Privacy Policies in the U.S.
- Notice: data collectors must disclose their information practices before collecting personal information from consumers. They must provide information about how customers can contact the organization with any inquiries or complaints.
- Choice: consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided. For sensitive information, the organization must include an affirmative or explicit choice if the information is to be disclosed to a third party or used for a purpose other than its original purpose.
- Access: consumers should be able to view and contest the accuracy and completeness of data collected about them.
- Security: data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from loss, misuse, unauthorized access, disclosure, alteration and destruction.
- Enforcement: data collectors should establish enforcement mechanisms to impose sanctions for noncompliance with fair information practices.
U.S.-EU Safe Harbor Framework
The European Union (EU) relies on comprehensive legislation that requires the creation of independent government data protection agencies, registration of databases with those agencies, and, in some cases, prior approval before personal data processing may begin. The U.S. takes a different approach, relying on a mix of legislation, regulation, and self-regulation.
To bridge these differences, the U.S. Department of Commerce has set forth a “safe harbor” framework regarding the collection, use, and retention of personal information from European Union member countries. To satisfy the safe harbor framework, a company must certify that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.