The recently released reports from the U.S. Department of Commerce and the Federal Trade Commission have focused important and much-needed attention on privacy policies and legal compliance. Unfortunately, much of the substance is aspirational rather than immediately operational. So, with the benefit of our collective client experience, we offer the following “Naughty or Nice” Checklist to get your privacy disclosures and practices in good shape in the new year.

  1. Get serious about European Union directives and laws.
    1. Cross border data transfers – are you Safe Harbor certified or otherwise compliant? Is your certification backed up by real world auditable practices?
    2. If you have a large known base of EU users, do you have an immediate, ready response as to how you are meeting the seven Safe Harbor principles on the more controversial “hot button” practices (i.e., social networking privacy settings and applications, informed opt-in consent for cookies and online behavioral advertising)?
  2. Get smart about the new browser versions with “Do Not Track” features – how will consumer browsing, searching, shopping experiences be affected at your site? Do your online disclosures about the means to opt-out of cookies and tracking still make sense in light of these new features and versions?
  3. Do more to inform users about privacy practices! If anything is clear from the FTC’s enforcement and advocacy work in this area, it is this: your privacy policy is the starting point, not the endpoint, of transparency. Use email, pop-ups, privacy centers, and, for brick-and-mortar companies, in-person displays to educate and inform.
  4. Make your privacy disclosure interfaces attractive and simple: would a user of average sophistication (based upon your website analytics) be exposed to the four or five most important categories of data collection and use in some manner other than clicking on the master privacy policy at the bottom of the home page?
  5. Focus on the unexpected. What are you collecting that is not obvious from your online interfaces?
    1. Who else sees data (besides shippers and payment processors)?
    2. Are you combining online data with offline customer account data or third party aggregator data?
    3. Examine and describe behind-the-scenes tracking and how it is being monetized, if at all.
  6. Design your disclosures to create a body of analytics to support a claim that consumers are actually aware of the most important points, not merely ignoring an opportunity to become aware.
  7. For major e-commerce brands, test user interfaces and policies with actual users. You test your ads. The FTC expects to test whether you are getting your points across on privacy and data security as well!
  8. Know and act upon the differences between personally identifiable information (such as referring URL, search, or shopping histories) and personally identifying information (such as name, contact information, financial account data).
  9. Delete / destroy unneeded data. Now is the time to purge old data! Many a data breach involves outdated, and therefore unencrypted, account data that the client no longer needed as a business matter.
  10. The plaintiffs’ class action bar has “discovered” this area. Plan your motion to dismiss strategy right now – what are the risky areas of data collection/use/sharing, and how will you demonstrate consumer knowledge of and assent to these practices at the motion to dismiss stage?