THE PRIVACY AUDIT CHECK LIST
IVAN HOFFMAN, B.A., J.D.
If you own, operate, host, design or build web sites, you are potentially at legal risk if those web sites are operated in a manner that violates the ever-growing body of law dealing with privacy policies or the lack thereof. There are a number of articles on my site under the link “Articles About Privacy” that deal with some of these issues, and the reader is strongly encouraged to read those articles. This article is intended merely as a check list of those and other issues that sites must be aware of if they are to try to stay out of legal trouble. This article is limited to privacy issues as they pertain to the Internet and the operation of web sites, and it deals primarily with the legal and business issues related to the same.
3. What sort of data is to be collected? Is it limited to merely a collection of email addresses, or does the data include “cookies” and other information? What is the mechanism for a party either opting in or opting out of the pool of information? Is that mechanism followed with care, especially with regard to opt-out procedures? Many of the laws being proposed focus on the mailer removing the names of those who opt out at the first request.
4. From whom is the data to be collected? Are “children” actual or potential visitors to the site? The most important area in which privacy policies are required relates to sites that fall within the scope of the Children’s Online Privacy Protection Act (COPPA), and compliance with the intricacies of that act is essential. What methods are in place for obtaining the necessary “verifiable parental consent?” The penalties are severe for failure to so comply. There are other laws regulating privacy issues such as health information, financial information and student data collected by schools, among others.
5. How is the data to be used internally? How is the data stored? Who has access to that data? What procedures are in place to prevent a party with access from taking that data when he or she leaves the organization? Are there appropriate non-disclosure, non-compete and confidentiality agreements in place?
6. Is the information sold or leased to third parties? In your licenses, are the issues related to ownership of the data and rights to use the data covered with particularity? Is any of the data considered confidential, such as customer lists in the offline world? Are there appropriate non-disclosure, non-compete and confidentiality agreements in place? What are the other rights and duties of the licensee with regard to the data, including the obligation to delete the data of parties who have provided the same but now wish to “opt out?”
© 2001 Ivan Hoffman