THE PRIVACY AUDIT CHECK LIST

IVAN HOFFMAN, B.A., J.D.


        If you own, operate, host, design or build web sites, you are potentially at legal risk if those web sites are operated in a manner that violates the ever-growing body of law dealing with privacy policies or the lack thereof.  There are a number of articles on my site under the link “Articles About Privacy” that deal with some of these issues and the reader is strongly encouraged to read those articles.  This article is intended merely as a check list of those and other issues that sites must be aware of if they are to try and stay out of legal trouble.  This article is limited to privacy issues as they pertain to the Internet and the operation of web sites and it deals primarily with the legal and business issues with regard to the same.

The Questions

        1. Does your business need a privacy policy?  There are some areas in which privacy policies are mandated, as discussed below.  However, there is a growing trend among legislatures that seems to indicate that at some point such policies will be required.  The real issue today is whether or not, from a marketing standpoint, such policies are something a business should have.  However, if your business elects to have a privacy policy, then that privacy policy is subject to review and regulation and violations of that policy, both with regard to children and others, can bring significant penalties.

        2. What is the nature of the business? Does the business sell goods or provide services and if so, does it collect information from site visitors?  Is the information that is collected marketable?  Is the information niche-specific or more broad-based?  Is there a value to seeking endorsement from organizations that your privacy policy complies with their standards?

        3. What sort of data is to be collected?  Is it limited to merely a collection of email addresses or does the data include “cookies” and other information?  What is the mechanism for a party either opting in or opting out of the pool of information? Is that mechanism followed with care, especially with regard to opt out procedures.  Many of the laws being proposed focus in on the mailer removing the names of those who opt out at the first request.

        4. From whom is the data to be collected?  Are “children” actual or potential visitors to the site?  The most important area in which privacy policies are required relate to sites that fall within the scope of the Children’s Online Privacy Protection Act (COPPA) and compliance with the intricacies of that act is essential.  What methods are in place for obtaining the necessary “verifiable parental consent?”  The penalties are severe for failure to so comply.  There are other laws regulating privacy issues such as health information, financial information and student data collected by schools, among others.

        5. How is the data to be used internally?  How is the data stored?  Who has access to that data?  What procedures are in place to prevent a party with access from taking that data when he or she leaves the organization?  Are there appropriate non-disclosure, non-compete and confidentiality agreements in place?

        6. Is the information sold or leased to third parties?  In your licenses, are the issues related to ownership of the data and rights to use the data covered with particularity?  Is any of the data considered confidential such as customer lists in the offline world?  Are there appropriate non-disclosure, non-compete and confidentiality agreements in place? What are the other rights and duties of the licensee with regard to the data including with regard to obligations to delete the data of parties who have provided the same but now wish to “opt out?”

        7. Is the privacy policy clearly visible and accessible from the home page and all other relevant pages of the site?  Does the policy set forth with particularity the nature of the data collected and how it is intended to be used?  Violations of one’s own privacy policy, even if it is not subject to COPPA, can bring heavy penalties.

Conclusion

These are merely a summation of some, but certainly not all, of the issues an online business has to face with regard to privacy.  Since privacy appears on the top of nearly every list of concerns that Internet users express about the medium, it seems to indicate that every online business or any offline business with a web site should conduct a privacy audit whether or not that online business has a privacy policy.  Such an audit can determine if such a policy should be implemented and if the decision is to have such a policy, make that policy comply with both the marketing needs of the business as well as the legal requirements.

© 2001 Ivan Hoffman

****************

This article is not intended as a substitute for legal advice.  The specific facts that apply to your matter may make the outcome different than would be anticipated by you.  You should consult with an attorney familiar with the issues and the laws.
****************
No portion of this article may be copied, retransmitted, reposted, duplicated or otherwise used without the express written approval of the author.

FOR MORE INFORMATION:


MAIL

Where Next? 





Ivan Hoffman Attorney At Law || |More Internet and Electronic Rights Articles || More Articles About Privacy ||  More Articles About e-THICS || Home