The ins and outs of privacy policies
Many people complain that websites’ privacy policies are difficult to understand, sometimes because they’re vague and other times because they’re full of legalese. In fact, privacy was already an issue important enough to be discussed before the Reform Advisory Group (RAG) of the International Telecommunication Union (ITU), the United Nations agency governing world telecommunications. The RAG was a 22-member group created by former ITU Secretary General Yoshio Utsumi from among the delegates to the ITU. I was privileged to have been chosen to serve in the RAG in 1997, and I remember that privacy had been discussed in connection with the fast-tracking computer phenomenon, though not yet in connection with websites as we know them today.
Partly because websites’ privacy policies are so hard to understand, the World Wide Web Consortium (W3C) developed something called the “Platform for Privacy Preferences,” commonly known as P3P, a technological approach to interpreting and applying privacy policies.
As stated by the W3C, at its most basic level, P3P is a standardized set of multiple-choice questions covering all the major aspects of a website’s privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled websites make this information available in a standard, machine-readable format. P3P-enabled browsers can “read” this snapshot automatically and compare it to the consumer’s own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and most importantly, enabling users to act on what they see.
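To make the “machine-readable snapshot” concrete, here is an added example (not code from the original column, the W3C, or any browser vendor) that parses a P3P compact policy as a site would send it in an HTTP response header and compares it with a user’s preferences, which is what a P3P-enabled browser does before deciding whether to accept the site’s cookies. The token names follow the P3P 1.0 compact-policy vocabulary; the sample headers, the preference set, and the rule that turns them into an accept/reject decision are constructed for illustration and are not taken from the column or from any real site or browser. The rule checks exactly the point the column returns to later: with whom the site says it will share personal information, and whether marketing use is opt-in.

```python
import re

# P3P 1.0 compact-policy token groups (names as defined in the W3C spec).
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
FLAGS = {"DSP", "COR", "MON", "LAW", "NID", "TST"}
GROUPS = {"recipients": RECIPIENTS, "retention": RETENTION, "access": ACCESS,
          "categories": CATEGORIES, "flags": FLAGS}

# Constructed groupings used only by the preference rule below (assumption,
# not part of the P3P vocabulary itself).
IDENTIFYING_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}
MARKETING_PURPOSES = {"TAI", "PSA", "PSD", "CON", "TEL", "OTP"}
OUTSIDE_RECIPIENTS = {"UNR", "PUB", "OTR"}

# A token is three capital letters; purposes may carry a/i/o for
# always / opt-in / opt-out.
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")


def parse_compact_policy(header_value):
    """Parse a header such as 'P3P: CP="NOI DSP COR NID CUR ADMa OUR IND"'.

    Returns a dict: purposes mapped to their qualifier (a bare purpose means
    'always'), a set per other token group, and any tokens it could not
    interpret, so a caller never silently treats garbage as a policy.
    """
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if m is None:
        raise ValueError('header carries no compact policy (CP="...")')
    policy = {"purposes": {}, "unknown": set()}
    policy.update({name: set() for name in GROUPS})
    for token in m.group(1).split():
        tm = TOKEN_RE.match(token)
        if tm is None:
            policy["unknown"].add(token)
            continue
        base, qualifier = tm.groups()
        if base in PURPOSES:
            policy["purposes"][base] = qualifier or "a"
            continue
        group = next((name for name, members in GROUPS.items() if base in members), None)
        if group is None or qualifier:          # only purposes may carry a/i/o
            policy["unknown"].add(token)
        else:
            policy[group].add(base)
    return policy


def evaluate(policy, prefs):
    """Compare a parsed policy with user preferences.

    Returns a list of plain-language objections; an empty list means the
    policy is acceptable under those preferences.
    """
    objections = []
    identifying = (bool(policy["categories"] & IDENTIFYING_CATEGORIES)
                   and "NID" not in policy["flags"])
    if prefs.get("opt_in_for_marketing") and identifying:
        for purpose, q in sorted(policy["purposes"].items()):
            if purpose in MARKETING_PURPOSES and q != "i":
                objections.append(f"{purpose} on identifying data is {q!r}, not opt-in")
    if not prefs.get("allow_outside_recipients"):
        outside = policy["recipients"] & OUTSIDE_RECIPIENTS
        if outside:
            objections.append("data may be shared outside the site's own policy: "
                              + ", ".join(sorted(outside)))
    if prefs.get("require_dispute_resolution") and "DSP" not in policy["flags"]:
        objections.append("no dispute-resolution procedure declared (DSP)")
    return objections


# Constructed sample headers and preferences (not from any real site).
POLICY_MINIMAL = 'P3P: CP="NOI DSP COR NID CUR ADMa OUR IND"'
POLICY_BROAD = ('P3P: CP="ALL DSP COR PSAo TAIo OTPo OUR UNR OTR '
                'PHY ONL UNI COM NAV INT DEM STA PRE"')
USER_PREFS = {"opt_in_for_marketing": True,
              "allow_outside_recipients": False,
              "require_dispute_resolution": True}

if __name__ == "__main__":
    for name, header in (("minimal", POLICY_MINIMAL), ("broad", POLICY_BROAD)):
        objections = evaluate(parse_compact_policy(header), USER_PREFS)
        print(f"{name}: {'reject' if objections else 'accept'}")
        for o in objections:
            print("  -", o)
```

The example also makes the column’s central caveat visible: everything the browser acts on is a self-declaration by the site. Nothing in the header proves the site behaves as the tokens say, so a P3P match tells the user what the site claims, not what it does.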
Any website may choose to implement P3P, but no law requires any site to do so.
In theory, P3P should help consumers protect their privacy online. In practice, however, the impact of P3P remains unclear. Although, in early 2002, six of the top 10 websites had adopted P3P and the other four were considering it, the technology has not yet been widely implemented, and it is not certain that consumers can really understand it.
In one article criticizing Microsoft’s adoption of P3P in version 6 of its Internet browser, two lawyers said that the technology is expensive to implement and maintain; lacks enforcement and security; confuses consumers; and could create unclear legal consequences, such as if the P3P technology cannot accurately convey a subtle legal distinction in a site’s privacy policy.
Ultimately, until the acceptance of P3P becomes clearer, neither consumers nor businesses should ignore it. In particular, consumers should understand the limits of P3P, how their web browsers interpret it, and how to respond to the messages P3P can provide. Businesses, for their part, should pay particular attention to whether consumers are demanding that the sites they visit implement P3P; if this privacy technology takes off, drafting a P3P-compliant privacy policy could become very important for a website’s success.
The best way to understand what a typical privacy policy contains is to review the policies on websites you frequently visit. You’ll probably notice that the policies have many things in common, but you’ll also notice — if you read carefully — that they contain subtle differences, too. Interestingly, many policies may at first appear to be very protective but ultimately allow the company to do just about anything with its visitors’ personal information.
As far as my studies go, the following, to my mind, are the most common issues covered in a privacy policy: a) what personally identifiable information is collected from visitors to the website; b) who collects the information; c) how the information is used; d) with whom the information may be shared; e) what choices visitors have about collection, use, and distribution of the information; f) the kind of security procedures that are in place to protect the loss, misuse, or alteration of information; g) how visitors can access and correct any inaccuracies in the information collected; h) contact information so visitors can ask questions about the policy or voice complaints about it.
Probably the most important item on this list is with whom you intend to share your visitors’ personal information. Because the information you collect can be very valuable, you surely will be tempted, at one time or another, to sell, or, as it is called in the world of marketing, “rent” your customer information to someone else.
Certainly, a statement in your privacy policy such as “We may share personal information collected from visitors with other parties from time to time” is very broad and could allow you to rent your lists to just about anyone. Likewise, if your privacy policy says nothing at all about, for instance, with whom you will share personal information, you will have imposed no restrictions on yourself.
But the most difficult issues arise when you decide whether to limit the other companies with whom you will share your visitors’ personal information. That’s when quite a number of companies get into trouble. Examples of these limiting statements are: a) “We will not release personal information about you as an individual to third parties”; b) “As a matter of policy, we do not sell or rent any personally identifiable information about you to any third party”; c) “We will share your e-mail address with pre-screened third parties only if you request to receive offers of interest from these companies when you register as a new user.”
Drafting a good privacy statement — one that reassures your customers yet leaves you with the flexibility you need to make money — is no easy task and should be handled by a lawyer.
However, a number of online tools can help you create a privacy policy for your website. One of them is available from the OECD (Organization for Economic Cooperation and Development), established by a group of 30 countries to provide governments with a setting in which to discuss, develop, and perfect economic and social policy. The OECD offers a “privacy statement generator” that allows users to respond to a questionnaire to create a privacy policy.
But you should be very careful about using any automatically created policies or form policies available on the web, because your needs may be very different from web-generated stereotypes.
Have you heard about the debate a couple of years ago over “opt-out” versus “opt-in,” and perhaps found this rather confusing? For one thing, the concept itself can be difficult to grasp. For another thing, it’s mostly an academic debate since a lot of countries have no general Internet privacy law.
The issue boils down to this: What should a company be able to do with a user’s personal information by default, that is, if the user does not communicate any restrictions on the use of his or her personal information? Under the framework known as “opt-out,” a company can do whatever it wants with that information (subject to any applicable laws), unless the user has opted out by informing the company of some restrictions. Thus, for example, if a user registers at a website, the website operator can send e-mail advertisements to the user unless, during the registration process or elsewhere, the user has somehow indicated (such as by checking an appropriately labeled box) that he or she does not want to receive e-mail advertisements.
On the other hand, under the framework known as “opt-in,” the company cannot send any advertisements unless the user specifically indicated that he or she did want to receive them.
While some lawmakers around the world want to change the system, most subscribe to the opt-out system for Internet privacy issues. Of course, it is good business sense, and good practice, to let customers make the choice themselves.
In ending, let me mention the letter I received from Atty. Elena C. Marasigan, a practicing lawyer from Romblon who asked me why I was giving Internet legal advice pro bono through my articles when I could be charging a fee for this.
While the entire e-mail of Atty. Marasigan was extremely flattering and very complimentary, for which I am grateful, I’d like to inform her that since Internet law is still evolving throughout the global telecommunity, perhaps my articles can contribute, in some small measure, to the global effort to formulate the necessary legislation, including in my own country. And, of course, I derive a great deal of satisfaction from my readers throughout the world, even from two classmates of mine from Yale Law School who rediscovered me through my writing, and provided valuable insights.
By the way, Atty. Marasigan, this is not “a naïve — nay, stupid — effort,” as you called it; it is sublime, immeasurable compensation, for which I am deeply grateful.
* * *
Thanks for your e-mails sent to jtlichauco@gmail.com.