A check-up for the privacy policy (or “privacy statement,” which is the increasingly popular industry term) posted on your company’s website is a good way to start evaluating your company’s digital advertising and privacy practices.  The online privacy statement is the primary means by which website operators (also known as “publishers”) communicate their privacy practices to users. 

These Four steps can help you successfully evaluate your company’s privacy statement:

First, find out if your company’s marketing strategy includes advertising based on consumer information collected through cookies or other tracking technology.  Even if this type of advertising is not part of current plans, your company’s website still may have third-party tracking activities occurring on it, and these activities must be disclosed in the privacy statement as of January 1, 2014.

Second, review the privacy statement displayed on your company’s website(s) and/or mobile application(s) and make sure it accurately, clearly and completely discloses the information collected from users, how it is collected (e.g., by your company or by third parties), how your company uses the information, and whether and how the information is disclosed to third parties.  If you use information that you collected from consumers for targeted advertising, make sure the privacy statement says so.  A federal judge in the Northern District of California recently reviewed a company’s online privacy policy to evaluate whether users reading the privacy policy would understand that they were agreeing to allow user profiles and targeted advertising based on the contents of their e-mails.  The court found that the lack of specificity in the company’s privacy policy about e-mail interception meant that users could not and did not consent to the practices described in the online privacy policy.

Third, find out when and how the privacy statement is or was presented to users who provide personal information through the company website(s) and/or mobile application(s).  Is the privacy statement presented as a persistent link in the footer of each webpage?  Are users required to agree to the privacy statement?  If not, consider implementing a mechanism that requires users to do so before providing their personal information.

Finally, if your privacy statement needs to be updated, make sure you notify all consumers in advance and ensure that the changes you propose are reasonable.  Unreasonable and overbroad changes made after the fact can cause reputational harm.  Instagram learned this at the end of 2012 when it tried to change its terms of service so that users’ photos could be used “in connection with paid or sponsored content or promotions, without any compensation to [the user].”  After a hail of consumer complaints, Instagram withdrew the revised terms and publicized new, more reasonable ones