Over the years I’ve found, while doing website privacy policy reviews and gap analyses, that a large portion of organizations make promises within their posted web site privacy policies that they do not support with internal procedures, and for which they provide no internal personnel training and awareness communications; a huge risk!
I’ve also found that many organizations have online contracts for their web site customers that are in conflict with their posted privacy policies.
Do you know if your licensing, and other types of, contracts are in sync with your posted privacy policies?
As with any legal matter, be sure to discuss these questions and issues with your legal counsel.
My second article within my September issue of IT Compliance in Realtime Journal is “3 Things to Know About Privacy Policies and Legal Contracts” and it covers this issue in the third section of that article; download the full article to see a much nicer version…
___________________________________
Do Your Legal Contracts Conflict with Your Web Site Privacy Policy?
Have you performed a comparison between the proposed EULA, Terms of Use statement, Legal Disclaimer, License Agreement, or any other type of contract and your Web site Privacy Policy, which is a legally binding contract? You’ve already made those privacy promises to your customers and consumers. Generally, you cannot now invalidate those legally binding promises through statements you’ve made within your EULA.
I’ve come across many Web sites that promised they would never share any PII with anyone outside their organization within their posted Privacy Policy, but then stated in their Terms of Use statement that they reserve the right to share with “any party as determined is necessary to fulfill business processing.” I’ve also seen Licensing Agreements on sites that provide downloads blatantly contradict their posted Privacy Policy.
Let’s look at a real-life example. Consider the following full Privacy Policy from an un-named Web site that provides free downloads of search tools.

COMPANY X Privacy Policy

We do not sell, rent or trade any personally identifiable information you provide when using the COMPANY X website (“COMPANY X”).
We do not collect any personally identifiable information about you (such as your name or email address) when you use COMPANY X unless you specifically decide to provide such information in order to enhance your COMPANY X experience.
If you choose to provide us with an email address, we will not send an email to you unless you specifically request an email response to a customer service inquiry or contact is required in order to protect someone’s safety or to enforce our Terms of Service. You are not required to provide an email address to personalize COMPANY X.
When you visit COMPANY X, we place a small text file — called a “cookie” — on your computer that allows us to identify your Web browser. We use cookies to improve the quality of our service, and store your preferences and settings. Importantly, a cookie does not allow us to obtain any personally identifiable information (such as your real name and address) unless you have specifically provided such information when using COMPANY X.
If COMPANY X is ever sold or all or substantially all of the assets relating to the COMPANY X website and software are transferred to another entity, we will transfer the information you have provided (such as any stored preferences or toolbar settings) to the acquiring entity in order to ensure continuity of your personalized service.
We recognize and welcome our obligation to comply with the law and this policy is subject to that obligation. We will, therefore, disclose information, including cookies, in response to a request from law enforcement officials or as otherwise required by law, or if we believe it is necessary to protect someone’s safety, or enforce our Terms of Service. If we decide to materially change this Privacy Policy, we will prominently post those changes on this page.

This very poorly written Privacy Policy is the company’s legally binding promise to their Web site visitors. For example, of course a cookie can be used to obtain and store PII! It is up to the company to make sure a cookie is not implemented in such a way that it actually does contain PII. This is a very misleading statement.
Now let’s look at just a few of the statements from their Terms of Service, which is a much longer document, and contains a huge amount of legal jargon:
If at our request you send content (e.g., postings, contest submissions, polling questions) or you send us creative suggestions, ideas, notes, drawings, or other information (collectively, the “Submissions”), such Submissions shall be deemed, and shall remain, the property of COMPANY X. None of the Submissions shall be subject to any obligation of confidence on the part of COMPANY X, and COMPANY X shall not be liable for any use or disclosure of any Submissions. Without limitation of the foregoing, COMPANY X shall exclusively own all now known or hereafter existing rights to the Submissions of every kind and nature throughout the universe and shall be entitled to unrestricted use of the Submissions for any purpose whatsoever, commercial or otherwise, without compensation to the provider of the Submissions.
Wait, they said in their Privacy Policy that they “…do not sell, rent or trade any personally identifiable information you provide…” but now they are saying that they are not obligated to keep any of the information given to them in confidence? As written, this could arguably apply to your PII. I also found the statement, “…COMPANY X shall exclusively own all now known or hereafter existing rights to the Submissions of every kind and nature throughout the universe and shall be entitled to unrestricted use of the Submissions for any purpose whatsoever…” quite interesting. They certainly are trying to cover all their bases by applying their Terms of Service to all types of information “throughout the universe”!

WITHOUT LIMITATION, COMPANY X MAKES NO WARRANTY THAT THE COMPANY X SERVICE WILL MEET YOUR REQUIREMENTS, THAT IT WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, THAT THE RESULTS OBTAINED FROM THE USE OF THE COMPANY X SERVICE WILL BE ACCURATE OR RELIABLE, OR THAT THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL OBTAINED THROUGH THE COMPANY X SERVICE WILL MEET YOUR EXPECTATIONS.
And here is another winner of a statement! This company is coming right out and saying that they are not providing any type of assurance that their site is secure. They didn’t even mention security within their Privacy Policy, so this is one place where there is no conflict. Basically, their Web site visitors should expect their information will not be secured.
YOU EXPRESSLY UNDERSTAND AND AGREE THAT COMPANY X SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF COMPANY X HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM: (i) THE USE OR THE INABILITY TO USE THE COMPANY X SERVICE; (ii) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS AND SERVICES RESULTING FROM ANY GOODS, DATA, INFORMATION OR SERVICES PURCHASED OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO THROUGH OR FROM THE COMPANY X SERVICE; (iii) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA; (iv) STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON THE COMPANY X SERVICE; OR (v) ANY OTHER MATTER RELATING TO THE COMPANY X SERVICE. IN NO EVENT SHALL COMPANY X’S TOTAL LIABILITY TO YOU FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION (WHETHER IN CONTRACT, TORT (INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE), OR OTHERWISE EXCEED THE AMOUNT PAID BY YOU, IF ANY, FOR ACCESSING THIS SITE.
Thus, if Company X has a data breach involving your PII, they are trying to say that they will not be liable to you for any more damage than the amount of money, if any, you have paid them to that point? It would be interesting to see how this would actually hold up under a class action suit following a data breach. It would also be interesting to see what the FTC thinks of this company’s statements.
Perform a similar exercise comparing your organization’s posted Privacy Policy and your other posted legal statements to determine if there are any conflicts. As mentioned earlier, be sure to discuss your findings with your legal counsel, as well as your compliance officer, information security officer, and privacy officer.
___________________________________