I’m going to guess that if you’re reading this blog, you’re likely already aware that under current US law there is no comprehensive Internet privacy protection scheme placing limits on the gathering and use of Americans’ personal data. Most Western nations have such statutes in place (including all the member states of the EU – and even Canada!), and I’ve little doubt that’s a boon to compliance officers mournfully tasked with keeping current on international policy and regulatory concerns. But apart from zeroing out your vacation hours before each legislative session, what can be done to ensure that your company’s Internet privacy practices continue to fall in line with the letter of the law?

Here are a few tips to make sure you don’t bloody your nose:

  • Follow any applicable state laws. (As a reminder to my fellow Texans, last year’s H.B. 300 goes into effect on 9/1/12 and makes substantial changes to our existing data breach notification law, which applies to all persons “conducting business in” Texas. The notification duty extends to anyone whose sensitive personal data was – or is even reasonably believed to have been – acquired by an unauthorized party, and, as you might expect, the penalties for failure to notify have also increased.)
  • Make no attempt to mislead, mischaracterize or otherwise deceive your Internet users regarding your collection and use of their data.
  • Implement and publish an adequate, understandable Internet privacy policy. Best practice dictates that you link to it from every page of your website.
  • Actually follow your privacy policy. (I know – it sounds so obvious… But, oh, the stories I could tell.)
  • Maintain awareness of, and compliance with, any additional rules and reporting obligations applicable to your specially regulated industry (e.g., the healthcare or financial industries).
  • Think of the children! There are incredibly strict regulations governing dealings with children under the age of 13. Familiarize yourself with the Children’s Online Privacy Protection Act, or COPPA (for pronunciation help, see: James Cagney), found at 15 U.S.C. §§ 6501–6506. Even if you’re not targeting children, you can still run afoul of COPPA, so it’s a good thing to keep in the back of your mind.
  • Finally, if you’re in an industry with a long list of competitors, take a look at their Internet privacy policies and ask how they differ from yours and why. In my experience, the content of any particular privacy policy can be read as a list of corporate missteps (or, for the very clever, anxieties), so take a look at what your contemporaries are doing and see if you can glean any insight (or joy) from their miseries.

There you have it. Subject to the above, you generally have freedom as to how you collect, store, buy, sell, use, pillage and exploit an individual’s personal data. As with any topic posted here, these thoughts reflect a snapshot in time, and you absolutely must continue to keep your ear to the ground for new legal developments at both the state and federal level. If you’ve ever wondered why “Compliance Officer” is a full-time job, there’s your answer.