Council of Better Business Bureaus ®
Part 3: Keeping Privacy in Mind as You Grow Your Business

In Parts 1 and 2, we offered tips on reviewing and retooling your privacy policy and internal privacy practices. This final post highlights the privacy implications of activities your small business may engage in as it expands its reach—hosting online ads, expanding overseas, and launching a mobile app. We’ll identify some steps you can take to avoid privacy pitfalls as you take your business to the next level.

Hosting Interest-Based Ads

Like many small businesses, you may be looking to online advertising to generate revenue. Be aware that if your website allows ad networks to serve interest-based ads, sometimes called targeted ads or online behavioral ads, or to collect data for use in this type of advertising, it is subject to the Self-Regulatory Principles for Online Behavioral Advertising. These Principles are enforced by the Online Interest-Based Advertising Accountability Program, operated by the Council of Better Business Bureaus (CBBB) as an independent agent for the Digital Advertising Alliance (DAA).

The Principles require that consumers receive enhanced notice and choice when served ads based on their interests as inferred from their Web browsing activity. Ad networks usually provide enhanced notice of this type of advertising by placing a distinctive icon, the Advertising Options Icon, inside or near an interest-based ad. By clicking on the icon, consumers are taken to a site with information on online behavioral advertising and are given the option to opt out of receiving targeted ads. If the ad network does not place the icon, the website operator must place a direct link to the opt-out page (separate from the main website privacy policy link) on the pages of the website where the ads are served or the advertising data collection occurs. The CBBB Accountability Program published a Compliance Warning in October 2013 stating that it will step up enforcement of the Principles’ enhanced notice requirements for website operators beginning January 1, 2014.

For more information on how to comply with the Principles, visit the website of the Digital Advertising Alliance.

Selling Internationally

If your website collects personal data from overseas consumers or business partners, be aware that multiple privacy laws may apply to the processing of that data. Pay particular attention to the data requirements of the European Union (EU) and Switzerland, which prohibit the transfer of their citizens’ personal data to countries, including the United States, that do not meet EU and Swiss “adequacy” standards for privacy protection.

To assist US businesses in bridging this privacy divide, the US Department of Commerce, the European Commission and the Swiss Data Privacy Commissioner created the US-EU and US-Swiss Safe Harbor Frameworks. The Safe Harbor program enables U.S. businesses to receive EU and Swiss consumer data after self-certifying to the Commerce Department their compliance with seven Safe Harbor Privacy Principles. Most US businesses regulated by the Federal Trade Commission are eligible for this program. To get the benefits of Safe Harbor membership, you must:

  • Review your business’s privacy practices and verify their compliance with the Safe Harbor Privacy Principles. Verification can be done as a self-assessment or performed by a third party.
  • Develop a Safe Harbor-compliant privacy policy to display on your website after self-certification.
  • Identify an independent dispute resolution mechanism that offers low-cost and accessible privacy complaint handling for European citizens whose data you collect. BBB EU Safe Harbor, a program operated by the CBBB, offers this service and can help you with self-certification. Other providers are listed on the Department of Commerce website.
  • Complete the online self-certification form on the Commerce Department website.

Moving to Mobile

Perhaps you’re considering deploying a mobile app to enable customers to use your services on the go. For many apps, full functionality may rely on collecting geolocation, contact lists and other personal data from the user’s mobile device. Before launching an app, you should be asking several questions:

  • What data must this app collect to function as I want it to?
  • Should I notify users before collecting data?
  • Am I protected if I tell my users what data I’m collecting and how I’m using it, or is any data legally off limits?
  • What laws may apply to this data collection?

Fortunately, guidance is available. California has published a privacy toolkit to enable app developers, mobile platform providers and networks to work together to promote consumer privacy. If you are doing business with California consumers, be aware that California law specifically requires privacy policies for mobile apps.

The Federal Trade Commission published its own guidelines for mobile privacy best practices in February 2013, and has recently begun enforcing these standards. In December 2013, app maker Goldenshores Technologies settled FTC charges that it deceptively shared geolocation and device information with ad networks and others through its popular Brightest Flashlight app. The information was collected automatically as soon as users opened the app, before they could accept or refuse the terms of the privacy policy. The FTC settlement requires the company to obtain consumers’ affirmative express consent before collecting, using and sharing information.

Before implementing your app, make sure that you:

  • Have a privacy policy and make it easily accessible through the app stores.
  • Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information.
  • Coordinate and communicate with ad networks and other third parties that provide services for your app, such as analytics companies, so you can better understand their practices and, in turn, provide accurate disclosures to consumers about what information is collected and how it will be used.
  • Consider participating in self-regulatory programs, trade associations, and industry organizations, which can help you in crafting understandable short-form privacy disclosures.
  • Don’t forget about protecting the mobile data you collect: check out the FTC’s security guidelines for mobile app developers.

A Final Word: Stay Current and Stay Vigilant

If there’s one thing we know for certain about your privacy obligations today, it’s that they won’t be the same tomorrow. As technology evolves and lawmakers struggle to keep pace with new cyber threats, businesses must be mindful of the changing privacy landscape. Don’t let this information be the final word on privacy for your business – make a commitment to stay tuned in to the latest legal requirements and privacy best practices that affect your industry.