Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
How To Kill A Company: Privacy Policies As Weapons Of Mass DestructionHow To Kill A Company: Privacy Policies As Weapons Of Mass Destruction
An intellectual property lawyer offers 12 ways to screw up your company by mishandling privacy policies. Of course, you can also ignore his suggestions and do just the opposite. But your company might succeed, and then where would you be?
7 Min Read
It used to be pretty easy to kill a company, especially a dot-com. Give it too much venture capital and watch it overdose. If the company survives the initial shock of the capital infusion, then you could stop the flow of the venture capital cold turkey; it would make the most delightful gurgling noises in withdrawal, especially when dead-pool tipsters start calculating the subsequent trajectory.
Since the dot-com bubble burst, it's a bit more difficult to kill a company, but not impossible. I'll let you in on a little secret: Privacy policies are absolutely delicious. You can do more damage to a company in a shorter period of time by using a privacy policy than you can by merely providing lousy service at high prices. Of course, privacy policies are not as damaging to a company as having the entire management team arrested for selling crack cocaine [1], but you can't have everything.
If you want to kill your company, try one or more of the following techniques:
Post a privacy policy when you don't need one. Not every Web site needs to post a privacy policy, so go ahead and post one anyway on your company's Web site. You needlessly limit your company's use of any data it collects from its Web site. Repeat after me: "We will not share our data with anyone else under any circumstances." There! You've foreclosed the company out of any business plan in which data is shared or sold, costing the company hundreds of thousands of dollars in potential revenue.
Don't post a privacy policy when you do need one. Privacy policies must be posted on Web sites under certain circumstances, such as when data is collected from children under 13 in the United States[2], or any personally-identifiable data is collected from Europeans by Web sites based in Europe [3]. If you don't post a privacy policy when the law says otherwise, you're sure to cost the company big time.
Lie to your users. Tell them whatever you think they want to hear. Then, when you get caught, the damage may be enough to put your company out of business [4].
Ignore free advice. Several Web sites provide information about privacy law and privacy policies [5] and even help you generate privacy policies at no charge [6]. Ignore these sites, because most of them have accurate information.
Ignore expensive advice. Call your attorney and get her advice. Pay the bill for that advice. Then, do the opposite of that advice. Not only have you spent the company's good money that could otherwise be used for an expensive rental car, but the company can no longer claim ignorance of privacy law; not that ignorance is a defense.
Get busted. Privacy certification providers, such as TrustE, CPA Web Trust, and BBBOnLine, charge for their certification services and can help you tailor a privacy policy to your business practices. Once you comply under the law for their certification, you should immediately do everything you can to have the certification publicly removed [7]. It will be humiliating, like those old movies in which a military officer rips the hard-earned decorations off the uniform of a soldier who has faltered.
Get the technology wrong. Tell your users that you don't store information in cookies when, in fact, you do. Most users don't know what cookies are, so there's no need to contact your MIS people when preparing the privacy policy.
Share data in new and innovative ways. Once you've lulled your users into thinking that their data won't be shared with anyone else, go ahead and trade it with another company for a couple of servers, some furniture, and a few pinball games. Don't worry, the users won't sue you and the Federal Trade Commission won't care. [8]
Go bankrupt, then sell your data. Toysmart.com pioneered this business plan. By going bankrupt, then offering to sell the personal data of its users (many of them children) in contravention of its privacy policy, Toysmart.com managed to beat itself up, even though it was an already-dead horse [9]. Masochists around the world are beating themselves up for not thinking of this strategy first.
Broadcast your customer's personal data as widely as possible. One pharmaceutical company managed to turn its discussion list of depressed patients into a "friends and family" promotion when it broadcast the E-mail addresses of all list subscribers to each list subscriber. Its privacy policy states that personal data--such as E-mail addresses--will not be shared with anyone else. This tactic was nearly as good as the pharmacy that shared its prescription database with a partner for promotional use. "I see that your doctor has prescribed Viagra for you; please accept the enclosed coupon for Depends."
Partner with someone who has read this article. Even if you don't understand all the tips and tricks to killing off a company, don't worry. Plenty of people can implement all of these tricks, often without understanding them. It's much easier to have someone else do your dirty work, so you can just outsource it.
Be someone who has read this article. OK, if you can't find someone else to do your dirty work, you can do it yourself. Just follow the numbered items, although you don't have to follow them in order, and you won't have to worry about that pesky company any more.
These techniques are just the beginning. I'm working on a book tentatively titled The Complete Idiots' Secrets To And Annoyances Of Using Privacy Policies To Kill A Company: The Pocket Reference For Dummies In A Nutshell. Look for it at a bookstore near you.
When he isn't watching Vincent Price movies, Fred Wilf practices business, technology, and intellectual property law at Morgan, Lewis & Bockius LLP in Philadelphia. Morgan Lewis is a general practice firm with more than 1,100 attorneys in 12 offices worldwide. The ideas and opinions expressed in this article, warped though they may be, are solely those of the author, and (thankfully) do not reflect the ideas or opinions of his firm, his clients, his family or his neighbors, all of whom are a little scared of him. For those not easily put off, Mr. Wilf may be reached at [email protected], and his firm's Web site (which is not at all threatening) is at http://www.morganlewis.com.
[1] John DeLorean was probably ahead of his time.
[2] Children's Online Privacy Protection Act is a statute passed by Congress and subject to regulations promulgated by the Federal Trade Commission. For information on COPPA, see the FTC's publication, How To Comply With The Children's Online Privacy Protection Rule.
[3] The European Union passed a directive, some years ago, requiring member nations to protect the privacy of personally identifiable data. All such data collected within the EU may not be exported outside of the EU (e.g., to the United States), except under limited circumstances. See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[4] An online pharmacy that lied to its users was hit with substantial penalties. See Online Pharmacies Settle FTC Charges.
[5] There's a great deal of free privacy information online from many organizations, including the Electronic Frontier Foundation, the American Civil Liberties Union, Privacy Rights Clearinghouse, Electronic Privacy Information Center, Center for Democracy & Technology, PrivacyExchange, Privacy Foundation, Privacy International, and Privacy.org (jointly operated by EPIC and Privacy International).
[6] Sample privacy policies and privacy-policy generators may be found online, including those provided by the Organization for Economic Cooperation and Development and TrustE .
[7] See, e.g., TrustE Orders Aveo To Remove Privacy Seal.
[8] OK, so maybe the FTC does care a little bit. See, for example, Internet Site Agrees To Settle FTC Charges Of Deceptively Collecting Personal Information In Agency's First Internet Privacy Case.
About the Author
You May Also Like
More Insights
