Privacy Policy

A privacy policy is a statement or legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer’s or client’s data.[1] Personal information can be anything that can be used to identify an individual, including but not limited to the person’s name, address, date of birth, marital status, contact information, ID issue and expiry dates, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services.[2] In the case of a business, it is often a statement that declares a party’s policy on how it collects, stores, and releases the personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises.[3][4] Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific. The exact contents of a given privacy policy will depend upon the applicable law and may need to address requirements across geographical boundaries and legal jurisdictions. Most countries have their own legislation and guidelines on who is covered, what information can be collected, and what it can be used for. In general, data protection laws in Europe cover the private sector as well as the public sector. Their privacy laws apply not only to government operations but also to private enterprises and commercial transactions.

History

In 1995 the European Union (EU) introduced the Data Protection Directive[6] for its member states. As a result, many organizations doing business within the EU began to draft policies to comply with this Directive. In the same year, the U.S. Federal Trade Commission (FTC) published the Fair Information Principles,[7] which provided a set of non-binding governing principles for the commercial use of personal information. While not mandating policy, these principles provided guidance on the developing concerns of how to draft privacy policies. The United States does not have a specific federal regulation establishing universal implementation of privacy policies. Congress has, at times, considered comprehensive laws regulating the collection of information online, such as the Consumer Internet Privacy Enhancement Act[8] and the Online Privacy Protection Act of 2001,[9] but none have been enacted. In 2001, the FTC stated an express preference for “more law enforcement, not more laws”[10] and promoted continued focus on industry self-regulation. In many cases, the FTC enforces the terms of privacy policies as promises made to consumers, using the authority granted by Section 5 of the FTC Act, which prohibits unfair or deceptive marketing practices.[11] The FTC’s powers are statutorily restricted in some cases; for example, airlines are subject to the authority of the Federal Aviation Administration (FAA),[12] and cell phone carriers are subject to the authority of the Federal Communications Commission (FCC).[13] In some cases, private parties enforce the terms of privacy policies by filing class action lawsuits, which may result in settlements or judgments. However, such lawsuits are often not an option, due to arbitration clauses in the privacy policies or other terms of service agreements.[14]

Applicable law

United States

While no generally applicable law exists, some federal laws govern privacy policies in specific circumstances, such as:
  • The Children’s Online Privacy Protection Act (COPPA)[15] affects websites that knowingly collect information about, or are targeted at, children under the age of 13.[16] Any such websites must post a privacy policy and adhere to enumerated information-sharing restrictions.[17] COPPA includes a “safe harbor” provision to promote industry self-regulation.[18]
  • The Gramm-Leach-Bliley Act[19] requires institutions “significantly engaged”[20] in financial activities to give “clear, conspicuous, and accurate statements” of their information-sharing practices. The Act also restricts the use and sharing of financial information.[21]
  • The Health Insurance Portability and Accountability Act (HIPAA) privacy rules[22] require written notice of the privacy practices of health care services, and this requirement also applies if the health service is electronic.[23]
  • The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law.[24]
  • The California Privacy Rights Act of 2020 (CPRA) expands the privacy and information security obligations of most employers doing business in California.[25]
Some states have implemented more stringent regulations for privacy policies. The California Online Privacy Protection Act of 2003 – Business and Professions Code sections 22575-22579 requires “any commercial websites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site”.[26] Both Nebraska and Pennsylvania have laws treating misleading statements in privacy policies published on websites as deceptive or fraudulent business practices.[27]

European Union

The right to privacy is a highly developed area of law in Europe. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). Article 8 of the ECHR provides a right to respect for one’s “private and family life, his home and his correspondence”, subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.[30] In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Co-operation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data”.[31] The seven principles governing the OECD’s recommendations for protection of personal data were:
  1. Notice—data subjects should be given notice when their data is being collected;
  2. Purpose—data should only be used for the purpose stated and not for any other purposes;
  3. Consent—data should not be disclosed without the data subject’s consent;
  4. Security—collected data should be kept secure from any potential abuses;
  5. Disclosure—data subjects should be informed as to who is collecting their data;
  6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
  7. Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.[32]
The OECD guidelines, however, were nonbinding, and data privacy laws still varied widely across Europe. The US, while endorsing the OECD’s recommendations, did nothing to implement them within the United States.[32] However, all seven principles were incorporated into the EU Directive.[32] In 1995, the EU adopted the Data Protection Directive, which regulates the processing of personal data within the EU. There were significant differences between the EU data protection rules and the equivalent U.S. data privacy laws. These standards must be met not only by businesses operating in the EU but also by any organization that transfers personal information collected concerning a citizen of the EU. In 2001 the United States Department of Commerce worked to ensure legal compliance for US organizations under an opt-in Safe Harbor Program.[33] The FTC has approved a number of US providers to certify compliance with the US-EU Safe Harbor. Since 2010, Safe Harbor has been criticised, especially by German publicly appointed privacy protectors, because the FTC had not properly asserted the defined rules even after discrepancies were revealed.[34] Effective 25 May 2018, the Data Protection Directive was superseded by the General Data Protection Regulation (GDPR), which harmonizes privacy rules across all EU member states. GDPR imposes more stringent rules on the collection of personal information belonging to EU data subjects, including a requirement for privacy policies to be more concise, clearly worded, and transparent in their disclosure of any collection, processing, storage, or transfer of personally identifiable information. Data controllers must also provide the opportunity for their data to be made portable in a common format, and for it to be erased under certain circumstances.[35][36]