Shining the Flashlight on Privacy Notices

Privacy notices are under scrutiny, whether due to the new California “Do Not Track” disclosure requirements for web sites or the recent FTC settlement with a smartphone developer over a “Flashlight” application that collected and shared geo-location information without the customers’ consent. Today’s technologies make it more challenging to get and keep web privacy statements in sync with emerging consumer protection requirements. Privacy notices are a key part of any financial institution’s program, not only for compliance with privacy regulations, but for getting and keeping customers’ trust.

Recent media headlines make it challenging for organizations of all sizes to figure out the best method of achieving transparency in customer disclosures about privacy and information sharing, while still leveraging the benefits of technology to deliver valued functionality to their customers.

Here are my thoughts on a bit of the privacy discussion, with some ideas to consider in designing your privacy statements so that your privacy notice stays out of the spotlight:

Do Not Track Disclosures

California is a leading state advocate for privacy rights, having created the first “Shine the Light” focus on web privacy statements and disclosures. California has required that web sites or online services that collect PII about California residents post a privacy policy, identify its effective date, describe the categories of PII that are collected and the sharing practices, and provide notification of changes to the policy. In 2014, California expanded the web privacy statement requirements for its residents to require more explicit disclosures about how web sites respond to web browser “do not track” requests. The goal is to enable consumers to exercise choice about the collection of PII by online services or across third-party web sites. While this is a state requirement, in our borderless internet and digital marketplace it creates a new standard for electronic commerce. Transparency on options for online behavioral advertising and advertising network preferences is evolving from simple icons on the web site to being linked in practice to the web privacy statement.

Transparency for Location Information

Smartphones and social media have location tracking capabilities. They power some of the best apps and functionality that consumers like and value. However, location information can be highly personal, and its collection and sharing must be explicit and based on the consumer’s consent. Consumers understand location information when using GPS, or when sharing their location at the local restaurant in a Facebook post. Those are contextual uses, and consumers are getting familiar with apps asking, “Can we use your location information?”

The recent FTC case against a smartphone app developer brought to light a situation in which the average consumer would never realize that location information was being collected or shared; consumers were left in the dark. In this example, the consumers who used the “Flashlight” application did not realize that location data was being shared with third parties and advertising networks regardless of the preference the user conveyed when accepting the licensing agreement. The resulting settlement requires a “Just in Time” privacy disclosure that gives users explicit notice of what geo-location information is collected or used, and how, when, and where.

Third Party Sharing Considerations

Privacy disclosures have evolved since the early days of definition and enforcement of the key requirements driven by the Gramm-Leach-Bliley Act (GLB). While GLB created the basic foundation, the rules have evolved with each advancement in internet technology. Consumers can’t opt out of all information sharing; there are allowable exceptions. However, the language that describes those parameters can be misunderstood, or can come across as less than transparent. While the obvious privacy disclosures, such as third-party sharing for marketing purposes, are easier to identify, other uses of collection and sharing are more challenging. If your organization uses third parties to deliver functionality, be up front and transparent, and directly address customer concerns. Be up front about the limitations on the third party’s use of the information. GLB anticipated service provider relationships; that is an allowable sharing situation, especially for processing transactions the consumer has requested or authorized.

I’ve seen, in the rush to make a very restrictive privacy policy, that some financial institutions have put their organization in a corner, with limitations on using third parties even for marketing campaigns for the bank’s own products and services. Be careful about using language like “we never share data”: while your intent is to satisfy a customer concern, you may create greater liabilities if you do not consider your service provider relationships. If you use, or anticipate using, third parties for marketing your own products and services, make sure your privacy notice does not create a conflict. Ensure you clearly address the restrictions on that sharing and the limitations on the use of the information. Leveraging the model forms in your annual privacy notice is a good start, but consider increasing the frequency with which you update the web privacy statement.

Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.