October 6, 2021 | Published Article

Privacy Policies: Drafting a Policy

This practice note discusses the key issues that a practitioner should consider when drafting or reviewing a client's privacy policy, including: the types of personal information collected by the client, the relevant legal and regulatory requirements, what information to include in the policy, and the importance of adhering to the policy in practice.

While there is no universal legal requirement that every company have a published privacy policy, consumers have become increasingly sensitized to the data collection practices of companies with which they do business. Often, they expect to be able to examine a company's privacy policy to learn how their data will be handled, which could impact their decision to do business with that company. Consequently, if your client collects consumer data via the Internet or otherwise (e.g., by accepting credit card payments, operating a website, or having an online marketing presence), it should create a privacy policy that it can maintain and which contains universally recognized privacy principles.

Privacy Policy Basics

A privacy policy is an external-facing statement that specifies a company's practices regarding the collection, use, and sharing of customer or consumer data (in most cases, such companies own or operate websites, mobile applications, social media platforms, or the like, though any company may have a privacy policy). It is distinct from a company's overall enterprise-wide program for processing personally identifiable information (PII) or any other information regulated by law.

A privacy policy should be viewed as a binding, enforceable agreement. While breach of contract claims based on privacy policy violations have been largely unsuccessful (either because the policies were not contractual in nature or the plaintiffs failed to adequately allege the requisite harm), the Federal Trade Commission (FTC) regularly brings enforcement actions against companies that misrepresent their privacy practices (in privacy policies or otherwise). For more on FTC enforcement, see Privacy Policies: Drafting a Policy below.

It is therefore crucial not only to have a well-crafted policy that addresses all applicable legal and regulatory requirements, but also to ensure that the organization adheres to the policy in practice.
