The importance of having a Privacy Policy has been frequently emphasized. However, simply having one is not enough: you need to make sure you stick to the terms of your policy.
The importance of adhering to your Privacy Policy was recently highlighted by the charges against the company Nomi Technologies.
Nomi provides brick-and-mortar retail outlets with a way to track their customers' mobile devices as they move around their respective stores. Retailers can then analyze the resulting data to better understand consumer behavior and interactions.
The charges against Nomi were that it had misled consumers by promising them in its Privacy Policy that they would have the ability to opt out of the tracking implemented by the company.
Nomi's Privacy Policy page stated that consumers would have the chance to opt out of the tracking either on Nomi's website or at the retail outlets:
Nomi pledges to always allow consumers to opt out of Nomi's service on its website, as well as at any retailer using Nomi's technology.
Nomi's policy also stated that consumers would receive notice of when they were being tracked in and around the participating retail outlets. However, the consumers never received notice or the chance to opt out of the tracking, so the company did not adhere to its own policy.
The Director of the FTC's Bureau of Consumer Protection, Jessica Rich, has emphasized the importance of adhering to your Privacy Policy:
It's vital that companies keep their privacy promises to consumers when working with emerging technologies, just as it is in any other context, ... if you tell a consumer that they will have choices about their privacy, you should make sure all of those choices are actually available to them.
Nomi's case is a stark example of the FTC's position that if a company offers an option for consumer control, it must be easily accessible and easy to use.
It's also notable from this case that the FTC is closely monitoring the collection and use of location data.
If you're a company or retailer that uses mobile location analytics, you should follow industry guidance such as the Mobile Location Analytics Code of Conduct issued by the Future of Privacy Forum.
As an operator of a mobile application or website, it's a legal requirement that you publish details of your data collection process, sharing and usage policies.
There are also specific terms, disclosures, and other items that must be included in your policy, as specified by applicable regulations.
You must stick to every guideline contained in your Privacy Policy. If you do not, you risk liability: regulatory action and private litigation.
Nomi's opt-out system is now clearly displayed on their website, with their main privacy principles boldly stated.
There are two different places on the website's legal page where a user can opt out. The first is a big and bright button right at the top of the page.
The second is a link.
A similarity can be drawn to the unsubscribe mechanisms in email marketing campaigns.
If you're a Device Operator, like Nomi, you could produce something similar so that there will be an easy way for your users to opt out. It's important for your users to know how to opt out, at all times.
The way email marketing campaigns allow their subscribers to opt out can differ a little in form, but they generally follow the same basic process. The emails usually contain a clear unsubscribe link which leads the user through the unsubscribe process.
Marks and Spencer's unsubscribe web form has a survey asking why the user wishes to opt out, but it also has a clear and simple opt-out link at the bottom.
Innocent provides their customers with the opportunity to opt out for a specified length of time or opt out straightaway.
Bed Bath & Beyond gives the user the chance to change the frequency of emails or simply opt out. The user must go through a further step of entering their email address.
Apple, by contrast, requires the user's email address to be entered twice to confirm an opt-out request from that user.
By having an easy-to-access and clear way for your users to opt out, you'll be ensuring that you comply with all regulations.
Both the positive changes Nomi has made and the email unsubscribe mechanisms are good examples of clear ways you can provide an opt-out method for your users.