Avoid Being Sued And Losing Customers: Don’t Go Changing Your Privacy Policy Willy-Nilly!

Many organizations change their posted privacy policies frequently, and often without giving their customers any notice. This is dangerous. Always keep in mind that your posted privacy policy is a legally binding contract with your customers. You cannot agree to do one thing with your customers’ personally identifiable information (PII) when they start doing business with you and then change that agreement without notifying your customers and giving them the opportunity to agree to the change.

Can you imagine if other types of contracts were changed so easily? “Yes, you bought a car with a 1% interest rate on a 60-month contract, but we decided that we wanted to change it to 10% with a 12-month term. We’re happy to have your business!”
No. That would not work.
Changing your contractually binding website privacy policy without giving proper notice and obtaining consent from your customers doesn’t work either. In fact, a recent judgment supports this.
On July 18, the U.S. Court of Appeals for the Ninth Circuit ruled that Talk America, Inc. did not effectively communicate the change in its terms of service when it posted a revised contract on its website and gave customers no further notice.
This judgment supports the need for organizations to establish effective ways of communicating changes in their website privacy policies to their customers, and it shows that a nondescript notice on the website is not sufficient to count as effective communication.
The judgment should make organizations realize that they must find ways to emphasize and highlight any changes they are making to their privacy policies.
There must be a way to provide conspicuous notice of the change, and an effective form of consent by the customers to the change should be obtained.
This brings up the possibility that some companies may choose to continue to apply previous privacy policies to their existing customers from whom they have already collected PII, and then apply the new policies to their newly obtained customers’ PII from that point forward. I have seen some lawyers promote this.
However, think about the problems with trying to maintain two different policies for two different sets of PII.
* You’d have to flag in some way within your data files the newly obtained PII and then have different procedures for those to match the new policy.
* IT data files would need to be changed, along with possibly the access authorizations, depending upon what the change was.
* You’d be treating your two groups of customers differently; a potential powder keg with explosive public relations impact.
* It is likely your marketing and call centers would need to treat the two sets differently.
* And the list goes on…
No. Considering all the logistics involved, trying to keep an old privacy policy that applies to “old” customer PII alongside a different privacy policy for new customer PII would likely be a nightmare.
Instead, it is important that the privacy policy you post in the first place is a good one: one that will stand the test of time, accurately reflects how you protect customers’ PII, and meets the basic privacy principles.
But for most organizations, the privacy policy horse is already out of the barn; many privacy policies that were posted in haste are not good and need to be changed, but with caution.
This means that if you really need to make a change to your website privacy policy, you need to carefully plan how to communicate those changes to your customers and obtain some type of consent from them for the changes. Consider using a combination of the following, whichever works best for your organization.
* Display a prominent banner on your home page with notice of the change. Ask your website visitors to click a link that goes to an explanation of the new policy, along with a description of the changes to the policy and how they impact customers.
* Provide a “consent to policy change” notice on your customer’s online account. Ask them to click to agree to the change, and communicate what they need to do if they do NOT consent to the change.
* Send an email providing notification of the change to your customers. NOTE: This could be blocked by a spam filter, so it may not be considered effective notice on its own.
* Send a postal mailing to your customers notifying them of the change, along with consent information.
* Provide a very conspicuous notice on your new policy indicating that the policy has changed, and that customers should go to their accounts to consent to the changes.
There are several other possibilities, but this should give you a good start in considering your options.
Very importantly, *TALK WITH YOUR LAWYER ABOUT THE OPTIONS*!! You want to make sure that your legal folks understand the consequences that any change they may want to make will have upon the IT, Information Security, Privacy, Marketing, Customer Service and Public Relations areas.