES
Citibank; Republic First Bank; TD Bank; Wachovia Bank; Wells Fargo

DRUG STORES (Prescriptions, Rebates)
CVS; Duane Reade; Rite Aid; Safeway

GOVERNMENT
Federal Trade Commission (FTC); Internal Revenue Service (IRS); The White House; US Department of Commerce; US Department of Justice; US Patent & Trademark Office

MEDICAL SITES
Johns Hopkins Medicine; LabCorp; Mayo Clinic; Quest Diagnostics; WebMD

NEWS ORGANIZATIONS
ABC News; CNN; Fox News; MSNBC; NY Times; Wall Street Journal; Washington Post

SEARCH ENGINES
Ask.com; Bing; Google; Yahoo

SHOPPING SITES
Amazon; Barnes & Noble; LL Bean; Sears; Starbucks; Target; Wal-mart (a new policy will go into effect Aug. 23, 2009 – the link points to a series of privacy policies available through Wal-mart)

SOCIAL NETWORKING SITES
Facebook; LinkedIn; MySpace; Twitter

USER-GENERATED CONTENT (Photos, Videos)
Kodak EasyShare; Shutterfly; Snapfish; YouTube; Zazzle

FOREIGN SITES (with different legal requirements)
Agence France-Presse; BBC (see also its Targeted Advertising Update, for users outside the UK only); The Economist; The Financial Times; World Intellectual Property Organization

* Note: By posting links to the privacy policies of the web sites identified above, I am not making any representation or endorsement about the value of the products or services provided by these sites or about the validity or enforceability of their privacy policies. These links were chosen somewhat randomly and are intended to serve as examples of the various ways a site can explain its treatment of data collected from visitors.
