The lesson of Facebook: Even small businesses need privacy policies

Following the Facebook data debacle, the social media giant announced in April that it was updating its policy to better spell out what data it collects and how it uses it in Facebook, Instagram, Messenger and other products.

For many companies, this type of information is outlined in a privacy policy, which can be found via a link at the bottom of most major websites.

But many small businesses would also be best served by creating a privacy policy outlining the type of information they collect and how  they use and share it. If they already have a policy, it's a good time to review it to see if it requires updates.

“Developing an accurate and well-drafted privacy policy could reassure customers that the business uses their information responsibly,” says attorney John DeMaro, a partner at Ruskin Moscou Faltischek in Uniondale involved in  intellectual property, cybersecurity and data privacy. 

It’s especially important if you collect any kind of personal  information from customers, he says.

If you fall into this category, you should sit down with relevant people in your company and find out what data you're collecting and what you’re using it for, he says. This will help ensure you’re making the proper disclosures.

It’s not recommended to just pull a generic privacy policy template, but rather to customize your own, says DeMaro, noting the policy would need to be updated if any conditions change.

“If your privacy policy doesn’t match what you’re doing and what data you’re collecting, then it’s not going to work,” he says.

Lydia de la Torre, a privacy law fellow at Santa Clara University School of Law, agreed: “You really need to understand your practices before you write your policy because if you don’t, you might not describe them correctly.”

You also have to make sure you’re not running afoul of any laws.

“Because of the cross-border nature of the internet, there’s a good chance you’ll run into some other jurisdiction’s law,” says Mark Grabowski, a communications professor specializing in internet law at Adelphi University in Garden City.

For instance, if you’re doing business with customers in California, the California Online Privacy Protection Act requires commercial websites and online services to post a privacy policy, he says.

In addition, certain highly regulated industries like health care and banking have separate laws governing privacy and data collection, he says.

Beyond that, companies should decide whether they will use a "browsewrap" agreement (ie., a small hyperlink at the bottom of a website that users can click to see the privacy policy) or a "clickwrap" agreement (a box appears where the user must click a button agreeing to terms of service, privacy policy, etc., in order to move forward on the site), Grabowski says.

A clickwrap agreement is generally more enforceable in court.

“It’s difficult for a business to enforce any terms if the user didn’t agree to them,” says Pedram Tabibi, an attorney at Meltzer, Lippe, Goldstein & Breitstone in Mineola.

Usually when he drafts a privacy policy for a client, he also drafts terms of service.  They generally include what you can and cannot do on a website, while a privacy policy outlines the type of information you collect from visitors to the site, what your company does with that information, how you retain the information, and whether you disclose that information to third parties for certain purposes, Tabibi says.

It should contain the proper disclosures but also be clearly laid out, considering that many of these policies can be hard for the average consumer to understand, he says. When Facebook revised its policy, it made the language clearer.

“I think one lesson perhaps here is maybe that there’s a need for these policies to be a little more plain English and more straightforward on what’s being done with your information,”  Tabibi says.