Privacy Policies and “Data Sharing” Agreements
By Eric Goldman, Esq.
Cooley Godward LLP, Palo Alto, CA
1. Why Do Privacy Policies?
· Make users feel comfortable using the system.
· Marketplace differentiation.
· Legal compulsion?
2. Step 1: Site Analysis.
· Look for data collection points.
· Look for existing language regarding information use and disclosure.
3. Step 2: Other Due Diligence
· Identify agreements whereby data is provided to third parties.
· Review ISP agreements.
· Review agreements where a third party restricts information collection, use or disclosure.
· Review other ways in which information is used or disclosed.
4. Step 3: Consider third party validation services.
5. Step 4: Review issues related to children.
· KidsCom.
· GeoCities.
· HR 3783 (“Child Online Protection Act”), Title I [“CDA II”/47 USC 231(d)].
· HR 3783 (“Child Online Protection Act”), Title II (“Children’s Online Privacy Protection”).
· Watch out for collecting information about age.
6. Step 5: Review issues related to the European Union Data Privacy Directive.
· Is the organization physically in Europe?
· Should the organization comply even if it is not?
· Transborder data flows.
7. Step 6: Review reasons why undesired disclosure may occur.
· Hacking.
· Rogue employees.
· Social engineering.
· ECPA.
· Child Protection and Sexual Predator Punishment Act.
· Voluntary disclosure in civil proceeding.
8. Step 7: Consider the contract formation process. Options include:
· Mandatory clickthrough.
· Legend on every page, with incorporation by reference.
· Link in navigation bar or frame only.
· With respect to existing users, email.
9. Step 8: Consider amendment process. Options include:
· Mandatory clickthrough.
· Email with new policy.
· Announcement of new policy at same URL; burden on the user to check.
· Amend on an opt-in basis only.
10. Step 9: Draft and Deploy.
· Draft policy.
· Confirm it is accurate.
· Obtain third party validation if desired.
· Segregate databases (if applicable).
· Remove contrary references from the site.
· Post the policy onto the site.
· Establish procedure for handling site changes.
11. Threats to User Data in Online Arrangements.
· Loss of trade secret status.
· Loss of competitive advantage—loss of control over demographic information.
· Loss of competitive advantage—competitors can target your core customers.
12. Drafting “Data Sharing” Clauses.
· Avoid Joint Ownership clauses.
· Restrict disclosure of personally identifiable information.
· Restrict disclosure of aggregated information about your users.
· Restrict use of personally identifiable information to target users.
· Watch out for restricting information in legacy databases.
· Impose efforts to prevent inadvertent disclosure.
About the Speaker: Eric Goldman (formerly Eric Schlachter) is an attorney practicing
cyberspace law with Cooley Godward LLP, Palo Alto, CA. He also is an adjunct professor of
Cyberspace Law at Santa Clara University School of Law. Cooley Godward’s web page is located at
http://www.cooley.com, and Eric’s personal home page is located at
http://members.theglobe.com/ericgoldman/.
Eric can be reached at goldmane@cooley.com.