Privacy notices are under scrutiny, whether due to the new California “Do Not Track” disclosure requirements for web sites or the recent FTC settlement with a smartphone developer over a “Flashlight” application that collected and shared geo-location information without the customers’ consent. Today’s technologies make it more challenging to get and keep web privacy statements in sync with emerging consumer protection requirements. Privacy notices are a key part of any financial institution’s program, not only for compliance with privacy regulations but also for gaining and keeping customers’ trust.
Recent media headlines make it challenging for organizations of all sizes to figure out the best method of achieving transparency in customer disclosures about privacy and information sharing, while still leveraging the benefits of technology to deliver valued functionality to their customers.
Here are my thoughts on a bit of the privacy discussion, with some ideas to consider in designing your privacy statements to keep your privacy notice out of the spotlight:
Do Not Track Disclosures
Transparency for Location Information
Smartphones and social media have location tracking capabilities. They power some of the best apps and functionality that consumers like and value. However, location information can be highly personal, and its collection and sharing need to be explicit and based on the consumer’s consent. Consumers understand location information when using GPS, or when sharing their location at the local restaurant in a Facebook post. Those are contextual uses, and consumers are getting familiar with apps asking “can we use your location information?”.
The recent FTC case against a smartphone app developer brought to light a situation in which the average consumer would never realize that location information was being collected or shared, leaving consumers in the dark. In this example, the consumers who used the “Flashlight” application did not realize that location data was being shared with third parties and advertising networks regardless of what preference the user conveyed in their acceptance of the licensing agreement. The resulting settlement requires a “Just in Time” privacy disclosure that gives users explicit notice of what, how, when, and where geo-location information is collected or used.
Third Party Sharing Considerations
Privacy disclosures have evolved since the early days of definition and enforcement of the key requirements driven by the Gramm-Leach-Bliley Act (GLB). While GLB created the basic foundation, the rules have evolved with each advancement in internet technology. Consumers can’t opt out of all information sharing – there are allowable exceptions. However, the language that describes those parameters can be misunderstood, or can come across as less than transparent. While the obvious privacy disclosures, such as third party sharing for marketing purposes, are easier to identify, other uses of collection and sharing are more challenging. If your organization uses third parties to deliver functionality, be up front and transparent, and directly address customer concerns. Be up front about the limitations on the third party’s use of the information. GLB anticipated service provider relationships – that’s an allowable sharing situation, especially for processing transactions the consumer has requested or authorized.
Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in the areas of eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Forward Banker