
Recommended Practices on California Information-Sharing Disclosures

and Privacy Policy Statements

April 2008

This document is for informational purposes and should not be construed as legal advice or as policy of the State of California. If you want advice in a particular case, you should consult an attorney-at-law or other expert. The brochure may be copied, if (1) the meaning of the copied text is not changed or misrepresented, (2) credit is given to the California Office of Privacy Protection, and (3) all copies are distributed free of charge.

November 2004 Rev. April 2008

California Office of Privacy Protection privacy. 866-785-9663

Contents

Introduction ... 5
  Privacy Notice Laws ... 5
  Privacy and Customer Trust ... 5
  Benchmark Study ... 6

Recommended Practices ... 7

Information-Sharing Disclosures ... 8
  Disclosure Document ... 8
  Customer Choice Notice ... 9
  Notice of Information-Sharing Disclosure ... 10

Privacy Policy Statements ... 12

Notes ... 15

Appendices ... 19
  Appendix 1: Advisory Group Members ... 19
  Appendix 2: "Shine the Light" Law ... 20
  Appendix 3: Online Privacy Protection Act ... 28

California Information-Sharing Disclosures & Privacy Policy Statements


Introduction


Privacy Notice Laws

As was the case for each prior set of recommended practices issued by the California Office of Privacy Protection, these recommendations address practical issues raised by new California privacy laws. The "shine the light" law, known as SB 27 of 2003, imposes specific privacy notice requirements on certain businesses that share customer personal information with others for marketing purposes.1 This law is unique in requiring disclosure of the details of a business's sharing of customer personal information. The "shine the light" law was a response to growing consumer concern about such information sharing. This document also addresses the broader topic of privacy policy statements, including the requirements of the California Online Privacy Protection Act.2

Over the past three decades, an international consensus has developed regarding general guidelines for collecting and managing personal information, expressed as the Fair Information Practice Principles.3 The United States of America, as a member of the Organisation for Economic Co-operation and Development, participated in the development of these principles and reaffirmed their viability as recently as 1998, in the Declaration on the Protection of Privacy in Global Networks.4 In that work, the U.S. committed to respecting individual privacy rights as an essential component to building and retaining public confidence in a marketplace that is increasingly global and increasingly online. The Principles form the foundation of most privacy laws in the U.S. and elsewhere.

The issue of giving meaningful notice of privacy policies and practices concerns the most basic Fair Information Practice Principle: Openness. The issue has received considerable legislative attention. In developing the present recommendations, the Office of Privacy Protection considered several major laws in this area. The laws whose notice provisions we reviewed included, in addition to the California Online Privacy Protection Act, the California Financial Information Privacy Act; the federal privacy regulations and guidance on the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Safe Harbor framework; Canada's Personal Information Protection and Electronic Documents Act; and the European Union's Data Protection Directive.5 We note that the notice provisions of these different laws appear to be complementary. Nonetheless, meeting the requirements of several of them at once, as some companies must do, may present challenges in certain instances.

Privacy and Customer Trust

Recent research in the U.S. confirms the need for organizations to earn consumer confidence in the way they manage personal information. A national survey conducted in June 2004 by Privacy and American Business (P&AB) with Harris Interactive found that more Americans are acting on their privacy concerns today than five years ago.6 Consumers are particularly unhappy about the unauthorized use of their personal information for marketing, whether the use is by a company with which the consumer has a business relationship or by other companies with which the information was shared. The P&AB survey found that 87 percent of consumers had asked a company to remove their name and address from marketing lists, an increase of 29 percent since 1999. An equally striking 81 percent had asked a company not to sell or give their name and address to another company, up 28 percent since 1999. The P&AB survey also found that 65 percent of consumers online (more than 94 million people) decided not to register at a Web site because they deemed the privacy policy too complicated or unclear. Thus, an effective privacy policy statement is a critical element in winning customers online.

According to Dr. Alan Westin, a national expert on information privacy and the president of P&AB, the survey results confirm, "not just consumer resistance to what they see as intrusive marketing probes, but a clear desire to be given and to be able to exercise rational personal choices in how marketing to them is conducted by the companies those consumers already patronize."7

Another national study conducted in June 2004 by the Ponemon Institute (a think tank on privacy and information security policy) found that consumers gauge a company's privacy trustworthiness by three criteria. The most important factor is the company's overall reputation for product and service quality, followed by the company's limits on collection of its customers' personal information. The third factor is the use of advertisements and solicitations that respect consumer privacy.8

Other studies by the Ponemon Institute have found that organizations that achieve higher privacy trust ratings experience tangible positive outcomes.9 Examples of positive outcomes include higher consumer data accuracy, higher customer participation in online activities, lower customer churn rates, and much higher product or brand loyalty. The following key activities were common among companies with high scores:

• Providing clear and concise privacy policy statements and notices, including explaining the distinction between Web and non-Web privacy practices.

• Offering customers the ability to participate in data collection and use decisions, with well-defined steps for opting in or out.

• Setting limits on data sharing and providing clear information on how shared data will be used.

• Providing well-defined steps for redress and for making general inquiries about privacy issues.

