I've written loads of privacy statements and have probably reviewed five times as many since I started practicing privacy law. One of the first things that the writer of a privacy statement has to ask is, "who is the intended audience?" "Our customers" is invariably the reply. That's a start and gets you part-way there. I've found that not many people read privacy statements. Most are aware they exist, but don't care.

The main audience for privacy statements is almost always a subset of your customers: those who are privacy aware, those who have a specific question and those who are really upset about something. There's a secondary audience, too: regulators (such as the privacy commissioner), privacy activists and journalists who are looking for a "gotcha!". Writers of privacy statements need to keep this in mind.

Your privacy statement may make your lawyer happy and may be legally correct, but writing it in legalese and burying important provisions in the text are actually counter-productive. Nobody in your intended audience appreciate this and doing so actually undermines whatever good stuff may be in your policy.

From time to time, journalists and columnists read the privacy policies from the companies with whom they deal and are often surprised with what they find. That certainly was the case with Nicole Brodeur of the Seattle Times, who took a gander at the Starbucks privacy policy and wrote a column for today's paper:

The Seattle Times: Local News: Your life is theirs to share:

Thought you were just getting a happy holiday Peppermint Mocha from Starbucks?

If you paid for it with a Starbucks card, you weren't so much warming yourself up as opening yourself up to a world where your personal information is traded like animal skins. After years of surfing, searching and shopping online, I took the time to read the coffee company's just-revised privacy policy, which opens by stressing the company's "foundation of trust."

A later paragraph made me wonder: "Unless permitted by law, no personal information is collected, without first obtaining your consent for the collection, use and sharing of that information."

Fine, but read on: "The provision of personal information to Starbucks means that you agree and consent that we may collect, use, and share your personal information in accordance with this privacy policy."

In other words, the simple act of giving personal information is implied consent for Starbucks to share that information with its "consultants, strategic partners, agents, distributors, suppliers, contractors and other companies," as well as third-party, credit-card processors, mailing houses, Web hosts and e-mail vendors.

That's a lot of people to share a couple of pounds of Christmas Blend with, isn't it?

Indeed, Starbucks is as connected as Santa. The company sees where you are surfing. It knows when you're online. It knows just what you bought for whom, so be patient as you try to "opt out." ...

The "problematic" paragraph in the policy reads:

Our website may also share information with companies that provide support services to us (such as credit card processors, mailing houses or web hosts) or that help us market our products and services (such as email vendors). These companies may need information about you in order to perform their functions. These companies are not authorized to use the information we share with them for any other purpose.

Frankly, all of this "sharing" of information is entirely reasonable (if you pay with Visa, that transaction won't process itself and Starbucks ain't your bank), but you can easily see how an upset customer or someone looking make a story can read this paragraph to suggest they throw your personal information to the four winds.

If you have the task in your organization of writing or updating your privacy statement, be very aware of who will be reading it and how it can be interpreted.

Labels: information breaches