Setting Corporate Privacy Policy


In addition to questions of choice of law, there is frequently a considerable dilemma when a lawyer or chief privacy officer must confront a first draft or revision to a corporate privacy policy. In addition to the work involved in first identifying applicable privacy laws, most practitioners are quickly confronted with drafting choices that highlight the tension of both trying to be a good corporate citizen and also satisfying marketing, sales, and legal department guidelines. This tension is further exacerbated by either the absence of any specific privacy law requirements - which can cause marketing and sales staff to exert undue or unhealthful influence in the privacy policy drafting process - or by the imposition of significantly burdensome privacy law requirements, a fact that can impose cumbersome and costly procedures on data collection and sharing processes.

This tension, not surprisingly, is at the heart of the legislative debate concerning privacy regulation. Federal and state legislators are grappling with the tension between freedom of speech and the public outcry over unseemly corporate data sharing and collection methods. In the United States, for example, federal legislators are struggling with whether to require opt-in or opt-out privacy schemes. In an opt-in framework, a person's information cannot be shared unless he has expressly authorized disclosure. In an opt-out regime, collected personal data may be shared unless the data subject opts out of collecting and sharing practices. In the absence of formal legal requirements, a corporate privacy officer faces the dilemma of making these and other policy choices on her own.

In creating a privacy policy, one of the worst things a company can do is to develop a policy that is not well thought out or that the company doesn't have the capability to properly implement. It is a dangerous misconception that a privacy policy can be drafted with much forethought but no follow-up. In truth, it is better for companies to avoid creating voluntary privacy policies if they have no intention or ability to self-police compliance.

To resolve these issues, most privacy officers would welcome, in the first instance, clear guidelines on what privacy laws are applicable to any given transaction. More specifically, where two inconsistent legal frameworks could arguably apply, it would be most helpful to easily determine which laws are preempted or how inconsistent laws are to be harmonized. In the absence of clear statutory rules, the highest courts must provide greater guidance. While recent decisions on choice of law have been encouraging, there is still no clear legal test to apply to every case. Most companies, large and small, want to do the right thing regarding customer privacy. The absence of clear rules governing choice and conflicts of law severely complicates compliance efforts.

In addition, there has to be a greater education effort on privacy law issues. Trade associations, federal and state regulators, corporate law departments, and outside counsel all have to be proactive. In our experience, fast-growing technology companies are eager to learn and apply privacy laws, and as a matter of course, we are constantly educating clients on privacy developments. There is no doubt that privacy is a rapidly changing field, and for that reason more than any other it is critical to have a chief privacy officer and perhaps other individuals tasked with staying current on legal and privacy policy developments. A chief privacy officer himself, however, cannot ensure compliance. Human resources, marketing, sales, legal, and other staff need to be educated - not only about legal requirements, but also about the company's own internal policies and guidelines. Further, one person alone cannot be held responsible for all corporate privacy compliance requirements. Compliance must be a decentralized, shared responsibility and should be given to various departments, disciplines, and geographic locations.

Furthermore, it is critical that companies think holistically about privacy and privacy policies: Corporate privacy practices are not just legal contracts; they are public relations statements, marketing documents, legal guidelines, statements of business practices, and corporate culture. In this regard it is critical to understand several overarching principles when drafting privacy policies.

First, it is critical to acknowledge that privacy policies are not just consumer marketing documents. Privacy policies affect not only interactions with retail customers, but also relationships with third-party vendors and suppliers, as well as other corporate customers. For example, many corporations and government buyers will refuse to do business with vendors or suppliers that do not abide by fair information practices. In this context, the failure to create, understand, implement, and enforce privacy principles will adversely affect individual purchasing decisions and may also have an impact on millions of dollars of government or corporate buying. In some industries, such as healthcare and financial services, vendors and suppliers may be required to have privacy policies; in other cases where legal requirements are not directly applicable, industries may be subject to such scrutiny that they place a substantial premium on information practices. In the final analysis, it is important to acknowledge that privacy principles affect buying decisions.

Second, it is critical to understand that a privacy policy is not just a set of binding legal guidelines for information sharing and disclosure. The policies are also statements of corporate image, governance, and identity. As a result, these policies must be viewed as more than legal documents; they should also be forward-looking and should clearly contemplate future developments, as well as present data collection and sharing requirements. The failure to carefully contemplate current and future information-sharing practices can result in legal complications when companies confront the difficulty of obtaining retroactive consent to share data. Moreover, companies may find that they face public outcry when they make retroactive changes to their privacy policies. Often, these situations could have been prevented with some forethought. Companies have to carefully consider their business reputation and marketing practices when developing or changing policies.




The CTO Handbook. The Indispensable Technology Leadership Resource for Chief Technology Officers
The CTO Handbook/Job Manual: A Wealth of Reference Material and Thought Leadership on What Every Manager Needs to Know to Lead Their Technology Team
ISBN: 1587623676
EAN: 2147483647
Year: 2003
Pages: 213
