You need a Privacy Action Plan. Start here.

Need a handy acronym to keep on track with privacy planning? Try this: your policy needs to be Adequate, Accurate, and Authentic. Customize, implement, and revisit as necessary.

If you own or manage a business of any kind or size, you have almost certainly realized by now that you need to be responsive to privacy concerns. Your employees, customers, and investors all want and deserve assurance that you are treating their personal information with due care and respect, and that you aren’t using or selling their information in ways they wouldn’t expect or approve of. You need a privacy policy (internally) and a privacy notice (externally) that really capture and communicate your organization’s values.

But where to start? Is it enough to go to your competitor’s website, copy their privacy notice, and cut-and-paste your company name in place of theirs? Uh, no. For one thing, copying material from someone else’s website is probably a copyright violation. Also, realizing that this notice operates as a contract between you and your customers, are you absolutely certain that you want to, and can, be bound to the obligations in this unexamined pilfered document? (And really, if this other business is so similar to yours that you can rely on the same, exact terms that they do, should you be running this business in the first place?)

Maybe you can avoid the issue by not posting a privacy notice at all. You run a clean and respectable business, and you do take reasonable care managing the personal data that you hold, so why make trouble for yourself by publishing a privacy notice?

Unfortunately, the old ostrich approach doesn’t work if you are in a regulated industry like healthcare, education or finance; if you sell to customers in California; if you sell some kinds of apps through the Apple iTunes Store; or if you want to buy cyber insurance. All these playing fields have a published privacy policy as a cost of entry. And given that 89% of consumers in a recent survey agreed with the statement “I avoid doing business with companies who I believe do not protect my privacy online,” do you want potential customers to walk away when they discover that you don’t offer any information about your privacy practices — or worse, don’t have any privacy practices at all?

It’s important to note that we’re not just talking about privacy notices here — those unwieldy, outdated, and unread word salads buried at the bottom of websites. Privacy notices are incredibly important, because they form a kind of contract between you and your customers that can create all kinds of legal and regulatory obligations. But these notices represent only the external components of your organization’s core privacy values and operations – for example, you wouldn’t put your employee privacy protection policies, or your building security measures, in your outward privacy notice, but they are important components of your overall privacy policy.

Rather, your privacy policy is an internal manifesto, memorialized in document form and widely shared in your organization, that captures your core values around privacy in a manner that can be shared across functions and respond dynamically to changing business conditions. From the earliest stages of product brainstorming to daily front-line customer service, a privacy consensus lets everyone in the organization — and by extension your customers and partners — make independent decisions that reflect these core values. When you know your goals and beliefs internally, it’s a lot easier to carve out the customer-facing portion of the document and present it to the world as your privacy notice.

So, let’s start crafting a privacy policy that works for your organization. When complete, your policy will capture your company’s core values, educate your employees, and communicate with your customers as the basis for your privacy notice. It will be Adequate for the kind of business you are in; Accurate as to how you carry that business out; and Authentic so that it can be acted on by everyone who works with you and your customers. You’ll need to work with internal stakeholders, and possibly outside legal and security consultants, so give yourself some space to work and a reasonable schedule to work through the steps!

1. Is your privacy policy Adequate? Does it meet the minimum requirements for the marketplace where you operate?

Adequacy is primarily a legal question, and can be broken down into two main analyses:

Sectors: what commercial sectors do you operate in, and are they subject to state and/or federal regulation? Is your sector additionally subject to self-regulation? Examples of regulated sectors include finance, healthcare, utilities, education, and products for kids. Self-regulatory bodies include PCI, DAA/NAI and certification programs like TRUSTe. All of these sectors and regulators set baseline privacy and security requirements that you must meet in order to maintain compliance.

Geographies: where is your company located, and where do you sell your products? Most US states have data breach notification laws for companies located within their borders, and many have comprehensive regulation requiring companies to implement controls that protect their customers against data breaches in the first place.

Additionally, you must consider the regulations of the states where your customers are located. If you sell to customers who reside in California (and it’s hard to imagine the online business that doesn’t) you are subject to the California Online Privacy Protection Act (CalOPPA) and possibly several other state-specific rules. The penalties for noncompliance are significant (at $2500 per download, for example, a good first day selling your new app could cost you a couple million dollars).

Similarly, sales, marketing, and data transfer operations conducted outside the US may be subject to very different regulations and likewise incur significant penalties for noncompliance.

2. Is your privacy policy Accurate?

Accuracy is primarily a design and operations question, looking at how your products and marketing activities implement your business model.

If you tell users “we don’t share your personal information with third parties,” but you use free tools like Flurry or Google Analytics, your privacy policy isn’t accurate. If you accept credit cards, online or in person, and don’t keep up to date on your PCI compliance, your privacy policy isn’t accurate. If your registration process offers a method for users to opt out of data collection, and you collect and share users’ information regardless of user choice, your privacy policy isn’t accurate. If your privacy policy says that you rigorously control employee access to customer data, and your employees are keeping track of customers’ one-night-stands, your privacy policy definitely isn’t accurate!

An inaccurate privacy policy can lead to brand catastrophe and user lawsuits. Worse, it can attract the attention of the Federal Trade Commission, which has broad enforcement powers when it finds “unfair or deceptive” tactics used in commerce. You didn’t really mean to invite the FTC to stop by the office for a friendly audit, every year for the next 20 years, did you?

3. Is your privacy policy Authentic?

Authenticity is a cultural and communications question. Authenticity means that your company’s privacy policy is pervasive throughout the organization, accessible and frequently discussed. An authentic privacy policy can be applied cross-functionally, wherever people come in contact with personal or sensitive information, or design or implement processes that will collect, retain, analyze, or disclose such information.

This is where the rubber really meets the road. Do you view and monetize customer transactions as quid-pro-quo economic exchanges, or solely as information-gathering opportunities? Either way, the privacy policy discussion is your opportunity to make sure that your privacy ethos pervades your organization.

And remember, privacy can’t be outsourced. Even when you work with vendors and third-party processors, the buck always stops with you. It’s your brand, reputation, and insurance policy on the line!

Once your privacy policy is complete, you will want to revisit it regularly, and particularly when planning a new product, entering a new market or geography, or contemplating a sale or acquisition (more on that in an upcoming post). Having an adequate, accurate and authentic privacy policy is more than good corporate citizenship; it is a fundamental cost of doing business – get started on yours today!