
Avoid Being Sued And Losing Customers: Don't Go Changing Your Privacy Policy Willy-Nilly!

Many organizations change their posted privacy policies often, and frequently without giving notice to their customers; this is a dangerous practice. It is important to always keep in mind that your posted privacy policy is a legally binding contract with your customers. You cannot agree to do one thing with your customers' personally identifiable information (PII) when they start doing business with you and then change that agreement without notifying your customers and allowing them to agree to the change.

Can you imagine if other types of contracts were changed so easily? "Yes, you bought a car with a 1% interest rate on a 60-month contract, but we decided that we wanted to change it to 10% with a 12-month term. We're happy to have your business!"

No. That would not work.

Changing your contractually binding website privacy policy without giving proper notice to and obtaining consent from your customers doesn't work either. In fact, a recent judgment supports this.

On July 18 the U.S. Court of Appeals for the Ninth Circuit ruled that Talk America, Inc. did not effectively communicate the change in its terms of service when it posted a revised contract on its website and did not give customers any type of further notice.

This judgment supports the need for organizations to establish effective ways of communicating changes in their website privacy policies to their customers, and shows that simply posting a nondescript notice on the website is not sufficient to be considered effective communication.

The judgment should make organizations realize that they must find ways to emphasize and highlight any changes they are making to their privacy policies.

There must be a way to provide conspicuous notice of the change, and an effective form of consent to the change should be obtained from the customers.

This brings up the possibility that some companies may choose to continue to apply previous privacy policies to their existing customers from whom they have already collected PII, and then apply the new policies to their newly obtained customers' PII from that point forward. I have seen some lawyers promote this.

However, think about the problems with trying to maintain two different policies for two different sets of PII.

* You'd have to flag in some way within your data files the newly obtained PII and then have different procedures for those to match the new policy.

* IT data files would need to be changed, along with possibly the access authorizations, depending upon what the change was.

* You'd be treating your two groups of customers differently, a potential powder keg with explosive public relations impact.

* It is likely your marketing and call centers would need to treat the two sets differently.

* And the list goes on...

No. Considering all the logistics involved, trying to keep an old privacy policy that applies to "old" customer PII and a different privacy policy for new customer PII would likely be a nightmare.

Instead, it is important that the privacy policy you post to begin with is a good one: one that will stand the test of time, accurately reflects how you protect customers' PII, and meets the basic privacy principles.

But for most organizations, the privacy policy horse is already out of the barn; many privacy policies that were posted in haste are not good and need to be changed, but with caution.

This means that if you really need to make a change to your website privacy policy, you need to carefully plan how to communicate those changes to your customers and obtain some type of consent from them for the changes. Consider using a combination of the following, whichever works best for your organization.

* Display a prominent banner on your home page with notice of the change. Ask your website visitors to click a link that goes to an explanation of the new policy, along with a description of the changes to the policy and how they impact customers.

* Provide a "consent to policy change" notice in your customers' online accounts. Ask them to click to agree to the change, and communicate what they need to do if they do NOT consent to the change.

* Send an email providing notification of the change to your customers. NOTE: This could be blocked by a spam filter, so it may not be considered effective notice on its own.

* Send a postal mailing to your customers notifying them of the change, along with consent information.

* Provide a very conspicuous notice on your new policy indicating that the policy has changed, and that customers should go to their accounts to consent to the changes.

There are several other possibilities, but this should give you a good start in considering your options.

Very importantly, *TALK WITH YOUR LAWYER ABOUT THE OPTIONS*!! You want to make sure that your legal folks understand the consequences that the change they may want to make will have upon the IT, Information Security, Privacy, Marketing, Customer Service and Public Relations areas.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.