Tel 800.661.2530 |
3 ‘PRIVACY’ Takeaways from the Google Buzz FTC Settlement in March 2011
As you may have heard, Google settled with the Federal Trade Commission regarding its rollout of Google Buzz and its alleged privacy violations during that rollout. There are a few SAAS privacy or software privacy tips here, so I have tried to outline/simplify them for you.
1) It is All About DEFAULT Privacy Settings. Think about it this way, if you add a new feature to your SAAS service where you connect customers/people/partners, etc. who submitted information subject to your privacy policy, you need to think about whether this feature is by default on or off (open or closed, enabled or disabled . . . you get the idea). I generally think that you should turn these off initially, and then educate your customers why they may want to use that new feature (i.e. it should be their choice). Well, Google got this wrong and opened up Buzz to gmail's contacts by default, and caused all kind of issues.
2) What Google Learned About its Privacy Policy (and you should know). Most privacy policies state that information subject to the policy will not be used for a purpose other than for the purpose for which the information was disclosed (translated into English, if a customer provides a company registration data then the data should only be used for registration purposes, without that customer's consent). Read your policy, because it may say something like this. If it does, make sure you know what it means, before the FTC comes a calling.
Here is the actual text from the Google Privacy Policy.
3) Appoint Someone in Charge. I bet you this privacy blunder occurred at Google, as the left hand did not know what the right hand was doing (i.e. their in-house privacy attorneys were probably not aware of the details of the Buzz rollout). You really don't have that excuse, as unless you are a super large company this mis-communication should not happen. For a SAAS or software company, even if you don't have an in-house attorney (which of course most don't), you can appoint someone to be in charge of your privacy policy, which can really help to ensure you are complying with it. Maybe someone in the marketing department?
As you can see this is not that hard, but at least learn the basics of what is going on in the privacy regulatory world, as a simple change of default settings (opt in or out) can cause the Federal Trade Commission to take action against you (not a good thing).
Resources.
Disclaimer: This post is for informational and educational purposes only, and is not legal advice. Hire an attorney if you need legal advice.
If Google Can Do It, Why Can’t You!
Why aren’t your policies written so they can be easily consumed by your customers and employees? Look, if Google, one of the largest and most sophisticated technology companies in the world can simplify their policies (in this case their Privacy Policy) then why can’t you (see this post by their Associate General Counsel regarding updating their Privacy Policy and Making it Simpler). Yes you read it right, Google’s lawyers are trying to make their Privacy Policy easy to read, transparent and simple.
So let’s brainstorm.
What policies can you simplify today? Privacy Policy, Customer Support Policy, Licensing Policies, HR Policies, Sales Policies……keep thinking of more as you probably have others.
The key thing to remember is it can be done, but you have to ask for it (maybe demand it) from your attorneys (it does not come naturally to most attorneys) or whoever is drafting these polices.
Think…. bullet points, highlighting, short sentences, bold, plain English, Icons, FAQ, etc. (Google did).
The big guys are doing this and maybe you should too!
Disclaimer: This is provided for educational and informational purposes only, and is not legal advice. Talk to your attorney for legal advice, as they should consider the pertinent facts and applicable law before providing any advice.
3 Privacy Tips for a Software or SAAS Company (Courtesy of the US Supreme Court in 2010)
Well, while the US Supreme Court in its decision in the case of City of Ontario vs. Quon (June 17, 2010)–an employee privacy expectation case (actually, a sexting case involving a SWAT officer)–intentionally tried not to provide a lot of specific guidance, there are some take aways.
1) Computer/Technology Usage Policies Matter. The US Supreme Court seemed to make a big deal about the fact that that the computer policy in this situation was clearly communicated, as were changes to the policy (i.e. its applicability to text messages). Note to Self: Create policy and make sure we communicate material changes to all employees.
2) Intent of the Search Matters. In this instance, the employer initially performed the search to see if there was excessive use by the employee of the employer owned device (pager), as the employee was footing part of the bill. The court seemed to like the fact that the initial intent was related to the proper allocation of expenses between the employee and the government, so why the search is being performed is a big deal. Note to Self: Make sure that we have the right people involved in deciding on when and how to perform any type of employee data search (i.e. so that the search is performed for the right reasons and in the right way).
3) Managers Shouldn't Try to Change Written Company Policies. While you probably knew the general principle that managers should not change written policies–and most written policies actually state this–this was a huge issue in the case (in fact there would not have been a case if it were not for the allegation that the supervisor changed the written policy). At least the Supremes got this right, as they did not take the bait that the supervisor changed the policy. Note to Self: Remind HR to tell all mangers that if there is a question about our written policies, they should contact HR and not try to interpret the policy themselves.
Look I can go into a lot more detail (trust me) and give you a much longer list, but if you can remember these 3 takeaways you are dong great. Give yourself some credit, as this is not one of the most exciting topics for any Software or SAAS business. However, you need to know at least the basics of the US Supreme Court's view of employee privacy in 2010.
Legal Disclaimer: This is for informational and educational purposes only, and is not intended to constitute legal advice.
CONNECT WITH ME
