Do Your Terms Of Use Try To Gut Your Privacy Policy Promises?

I see a growing trend in organizations trying to gut the promises made in their website privacy policies through sneaky wording they place in their rarely read "Terms of Use" statements.

Over the past few months I have heard from some CISOs and CPOs who are concerned about some of the wording that their legal counsels are suggesting they put on their web sites. And rightly so. Why? Because the proposed "Terms of Use" statements seem to be 1) trying to eliminate all liability for the organization for anything bad that happens to the personally identifiable information (PII) submitted to or accessed from the site; 2) basically nullifying the posted privacy policy; and 3) trying to require the website user to agree to these terms just by using the site...no active acknowledgment or agreement necessary.

Here is a composite of around half a dozen worrisome passages from the draft Terms of Use statements I've seen...

  • "By accessing or using any of the Company X websites you agree that you will comply with, and that your access/use will be governed by, the following Terms of Use."

This is a form of an "implied consent" contract. Using these types of statements is not typically looked upon favorably by regulatory oversight agencies, such as the U.S. Federal Trade Commission (FTC).

  • "You are permitted to access and make personal use of the Company X Sites. This use, however, does not include the use of data mining or similar data gathering and extraction tools."

The term "data mining" is not defined anywhere in the documents I've reviewed, and so is open to widely subjective interpretation. The terms "similar data gathering and extraction tools" are also undefined. Most of your customers would consider getting access to their own account information as a type of "data extraction tool."

  • "Although Company X has used reasonable precautions to safeguard the confidentiality of information received and sent over the Internet or by electronic mail (e-mail), Company X cannot guarantee the confidentiality of such information. If you correspond with us via the Internet or by electronic mail (e-mail) you agree to waive claims against Company X and its suppliers regarding any third party's access to or use of information that you provide to Company X or information that you receive from Company X."

Whoa!

Some of the content of this "terms of use" document is very worrisome. Quite frankly, I think the FTC would use passages from these documents as examples of what organizations should NOT post on their websites!

Organizations cannot remove their liability and responsibility for security incidents or privacy breaches through these types of implied consent statements, especially since many people who correspond by email may never actually have visited your website. The FTC has been very clear about this issue in numerous statements it has released over the years. For example, as Ellen Finn, an attorney in the FTC's Bureau of Consumer Protection, stated on April 6, 2004, when discussing website privacy policies: "What you promise in the headline you cannot take away in the fine print."

It is pretty common, and a good thing, to put a "Terms of Use" statement on a web site, but only if it is worded appropriately. It must support, and not conflict with, your posted privacy and/or security policy and the other policies on your site.

Posting these composite excerpted passages, as worded, would be a very dangerous thing to do, along with being a red flag to regulatory oversight groups. When I have seen wording like this in the past, it has typically been in FTC discussions of unfair and deceptive business practices involving such "implied consent" contracts. This has often led to significant fines and long-term penalties (such as 20 years) under the FTC Act.

The main issue is that your site would be forcing any website visitors/users into an agreement without getting their active and clearly supplied consent, and often without their knowledge.

Remember, privacy promises can be, and often are, made in many different locations on a website, not just in the website privacy policy.

Compare your privacy policy to what you say in your...

  • Legal notice
  • Terms of use
  • FAQs
  • Information collection points
  • Any other areas where you might discuss information collection, use, maintenance, security, or disclosure
What did you find? Conflicting promises? These are legal problems ready to hatch!

Now, and on an ongoing basis, review the privacy and security promises you are making throughout your entire website. Resolve any conflicts. For example, don't tell your website users in the privacy policy that you have implemented strong security measures to protect their PII, and then in your terms of use state that your organization is not responsible for any security incidents that could occur involving PII.

Also consider and carefully plan:

  • How to correctly make changes to the privacy promises on your site; you cannot just make changes on the fly to this legally binding contract.
  • How to address third-party issues when your organization acquires other organizations with websites, or acquires websites themselves.
  • How to address purchasing customer (PII) databases from other companies that collected the PII via their websites; what privacy promises did they make to those individuals?

Schedule a time to speak with your legal counsel about these issues.

Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.