Federal Trade Commission will begin enforcing its Red Flags Rule December 3, 2010

October 19, 2010

BBB Advice: Writing a Privacy and Identity Theft Policy

Online privacy policies have garnered a lot of attention as social networking sites and search engines have come under fire for sharing user information. As a result, the Federal Trade Commission (FTC) has created the Red Flags Rule, which will require many businesses and organizations to implement a written Identity Theft Prevention Program. The goal of these rules is to detect the warning signs, or red flags, of identity theft in daily operations.

Even if you think your business is too small to have a written policy, your BBB advises that it is to your benefit to have a comprehensive policy - you may be required to do so. You can find out by going to ftc.gov/redflagsrule.

In the meantime, your BBB recommends using simple language to help you answer the following five questions:

  • What information do you collect? - Outline the types of personal information you collect from customers. This includes home address, e-mail, phone numbers and credit card numbers.
  • How do you collect the information? - Websites collect information from customers in many different ways. Even if you don’t actually sell goods through a website, you might have an e-mail sign-up for a newsletter, an application for credit, or cookies installed on the visitor’s computer to track their activities. Disclose how data is being collected to show you have nothing to hide.
  • How do you use the information? - Explain how you share customer information with third parties, such as when you process orders. If you sell customer information to marketers, explain what information is sold and how it could be used.
  • What control does the customer have over their personal information? - Customers need a way to contact your business and control their personal data, whether it’s changing a password on their account or taking their name off of a mailing list. Provide reliable contact information so consumers can manage their information.
  • How do you protect the information? - Explain how you protect customer data including website encryption, limiting employee access to sensitive customer data and server security.

There is no cookie-cutter privacy policy. Your business is unique and that must be reflected in your privacy policy. Seek legal guidance before you finalize your policy. You are legally liable if you fail to abide by your privacy policy statement or if the statement does not comply with local and national laws.

As your business changes, so should your privacy policy. Plan to revise your policy as your web activities evolve and alert customers when you make revisions affecting their personal data.