Despite these concerns, many companies’ policies are seemingly insufficient. A recent opinion piece published as part of the New York Times’ Privacy Project assessed 150 privacy policies from various companies and found that the vast majority of them were incomprehensible for the average person. At best, these seem to have been “created by lawyers, for lawyers” rather than as a tool for consumers to understand a company’s practices.
- The types of data your site or application will be collecting, which may include, for example, personal data (e.g., name, address, email address, telephone number, credit card information), geolocation data, information about user hardware and software, and other logged data such as IP addresses;
- Why the information is needed and by whom (your entity, regulators, other third parties);
- Details about the methods used for collecting data (e.g., via forms, original referrers, automatic collection);
- How the information will ultimately be used (e.g., shared with or sold to third parties, or used solely to optimize the site or application for users); and
- Where and how the information will be stored, as well as comprehensible details regarding your company’s procedures and means to protect personal information.
In this Part 1 of our Contract Corner on Privacy Policies, we have provided an overview of the legal background impacting privacy policies and general items to be covered in an up-to-date policy. In Part 2 of this Contract Corner, we will provide specific pointers on drafting those policies.