Is Your Small Business Privacy Friendly?
 By B.J. Addington

Information is power. That’s why all good businesses collect information about their customers. The information tells you about customer preferences, and it helps you find other customers like them who are likely to have the same desires. That’s just good marketing.

But what’s good for your business isn’t always viewed as favorable by your customers. Indeed, a major credit bureau was found in violation of the law for using information from credit reports for direct marketing purposes.

Drawing on good, useful customer information while protecting the privacy of the same customers can be a delicate balancing act. That’s where a privacy policy can help.

To create your company’s privacy policy, first take inventory:

• What private information do you collect now?

• How do you collect information?

• How do you store it?

• Who has access to it?

• Who controls it?

• And perhaps most important of all, is it shared with third parties in any way?

Next, to determine what laws and regulations apply to your information gathering. There is no single federal agency that oversees privacy issues. Information held by third parties (such as financial records) is not generally governed by federal privacy laws.

But there are specific privacy regulations for particular industries, such as the Health Insurance Portability and Accountability Act of 1996 for healthcare and the Gramm-Leach-Bliley Act for financial matters. The Federal Trade Commission oversees and enforces laws regarding consumer credit information and fair trading practices.

As you can see, laws governing privacy are a patchwork of sometimes overlapping regulations that vary by industry and from state to state. But all 50 states recognize invasion of privacy as an actionable civil offense.

To determine what privacy laws your business must comply with, start by contacting whatever government licensing agencies oversee your particular industry. From there, check with your trade association, the chamber of commerce and of course ultimately an attorney specializing in your industry. Don’t forget to also consult your trade or professional association’s code of ethics.

After you have determined what you collect, how you use it and whether you share it, then you can compare those facts to the applicable laws, regulations and canons.

A good rule of thumb is to be as open with your privacy policy as you are circumspect with the information it protects. No two privacy policies are likely to be identical, but yours should incorporate these features:

• If you collect Social Security numbers, explain why it’s necessary.

• Explain the reason for collecting any other personal information you gather.

• If any information you gather is to be shared with a third party, be upfront about it and permit your customer a reasonable means of opting out.

• Always permit customers to opt out of providing information of any kind in the first place, regardless of whether you intend to share it.

• Always explain how information will be used when it is collected in surveys and questionnaires.

• Put your customers at ease by explaining the safeguards that you employ in collecting and storing their information.

• Be transparent in explaining the purposes and uses to which the information will be put.

• Permit customers to have access to whatever personal data you collect about them, allowing them to challenge and correct errors.

These points can form the heart of your written privacy policy. The policy should not only protect customers’ privacy, but also put customers at ease. For that reason, make your written privacy policy available. Tout it as an advantage to doing business with your company. And before writing anything in stone, consult an attorney to review or draft your finished policy.

Finally, live up to what your policy promises. Make it part of new employee orientation so everyone in the organization operates in conformance.


(Posted September 2005)

>>Back to Owner's Manual