Need a handy acronym to keep on track with privacy planning? Try this: your policy needs to be Adequate, Accurate, and Authentic. Customize, implement, and revisit as necessary.
But where to start? Is it enough to go to your competitor’s website, copy their privacy notice, and cut-and-paste your company name in place of theirs? Uh, no. For one thing, copying material from someone else’s website is probably a copyright violation. Also, realizing that this notice operates as a contract between you and your customers, are you absolutely certain that you want to, and can, be bound to the obligations in this unexamined pilfered document? (And really, if this other business is so similar to yours that you can rely on the same, exact terms that they do, should you be running this business in the first place?)
Maybe you can avoid the issue by not posting a privacy notice at all. You run a clean and respectable business, and you do take reasonable care managing the personal data that you hold, so why make trouble for yourself by publishing a privacy notice?
Adequacy is primarily a legal question, and can be broken down into two main analyses:
Sectors: what commercial sectors do you operate in, and are they subject to state and/or federal regulation? Is your sector additionally subject to self-regulation? Examples of regulated sectors include finance, healthcare, utility, education, and products for kids. Self-regulatory bodies include PCI, DAA/NAI and certification programs like TRUSTe. All of these sectors and regulators offer baseline privacy and security requirements that you must meet in order to maintain compliance.
Geographies: where is your company located, and where do you sell your products? Most US states have data breach notification laws for companies located within their boundaries, and many have comprehensive regulation requiring companies to implement controls that protect their customers against data breaches in the first place.
Additionally, you must consider the regulations of the states where your customers are located. If you sell to customers who reside in California (and it’s hard to imagine the online business that doesn’t) you are subject to the California Online Privacy Protection Act (CalOPPA) and possibly several other state-specific rules. The penalties for noncompliance are significant (at $2500 per download, for example, a good first day selling your new app could cost you a couple million dollars).
Similarly, sales, marketing, and data transfer operations conducted outside the US may be subject to very different regulations and likewise incur significant penalties for noncompliance.
Accuracy is primarily a design and operations question, looking at how your products and marketing activities implement your business model.
And remember, privacy can’t be outsourced. Even when you work with vendors and third-party processors, the buck always stops with you. It’s your brand, reputation, and insurance policy on the line!