This is the third article in a multi-article series by FireEye’s Chief Privacy Officer, Shane McGee, in which Shane explores six fundamental steps to building an effective privacy program. While there are many critical pieces to consider, Shane chose to highlight the following:
1. Give Privacy a Voice
2. Follow the Data
3. Communicate Clearly, Carefully and Candidly
4. Become Part of the Process
5. Build a Culture of Privacy
6. Rinse and Repeat
Communicate Clearly, Carefully and Candidly
In the first article of this series, I wrote that privacy professionals could, at one point, boil best practices down to a single phrase: “say what you do and do what you say.” While privacy regulation and best practices have evolved to become more complex than can be captured in a simple adage, this concept still represents a necessary part of any privacy program. Stated another way, a good privacy program requires a company to set (“say what you do”) and meet (“do what you say”) its customers’ expectations with respect to the way it collects, stores, uses and shares data.
Being candid is another seemingly obvious piece of advice, though one that companies frequently ignore. The FTC is tasked with protecting consumers in the U.S., and the vast majority of its privacy-related investigations and settlements are based on its jurisdiction to police ‘deceptive’ trade practices. The large number of settlements negotiated by the FTC for those deceptive practices demonstrates that it is common for companies to say one thing and do another. It can be an expensive mistake – Google paid $22.5 million to settle FTC charges that it misrepresented privacy promises to users of Apple's Safari browser.
I should have added another word to the title: consistently. After all, publishing differing messages on privacy doesn’t set expectations with customers – it confuses them. Moreover, from a strictly legal perspective, if a company publishes different privacy policies, a plaintiff or regulator can cherry-pick the message that supports his or her position and use it against the company. As I indicated in my first article, the best way to avoid these problems and to promote a consistent message is to make certain your company has a single voice when it comes to privacy issues.
Setting expectations is a key to success in many endeavors, and privacy is no different. Make certain you’re setting those expectations appropriately by ensuring that your privacy message is clear, carefully drafted, consistent and candid.