Privacy Policies - PeopleSmart

Digital technology has led to significant advancements in information sharing. While the Internet age has enhanced our access to information, it has also created privacy risks. The concept of "big data," for example, relies on the collection of millions or billions of records for statistical analysis and useful insights. As the costs of storing and transmitting data have decreased, it has become harder and harder to track who has data about you, and what they’re doing with it. This is why privacy policies are necessary: they protect the privacy rights of consumers and reduce the risk of fraud, misuse of personal information, and legal violations.

What is a privacy policy?

A privacy policy is a statement or document that outlines and discloses how an organization gathers, stores, manages, and discloses customer data. While many companies will copy-and-paste generic privacy policies that give them a wide range of discretion over how they could potentially use your data, a good privacy policy will give you a clear idea about exactly what information the company collects about you, and how it will be used. Because legal terminology around privacy can be complex and confusing at times, online communities like TOS;DR have been created, which assign ratings to companies based on the level of privacy they give you.

How do privacy policies impact my personal rights?

When you do business with a financial institution, interact with a website, receive treatment from a healthcare provider, or take classes at an educational institution, chances are good that you will be agreeing to some sort of privacy policy. In certain circumstances, like healthcare and education, your privacy rights are largely defined by law. In most other situations (e.g. visiting a website), a privacy policy is treated more like an agreement between you and the organization. Either way, a privacy policy is considered a legal document, and the FTC will take law enforcement action if a company violates its privacy promises. This is why it’s important to read privacy policies before providing personal information to a company. Otherwise, you may be unwittingly giving them permission to sell or otherwise distribute your data to third parties.

What does a good privacy policy look like?

While each privacy policy is going to be slightly different, the FTC, as the main enforcer of privacy policies in the US, has adopted a set of universal principles known as the Fair Information Practice Principles (FIPP) as an overarching guide:

  • Notice/Awareness: consumers should know what data is collected, who will get access to it, and whether the requested information is optional or required
  • Choice/Consent: consumers should have a choice in how their information is used for secondary purposes, e.g. opting out of receiving marketing emails after purchasing a product online
  • Access/Participation: consumers should know what information a company has about them, and be able to correct it as necessary
  • Integrity/Security: any customer data held by a company should be protected from unauthorized access
  • Enforcement/Redress: if customer data privacy is breached, the company should work towards fixing the problem and notifying affected customers as soon as possible

Do blogs and other social networking sites impact privacy expectations?

Any information that you publish via a blog, Facebook, Twitter, or other social media account could potentially be considered public, and thus not eligible for privacy protections. Recently, a federal judge ruled that Facebook posts that are only shared with a limited circle of friends are not considered public information. Still, there is no privacy policy to prevent your friends from re-publishing any information that you make available on your Facebook profile, so you should still be cautious about the nature of the information you post.

How does the government protect my privacy?

The Fourth Amendment to the Constitution is at the root of many privacy protections against unreasonable government intrusion into your private affairs. Unlike a corporation, the government can compel disclosure of your private information, so in general it must meet stricter standards before being given access to your data.

What is the Privacy Act of 1974?

The Privacy Act is a sort of privacy policy for the federal government: it governs the collection, storage, use and dissemination of personal information. While many government records are freely available to the public, the Privacy Act prohibits disclosure of personal information without written consent from the individual. In other words, your next-door neighbor can’t contact the IRS and get a copy of your tax return. However, this is not an absolute prohibition – the law does make limited exceptions for disseminating personal information in various circumstances, such as national security reasons.

How do states protect my privacy?

Many states have passed laws requiring that companies follow certain standards in their privacy policies. For example, California requires that all websites inform consumers whether or not they honor Do Not Track requests. In addition, California mandates that consumers must be able to see what personal data a business holds about them, and have it corrected as necessary. The exact privacy rights available to you will vary state by state.

What is the US-EU Safe Harbor?

In 1998, the European Union put stringent new privacy controls in place and restricted the export of data to non-EU countries that did not have similar data protection standards in place. The US and EU formally created a framework known as the US-EU Safe Harbor that allows American businesses to certify that they comply with EU privacy standards. Not only does this benefit companies that wish to do business with customers in the European Union, it also benefits US consumers who will receive stronger privacy protections than are currently available under US law.

Do employees have privacy rights?

In general, yes. Your employer cannot monitor the personal activities you engage in outside of work. However, your employer has the right to monitor all company property, computers, and networks without giving you prior notice. If you check your Facebook or personal email account from a work computer, it is not considered a breach of your privacy if your company monitors that activity. Likewise, if you bring a personal laptop to work but connect to the company Wi-Fi network, your employer has the right to track any data sent and received over their network. Employers may enact stricter privacy policies at their discretion (e.g. a policy that emails marked "confidential" will not be monitored), but they are not required to do so by law.

Employers may also monitor employee phone calls, with one exception: as soon as it is apparent that a call is personal in nature, the company must stop monitoring it immediately. However, if the employee has been warned to stop making too many personal calls while at work, the employer has some leeway for monitoring.

Certain data, such as personnel files and medical information, must be kept confidential by the Human Resources department. When in doubt about what information will be kept private and what may be monitored, you should talk to your HR representative.