Navigating Privacy Policies With the Help of PrivacyCheck

In my previous blog post, I discussed the fact that the United States has no comprehensive laws, regulations or guidelines regarding data privacy, instead relying on an ever-expanding patchwork system.

When it comes to privacy policies, a piecemeal arrangement exists here as well—there is no single, national statute requiring all businesses to post one. The major determinants in whether legal requirements obligate a company to post a privacy policy include:

• Type of industry or activity

• Geographic location of customers

• Sensitivity of data collected

• How a company uses data

International laws, such as the European Commission’s Directive on Data Protection, require a privacy policy of all businesses that collect PII.

Additionally, federal laws—such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm–Leach–Bliley Act (GLBA), and the Children's Online Privacy Protection Act of 1998 (COPPA)—apply to particular industries or children. HIPAA’s Privacy Rule states that patients must be notified about their privacy rights and how their information may be used. GLBA’s Financial Privacy Rule holds that the company must have a privacy notice that is "a clear, conspicuous, and accurate statement of the company's privacy policies." COPPA explicitly states items that must be included in the text of the privacy policy.

Lastly, certain state laws (e.g., CalOPPA) require any company collecting data from residents of that state to post a privacy policy. So, de facto as well as de jure, a vast majority of businesses are subject to these requirements. Examples include:

  • If you collect PII from any EU member state, the European Commission’s Directive on Data Protection requires you to post a privacy policy and to abide by strict guidelines.
  • If you are a financial institution, including a business that extends credit to its customers, federal law (GLBA) requires you to post a privacy policy.
  • If you offer health care or insurance plans, federal law (HIPAA) requires you to post a privacy policy.
  • If your website is aimed at children under the age of 13 or collects their personal data, both federal (COPPA) and state law (CalOPPA) require a posted privacy policy and prescribe specific restrictions against collecting certain types of data.
  • If you are collecting personal information from any California residents, California state law requires you to post a privacy policy.
  • Pennsylvania law makes it an offense for a person to knowingly make a false or misleading statement in a privacy policy.
  • If you collect payment card information from a Nevada resident, the state of Nevada requires the operator to comply with the Payment Card Industry Data Security Standard (PCI DSS) in its entirety except for the type of encryption. For encryption, Nevada requires compliance with the standards established by the National Institute of Standards and Technology (NIST).

Providing information regarding how customer data gets used is not only demanded by many laws and regulations; it is also a practical necessity, given the complicated state of online business transactions. For instance, any company that processes payment transactions online has a merchant agreement with its credit card processor that requires it to post a privacy policy. Similarly, if it uses Google AdSense advertising on its website, it is compelled to post a “transparent” privacy policy as part of its contract. As might be expected, this information is often lengthy and technical.

To help consumers understand what privacy policies actually say, IDWise, powered by the Center for Identity, has created an online tool called PrivacyCheck.

With a few clicks to install, the browser add-on shows you how a company handles your personal data, from email address and credit card information to sharing with advertisers and law enforcement. On your computer, find any company’s privacy policy webpage and click the PrivacyCheck icon in the top right area of the window. Then click Start in the pop-up box.

Using a research-based design and data-mining technology, PrivacyCheck breaks down the treatment of your personal information into categories that officials agree you need to protect. This overview is then organized into a simple "at a glance" format with red, yellow, and green icons indicating the level of risk.

Plenty of people are riding the wave of identity theft and sailing off with your data. That’s why we need tools like PrivacyCheck to help consumers understand the risks they take when they share their personal information and make informed decisions about which companies to trust. Providing consumers with the tools and resources to protect their PII is a first step in reducing the occurrence of identity theft and the severe consequences that often follow.