Over the past few years I’ve done a lot of research and reviewed a lot of privacy policies, and it’s really been amazing to see how the wording in many of them are not providing any privacy protections to website visitors or customers at all! In fact, some of them are downright tricking people into agreeing to share their personally identifiable information (PII) having software installed on their computers that they probably really do not want to have…
Do you review the privacy policies at the sites where you do business? Do you know what types of privacy protections they are REALLY promising?
Do you know what your own organization’s privacy policy says? Do you know if the privacy promises within it are being supported by documented procedures?
My second article within my Sepember issue of IT Compliance in Realtime Journal is “3 Things to Know About Privacy Policies and Legal Contracts.”
Here is the unformatted first section of that article; down load the full article to see a much nicer version…
___________________________________
3 Things to Know About Privacy Policies and Legal Contracts
It has never been easier for your personnel to download copies of software at the click of a button. And it has never been easier for your organization to offer software and other types of electronic documents to your Web site visitors. How do you protect your organization against the bad things that could occur through these downloads?
Legitimate software and electronic documents typically have a licensing contract to which visitors must agree via the “click” of the mouse at the appropriate location. If you allow your personnel to download software at will, do you know what they are agreeing to? Do you know what they are obligating your business to do? Do you know the risks that these types of agreements present to your business? Do you know how these types of agreements impact privacy? What if your organization is providing these click wrap agreements, often called End User License Agreements (EULAs), to your customers? Do you know what you should and should not do with regard to addressing related privacy concerns?
This article explores three questions about using Web site legal contracts for which business leaders should know the answer. As with any legal issue, take these to your legal counsel and discuss how they impact your organization.
Do Your Legal Contracts Trick Web Site Visitors into Installing Spyware?
Recently, I spoke with a CISO who said he was concerned about a “Terms and Conditions of Using This Site” or “Terms of Service”-type of legal contract his lawyer wanted him to post on the company Web site. He had good reason to be concerned.
The proposed Terms of Service included a statement similar to “By using this site, the site user understands and agrees to have certain types of personal information collected as a requirement of using the site’s applications and interactive services.” It didn’t stop there. It also included a statement similar to “The site user agrees to allow the site programs to download other programs, and communicate with other programs, in order to make the programs work correctly.” Some of the personally identifiable information (PII) the site collected included such things as name, personal interests, demographic data, profession, education, marital status, gender, age, income, and so on. The marketing area also wanted to take that information and sell it to marketing organizations as a new revenue path for the company.
Does this seem deceptive to you? It very well could to the U.S. Federal Trade Commission (FTC); they have been actively pursuing businesses that are practicing unfair and deceptive business practices through the wording in Web site legal contracts. Consider that in October 2005, the FTC brought a civil action against Odysseus Marketing, Inc. in New Hampshire for a similar type of action. Odysseus was loading spyware onto people’s computers when the Web site users thought they were actually installing a peer-to-peer (P2P)-type software program.
Be sure that the wording within any legal contract you provide to your Website visitors is clear, straightforward, and could not be considered, by prosecuting lawyers or by the FTC or others, as being deceptive. It could put your organization at risk of fines, penalties, and civil suits.
___________________________________
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy policy, privacy training, risk management, security training, spyware