Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).
Every privacy policy should contain a clear and concise statement of what personal information the organization collects, whether the company discloses the information to third-parties, and if so, under what circumstances, a list of the safeguards employed to protect the information, and a discussion of any opt-out provisions required.
Your company can face potential liability your privacy policy does not reflect your actual privacy practices. Claims and remedies based on privacy policies can include:
- Investigations by appropriate regulatory authorities.
- Orders prohibiting further misrepresentations;
- Orders requiring an independent, periodic analysis certifying that the company has a comprehensive information security program.
- Claims based on negligence for failing to follow enumerated policies.
- Civil fines.
- Officer and director liability.
It is vital that companies use customized privacy policies prepared after carefully considering their ability to deliver on their promises. For that reason, it is not advisable to copy policies from the internet, or promise more than is legally required.