One of the items on the startup’s to-do list is posting a privacy policy on its web site.  Often they think that this is one item that won’t cost them anything if they take the do-it-yourself approach, meaning (i) finding a privacy policy that looks good on a website, (ii) copying it, (iii) searching and replacing the company name, and (iv) voila! privacy policy complete!  Yes? No, absolutely not.  Privacy policies must first and foremost be truthful statements of a company’s data practices.  Untruthful statements can lead to class action or other lawsuits, and enforcement actions from the Federal Trade Commission (the FTC) and state attorneys general, not to mention the adverse publicity that typically accompanies legal action against the company. 

Recent examples of companies that experienced significant legal problems based on their inadequate or improper privacy policy include the following:

  • Nomi Technologies, whose technology allowed retailers to track consumers’ movements through stores, was investigated for misleading consumers by stating that consumers would receive notifications when they were being tracked and be offered opt-out opportunities, despite the fact that no such mechanisms were available. Perhaps their privacy policy was a statement of functionality the company had planned for but not yet fully released, but the conflict between the stated and actual policies was problematic.
  • In 2015, six companies were alleged to have violated the FTC Act because their privacy policies stated that the companies were certified under a safe harbor program when those companies had never applied for membership in the safe harbor. The exact facts that caused the companies to make flatly untrue statements in their privacy policies are not known, but this has all the earmarks of companies that took the “quick and easy” path of copying and pasting another’s policy without careful review – a path that turned out not to be easy at all.
  • The FTC entered into a settlement with Snapchat to ensure that it does not misrepresent the extent to which it protects users’ privacy and security. The settlement includes Snapchat agreeing to twenty years of independent audits of its data practices. This case illustrates that apps, ever the darling of the startup, are held to the same standard as websites.
  • The FTC got involved when Facebook proposed to acquire WhatsApp. The message to the companies was that if WhatsApp made statements to its users about the protection of their data upon or after an acquisition, those statements must be honored or else risk FTC enforcement actions and, in the case of Facebook, violation of its consent order. Many startups hope to be acquired; data practices must be planned for and stated at the outset accordingly, and not forgotten about or dismissed at the negotiation table.

We recommend starting with a blank page and a completed privacy policy questionnaire that addresses the client’s website/app functionality, audience and intended data practices, such as selling data to or sharing data with marketing partners. It is more efficient to craft the answers into a privacy policy than to go in reverse; an attorney reviewing a policy submitted by a client does not know (without a meeting with senior executives and IT personnel) which statements are representative of the client's actual and intended practices and which may have been simply “borrowed” from another's policy. Untrue statements can result in immediate violation of law.

Even under California law (which has far-reaching implications in that it requires every company that collects personal information from a California resident to post and abide by a privacy policy), it is better to have no privacy policy at all than one that is untrue, as a company has thirty days after a notice of a violation to get into compliance before penalties attach.  There is no such grace period for an FTC enforcement action for an untrue statement that the FTC deems a deceptive trade practice.

This is also not a ‘set it and forget it’ exercise. As companies and business models change, all policies and terms of use should be reconsidered. A few hours a year is likely to be invaluable in allowing policy language to ‘catch up’ with business practice and in preventing expensive legal proceedings.