Employer Privacy Policies: A How-To Guide

In 2005 Michigan became the first state to pass a statute requiring employers to create an internal privacy policy that governs their ability to disclose some forms of highly sensitive information about their employees. Michigan’s Social Security Number Privacy Act expressly requires employers to create policies concerning the confidentiality of employees’ social security numbers (“SSN”) and to disseminate those policies to employees. New York adopted a similar statute. Several other states – Connecticut, Massachusetts, and Texas – have statutes mandating the establishment of privacy policies that could also apply in the employer-employee context. …

Guidelines for Online Behavioral Advertising

Behavioral advertising refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers of people who visit the site, so that those individuals can be monitored across a behavioral advertising network. …

Op-ed: Don’t Blame Companies for Convoluted Privacy Policies

It’s a myth that consumers read privacy policies. They don’t. I know that because I like privacy policies more than almost anyone – I’ve written them, I’ve defended them, I’ve analyzed them – and yet I can’t remember the last time that I went to purchase something online for myself and read the company’s privacy policy. If privacy lawyers don’t pause to read them, I’m confident that average consumers do not.

It’s no surprise why consumers don’t read them. Assuming that a consumer cares about privacy and assuming that they think about reading a policy before submitting information online, privacy policies read like mini legal treatises. They refer to technology that may be hard to understand (e.g., what is a clear gif?), and subtle but significant differences that might not be obvious to some consumers (e.g., what does it mean to share data for “joint marketing with a third party,” but not for a third party to market themselves?).

About a year ago, I was asked to moderate a panel discussion on “best practices” when drafting privacy policies. We had a great panel of regulators, noted privacy officers, and general counsel, and I was excited to hear some new perspectives. I turned the discussion to a topic that has been on my mind for years – is it possible to draft a truly simple privacy policy that would be quick and easy for a consumer to read and understand? We talked about various companies that had attempted this by trying to use plain language, reducing word counts, or using matrices, graphics, tables, hyperlinks, rollovers, or cross-references. At the end of the day, despite some commendable efforts, nobody could think of a truly successful attempt at making a privacy policy digestible.

There was some agreement as to the reason policies tend toward being long, convoluted, and legalistic. Privacy practices are complex, and plaintiffs’ attorneys and regulators can be unforgiving. For example, a company that does not intend to sell, rent, or share information may want to simply say that to consumers using those eight words: “we do not sell, rent or share information.” The truth is, however, that there are no definitives when it comes to information. If the company has service providers (as most companies do), it inevitably shares information with consultants, lawyers, product fulfillment companies, etc. If a company receives a subpoena (which any company could), it may have to share information with the government. If the company is acquired (which many companies are), it will sell the information to the acquirer. If the company is sued, it may have to share the information with a plaintiff. The eight-word statement suddenly becomes a 100-word list of exceptions and exclusions to ensure that a company is not accused of deception by carrying out normal (and in most cases unavoidable) sharing practices.

The net result is that the precision that the plaintiff’s bar and some regulators have demanded forces companies away from brevity and toward legalese. The end result is a precise policy that no consumer has the time (or attention span) to read.

What to Consider When Drafting or Reviewing a Privacy Policy

Although financial institutions, health care providers, and websites directed to children are required to create consumer privacy policies under federal law, other types of websites are not. In 2003, California became the first state to impose a general requirement that most websites post a privacy policy. Under the California Online Privacy Protection Act (“CalOPPA”), all websites that collect personal information about state residents must post an online privacy policy if the information is collected for the purpose of providing goods or services for personal, family, or household purposes. Since the passage of the CalOPPA, most websites that collect information – whether or not they are directed at California residents or are otherwise subject to the CalOPPA – have chosen to post an online privacy policy. …

The Top Three Privacy Takeaways of the New Delaware Online Privacy and Protection Act

Delaware’s New Privacy Policy Requirements

Effective January 1, 2016, Delaware became the second state in the U.S., joining California, to require operators of commercial websites that collect personally identifiable information to post online privacy policies. The Delaware Online Privacy and Protection Act (DOPPA) applies to anyone who operates a “commercial internet website, online or cloud computing service, online application, or mobile application.”…

Understanding Social Security Number Privacy Policies (2016)

Social Security Numbers (“SSN”) were originally established by the Social Security Administration to track earnings and eligibility for Social Security benefits. Because an SSN is a unique personal identifier that rarely changes, federal agencies use SSN for purposes other than Social Security eligibility (e.g., taxes, food stamps, etc.). In 1974, Congress passed legislation requiring federal agencies that collect SSN to provide individuals with notice regarding whether the collection was mandatory and how the agency intended to use the SSN. Congress later barred agencies from disclosing SSN to third parties. Federal law does not, however, regulate private-sector use of SSN. …

How to Obtain EU Binding Corporate Rules (BCR) Approval (2016)

The following provides background concerning the approved Binding Corporate Rules (“BCR”) procedure. BCRs are in-kind privacy rules and standards that allow multinational groups of companies to transfer personal data within their group of companies, including to corporate affiliates outside of the EU. In order to obtain approval of a BCR, a company’s privacy policy has to demonstrate that it ensures an adequate level of data protection and respective safeguards under EU law. BCR are an internal tool only and do not allow for any data transfers outside of a corporate group. …

Best Practices For Drafting Employee Privacy Policies (2016)

In 2005 Michigan became the first state to pass a statute requiring employers to create an internal privacy policy that governs their ability to disclose some forms of highly sensitive information about their employees. Michigan’s Social Security Number Privacy Act expressly requires employers to create policies concerning the confidentiality of employees’ social security numbers (“SSN”) and to disseminate those policies to employees. …

Webinar: An In-House Attorney’s Guide to Creating an Effective Privacy Policy

June 28, 2016 at 12 p.m. EDT

Almost every company now has an online presence and, with it, an online privacy policy. While privacy policies are not new, attorneys need to keep current with the laws and regulations and to draft the policies effectively so that consumers can understand them. Boulder Partner David Zetoony and Associate Christopher Achatz discuss the legal issues involved with drafting privacy policies and explore best practices on how to create effective policies. Click here for more information or to register.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Webinar: Life After the Safe Harbor Under the “Privacy Shield”

March 3, 2016 at 12 p.m. EST

Companies of all types were caught off guard when the EU-U.S. Safe Harbor data transfer framework was invalidated in October 2015. In the months following the invalidation, many companies anxiously awaited a replacement for the original Safe Harbor framework. That replacement has now been announced in the form of the newly-negotiated “Privacy Shield” framework. Join Jana Fuchs and Jason Haislmaier as they discuss the details of the Privacy Shield framework, provide an update on the current status and timeline for the formal adoption of the Privacy Shield, and provide strategies for compliance in EU-U.S. cross border data transfers both now and following adoption of the Privacy Shield. Click here for more information or to register.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Mobile App Privacy Policies At A Glance (2015)

Many of the most popular mobile apps collect personally identifiable information. Although most app developers are not required to display a privacy policy under federal law, they are contractually required to do so pursuant to the terms and conditions of the platform for which the app will be marketed. …

Behavioral Advertising At A Glance (2015)

Behavioral advertising refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers …