Business owners deal with customer information every day -- from shopping preferences to purchase history and personal information including credit card numbers and home addresses. We spoke with two privacy experts to find out what you need to know to develop a privacy policy for your online business.
"Every business should protect Personally Identifiable Information (PII)," says
S. Jenell Trigg, chair of the New Technology and Media Practice Group at Washington, D.C.-based law firm Lerman Senter.
PII is any customer information that a business collects such as a customer's name, home address, phone number, e-mail address, or social security number. Trigg says privacy policies are especially important for online businesses because information is easier to collect and can be abused more readily.
Joanne McNabb, director of Privacy Education and Policy with the California attorney general's office, says companies should develop a privacy policy for several reasons. If your company has customers in California, it's the law to disclose what information is being collected and how the information will be used. It's also a trust-building practice with customers who are concerned about how their information is being used.
Related: Customer Privacy: What You Need to Know About Social Media, Passwords and Transparency
Here are six tips to consider when developing your privacy policy:
1. Decide how long you will keep customer information.
McNabb recommends businesses disclose how long they will keep information in their policy. For sensitive information, such as credit card numbers, data breach notification laws in many states require businesses to contact consumers and state regulatory agencies if computer systems are hacked or disrupted. The longer you hold on to customer data the greater the risk consumer information will be compromised.
2. Make your policy easy to read.
Privacy policies used to be lengthy and hard to understand. Trigg notes that companies are now encouraged to provide shorter, concise, user-friendly privacy policies that describe what information is gathered and whether it's shared with other companies.
3. Craft clear and conspicuous disclosures.
Your website should have an easy-to-find link to your privacy policy. Apps should have a link on the app platform so customers can know what information will be collected and how it will be used before they download.
4. Don't copy another company's policy.
Trigg cautions against using another company's privacy policy to write yours. "It is very important that a business accurately reflect its actual business and security practices in its privacy policy," Trigg says. If a business copies another company's privacy policy, the Federal Trade Commission (FTC) or state law enforcement groups may find that a business has engaged in deceptive trade practices.
5. Consider hiring an expert.
Lawyers specializing in privacy and data security know the law in various jurisdictions and have experience advising clients, from small to large businesses, regarding privacy matters.
6. Look for resources to help develop your policy.
In addition to seeking out professional guidance, many states provide "best practices" handbooks, available on state government websites. The FTC recently released a list of recommendations to businesses and advertisers, such as providing easy-to-read consumer disclosures and obtaining user consent before collecting sensitive information.