"Every business should protect Personally Identifiable Information (PII)," says
S. Jenell Trigg, chair of the New Technology and Media Practice Group at Washington, D.C.-based law firm Lerman Senter.
PII is any customer information that a business collects, such as a customer's name, home address, phone number, e-mail address, or Social Security number. Trigg says privacy policies are especially important for online businesses because information is easier to collect and can be abused more readily.
1. Decide how long you will keep customer information.
McNabb recommends businesses disclose how long they will keep information in their policy. For sensitive information, such as credit card numbers, data breach notification laws in many states require businesses to contact consumers and state regulatory agencies if computer systems are hacked or disrupted. The longer you hold on to customer data, the greater the risk that consumer information will be compromised.
2. Make your policy easy to read.
Privacy policies used to be lengthy and hard to understand. Trigg notes that companies are now encouraged to provide shorter, concise, user-friendly privacy policies that describe what information is gathered and whether it's shared with other companies.
3. Craft clear and conspicuous disclosures.
4. Don't copy another company's policy.
5. Consider hiring an expert.
Lawyers specializing in privacy and data security know the law in various jurisdictions and have experience advising clients, from small to large businesses, regarding privacy matters.
6. Look for resources to help develop your policy.
In addition to seeking out professional guidance, look to the "best practices" handbooks that many states provide on state government websites. The FTC recently released a list of recommendations to businesses and advertisers, such as providing easy-to-read consumer disclosures and obtaining user consent before collecting sensitive information.