Those “notices” that fall out of your credit card bills are there for a reason. Identity theft is a huge and growing criminal enterprise, and, unless we elect to live our lives outside of the internet, our personal information is always at risk. The US Department of Commerce has developed “safe harbor” practices that are used by many large companies, and they provide a good guideline for all online businesses. Here are some highlights:
- Give Users Notice. If you sell information, give users clear notice and the choice to opt out. Tell them why you are collecting information, how you will use it, how to contact you with questions or complaints, and the types of third parties to which you will transfer the information. Always give users a choice, and a way to limit your use or disclosure of their information. Use the information only for the purpose for which you collected it. Transmit it only to the “agent” you designate to handle users’ personal information under your instructions, and make sure that agent uses the information solely for you or on your behalf. Users should also know if your policy is not to sell their information.
- Give Users a Choice. If information will be used for any reason incompatible with the reason you collected it in the first place, make it quick and easy for users to “opt out” of the disclosure. If you gather or use “sensitive” information (including information about an individual’s medical or health condition, racial or ethnic origin, political opinions, religious or philosophical beliefs, or sexual preferences), make sure users actually and affirmatively “opt in” before the information is disclosed to a third party or used for a purpose other than the original business relationship.
- Keep It Safe. Take reasonable precautions to protect users’ personal information from loss, misuse and unauthorized access, disclosure and destruction.
- Keep It Honest. Do not use, handle or process personal information in any way that is incompatible with the original purpose for which you collected it.
- Keep It Accurate. Give users access to their personal information, and the ability to correct, amend, or delete that information where it is inaccurate.
- Comply and Enforce. Comply with your own policy! Enforce it. Verify your own compliance. Provide a resource for users affected by your non-compliance. Promptly investigate and resolve complaints, and offer users a remedy for consequences resulting from non-compliance.
– Lisa R. Aljian, Esq.