More companies today recognize that respect for privacy is an essential component of customer trust and that privacy statements are, as a Canadian privacy official puts it, relationship builders rather than legal disclaimers.10 We offer these recommendations to encourage the provision of meaningful and understandable statements of a company's privacy practices. Such openness enables consumers to play their proper role in a robust free market.

Benchmark Study

In June 2004, the Ponemon Institute conducted a preliminary benchmark study on corporate preparations for California's "shine the light" law. Based on interviews with 32 mostly large companies, the study results show that some are striving to do more to track and control data sharing with direct marketers, including using data-tracking technology. A majority of the companies, however, see the requirement as a fairly simple revision to their existing privacy disclosure and notice process. The major changes being implemented included Web site redesign, printing and distributing customer information on the new law, and awareness training for customer contact personnel. Several respondents mentioned that the new requirement gave them an opportunity to build trust and confidence with customers. More information on the survey results is available from the Ponemon Institute.11


Recommended Practices

The Office of Privacy Protection's Recommended Practices

California law obligates the Office of Privacy Protection to protect the privacy of individuals' personal information by "identifying consumer problems in the privacy area and facilitating [the] development of fair information practices."12 One of the ways that the Office of Privacy Protection is directed to fulfill this mandate is by making "recommendations to organizations for privacy policies and practices that promote and protect the interests of California consumers."13

The recommendations offered here are neither regulations, nor statutory mandates, nor legal opinions. Rather, they are a contribution to the development of "best practices" for businesses and other organizations to follow in managing personal information in ways that promote and protect individual privacy interests, while fostering economic development.

The Fair Information Practice Principles underlie these recommendations. Following the common path marked out by the Principles can make it easier for businesses to harmonize sometimes various privacy requirements. This approach resembles that of the U.S. Department of Commerce's "Safe Harbor" framework, which is intended to "bridge different privacy approaches and provide a streamlined means for U.S. organizations to comply with the European Union's Directive on Data Protection."14 This approach also benefits consumers by encouraging a reduction in the number and complexity of privacy statements provided by a single business.15

The Office of Privacy Protection is extremely grateful for the generous work of the advisory group that assisted us on this project. The 22-member group included representatives of the banking, securities, insurance, health care, technology, telecommunications, retail, manufacturing, marketing and entertainment industries, along with consumer and privacy advocates. A list of the members of the advisory group is included as Appendix 1.

Recommendations on Information-Sharing Disclosures and Privacy Policy Statements

These recommendations focus on the disclosure of the details of a business's practices in sharing personal information for marketing purposes. This is but one aspect of a larger issue: the importance of providing individuals with meaningful notice of all of a business's policies and practices for managing personal information. These recommendations begin with the new California requirement that businesses disclose the details of their sharing of personal information. The recommendations then address how to notify customers of their right to obtain this disclosure or the alternative customer choice opportunity. Finally, the recommendations address the broader statement of a business's privacy policies and practices, including the requirements for online privacy statements.


Information-Sharing Disclosures

The key terms used in this document are defined, specifically for that use, in the box below.

Key terms (defined for use in this document)

Privacy Policies and Practices: An organization's rules and procedures for collecting, using, disclosing, protecting, and managing personal information.

Privacy Policy Statement or Privacy Statement: A written statement of an organization's Privacy Policies and Practices provided or made available to individuals whose personal information is involved.

California Customer Choice Notice: A component of a company's Privacy Policy Statement that allows a customer to choose to prevent the sharing of the customer's personal information with other companies for their direct marketing purposes, as provided by California Civil Code section 1798.83.

California Information-Sharing Disclosure: A company's list of categories of customer personal information shared with other companies for direct marketing purposes and a list of companies with whom the information is shared, as required by California Civil Code section 1798.83.

California Notice of Information-Sharing Disclosure: A notice of consumers' right, under California Civil Code section 1798.83, to request and receive a copy of a company's Information-Sharing Disclosure or a cost-free means of preventing such information sharing (see Customer Choice Notice). It includes the mailing address, e-mail address, toll-free telephone number or toll-free fax number to which customers may submit a request for a company's Information-Sharing Disclosure.

Recommendations on the California Information-Sharing Disclosure

Provide your Information-Sharing Disclosure promptly.

• Respond to a customer's request for an Information-Sharing Disclosure as soon as possible after receiving it, and no later than 30 days after a request made to the contact point designated in the Notice of Information-Sharing Disclosure.16

Make your Information-Sharing Disclosure specific and comprehensive.

• List all categories of customer personal information that you disclosed, during the past calendar year, to other companies17 for their direct marketing purposes.

Consider giving examples of the types of personal information in a category. For example: contact information, such as name, mailing address, phone number and e-mail address; financial information, such as billing address, banking information and credit card information; and profile information, such as interests, marital status, gender, age, or household income level.

Scenario: Acme Widgets collects personal information from its customers in the following categories: Contact Information, including name, mailing address, and e-mail address; and Billing Information, including credit card account number and billing address. In 2004 Acme Widgets disclosed its customers' Contact In-
