Privacy Policies and Consumer Protection

    With more and more games being provided online and through websites as opposed to the old brick-and-mortar model, consumer privacy protection is an ever-evolving issue. When you develop a game or product that collects data from the user, it is important to take that user's privacy into consideration. To that end, you may ask yourself whether you need a privacy policy and what you need to do to comply with consumer protection laws or industry standards. In this entry I'll cover some of the legal issues that are relevant to user privacy and your obligations as a developer or website designer.

    Consumer Protection and Privacy

    In the U.S. consumer privacy is protected and enforced by the Federal Trade Commission (FTC). To protect consumer privacy the FTC relies on specific legislation such as COPPA and the Gramm-Leach-Bliley Act, as well as legislation governing false advertising and deceptive trade practices under Section 5 of the FTC Act. Most businesses are not legally obligated to protect user privacy unless they promise to do so (via a privacy policy). There are exceptions: financial institutions, websites and businesses that collect medical data subject to HIPAA regulations, and websites, games or businesses that collect personal information from individuals under the age of 13 must comply with federal regulations by providing notice and complying with specific requirements under the law. In those cases notice in the form of a privacy policy is required. For the purpose of game development, perhaps the most relevant regulation is COPPA, which concerns data collection from children under the age of 13.

    The U.S. is more lax about consumer privacy and data collection than the EU. Under the EU Data Privacy Directive of 1995 EU signatories were required to implement laws and regulations in compliance with the directive. The Directive contains strict guidelines for consumer data collection. It also requires the registration of consumer databases with government agencies. If you live in the EU it is very likely that as a business you are required to handle user data in accordance with the Directive. You can find the full text here.
    The EU Directive can also apply to American companies that operate in the EU or exchange user information with EU companies. To that end, a US company must publish a privacy policy in order to be protected under the Directive's Safe Harbor for US companies.

    Do I Need a Privacy Policy?

    A privacy policy is a form of notice. It lets users know how their information will be used, shared, stored, and protected. While legally you may not be required to have a privacy policy, many businesses choose to use one for ethical or business reasons. Certification programs like eTrust are widely recognized, and many consumers won't share their personal or financial information without some kind of assurance that their privacy will be protected. This is especially true if you collect credit card or other financial information. From a business standpoint, a privacy policy may be conspicuous in its absence. While consumers may not read every line and verse of a privacy policy, they still expect to see one.

    What Does my Privacy Policy Need to Include?

    The most dangerous thing you can do when creating a privacy policy? Make a promise you don't intend or aren't able to keep. While you may not be required to protect user privacy by law, you are absolutely required to comply with your own privacy policy. Failing to do so will expose you to liability under the FTC's deceptive practices regulation. This is incidentally how most companies get into trouble—they promise to protect user data but then engage in data management that doesn't fulfill the promise made in the policy. For this same reason, it's important to keep your policy up to date.

    Bearing that in mind, below is what a functional privacy policy will include:

    1. Introduction—this includes the company name, the business you're engaged in, and special instructions (e.g. parental verification)

    2. Description of what information is being collected—if you have a user fill out a form, stating what information that form collects should be obvious. However, this also includes the personal information that is passively collected, such as information logged by your server or collected by a third-party program that is integrated into your site or game.

    3. Method of Collection—Explain how you're getting the information from the user, whether it be automated, passive, or via form.

    4. Description of the use of the information—how do you plan on using the information? Who has access to the information? Do you need to share this information with third parties, and if so, who? Are you going to sell this information to marketing or advertising firms? Honesty is the only policy here. If you need or want to share user information with third parties for any reason, you need to say so.

    5. Storage/Protection—this is another area where honesty is the only policy. If you decide to describe the technology by which you plan to store and protect user data, make sure you a) accurately describe that technology and b) update your policy whenever you change that method.

    6. Contact information—Give several options and make sure users are able to contact you to discuss their privacy. This includes e-mail, a phone number, etc.

    7. Compliance with regulations—you may be required to comply with federal or international regulations. If that's the case, you have to include everything those regulations require.

    Regulations and Regulation Compliance

    The Children's Online Privacy Protection Act

    COPPA pertains to websites and businesses directed to children that collect data from children under the age of 13. If your audience includes minors under 13 and you're collecting their e-mail, address, or other personal info, here's what you need to know:

    1. You must have a privacy policy. The policy must state a) what information is being collected, b) how that information will be used, and c) who will have access to that information (disclosure policy).

    2. You need a way to obtain verifiable parental consent. You have some options here:

        a) Provide a form that the parent can fill out and send;

        b) Require the parent to use a credit card in connection with a transaction;

        c) Provide a phone number where parents can call in their consent;

        d) Get consent via e-mail from the parent, provided the e-mail contains a digital signature.

    3. You need to provide a method by which parents can make requests concerning the child's personal information—this includes destroying that information or refraining from selling or sharing that information.

    You should carefully review the COPPA FAQ. Not only can it provide specific guidelines for compliance, but you may also be eligible for certain exceptions.

    State Laws That Require Privacy Policies

    California law requires that any website or operator who collects private information from California residents must provide a privacy policy if the user data is being sold or shared with third parties. The policy must also provide a method for opting out or full disclosure—i.e., something the consumer can send in to request that the information not be shared or, in the alternative, receive a list of the third parties who have purchased or received that consumer's personal info.

    The FTC provides a comprehensive guide for managing user data. This information will help you organize your own policies and best practices for consumer and employee data management.