«

»

Jul
27
2010

When a shortsighted privacy policy could cost your company millions

John Gamble, CIPP
Marketing & Communications Associate
TRUSTe

iStock_000007271353Small

If you have an online business and there’s the possibility of an acquisition or bankruptcy in your company’s future you would be wise to review your privacy policy. What kind of promises does your policy make about your use of personal information and are those promises realistic in the event that your company is acquired or goes bankrupt and must sell its assets? Personal information is the new digital currency and for many online companies it’s their most valuable asset. If your privacy policy claims that you will never share a specific type of personal information such as email addresses with third parties you may find yourself unable to transfer or sell information assets as part of an acquisition or bankruptcy proceeding.

Earlier this month a bankrupt, youth-oriented website found itself in this very position when the Federal Trade Commission (FTC) warned them that selling their former subscribers’ information would violate the company’s privacy policy and risk enforcement action. David Vladeck, the director of the FTC’s Bureau of Consumer Protection, was very clear on this point.

“The XY privacy policy is simple, explicit, and clear,” Vladeck wrote. “Subscribers and members were told that their personal information would not be sold, shared, or given away to ‘anybody.’ Therefore, any sale or transfer of the data to a new company, new owner, or other third party would directly contravene the privacy representations and could constitute a deceptive practice by the original company or its principals.”

In June, privacy lawyers Lisa J. Sotto, Scott H. Bernstein and Boris Segalis of Hunton & Williams wrote an excellent article on this subject entitled “Emerging Privacy Issues in Bankruptcy“, which you can read here. They conclude:

“While it is critical to address consumers’ privacy expectations in preparing privacy notices, it is also important for companies to avoid excessive privacy commitments that may adversely affect strategic business interests now and in the future, including the value of the company’s personal information assets.”

If you’re a large company your privacy policy should be subject to regular review and revision as it adapts to your evolving business. Privacy policies need not only accurately reflect current information practices, but should also be forward-looking documents that anticipate future information needs. So word your privacy policy appropriately and as always, provide your customers with transparency, accountability and choice surrounding the collection and use of their personal information. Be sure to check out our page providing additional best practices for businesses to build trust with consumers.

Comments