Privacy Policies in the U.S.

A privacy policy discloses some or all of the ways a company gathers, uses, discloses and manages customer data. Businesses that collect personal information from customers should adopt a comprehensive privacy policy in order to maintain full disclosure.

There is currently no specific federal regulation establishing universal implementation of privacy policies in the United States (U.S.). However, the Federal Trade Commission (FTC) enforces the terms of privacy policies under Section 5 of the FTC Act, which prohibits unfair or deceptive marketing practices. The FTC's Fair Information Practice Principles describe the critical issues that a company's privacy policy should cover: notice, choice, access, security, and enforcement.

  • Notice: data collectors must disclose their information practices before collecting personal information from consumers. They must also explain how customers can contact the organization with any inquiries or complaints.
  • Choice: consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided. For sensitive information, the organization must include an affirmative or explicit choice if the information is to be disclosed to a third party or used for a purpose other than its original purpose.
  • Access: consumers should be able to view and contest the accuracy and completeness of data collected about them.
  • Security: data collectors must take reasonable steps to ensure that information collected from consumers is accurate and secure from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
  • Enforcement: data collectors should establish enforcement mechanisms to impose sanctions for noncompliance with fair information practices.

U.S.-EU Safe Harbor Framework
The European Union (EU) relies on comprehensive legislation that requires the creation of independent government data protection agencies, registration of databases with those agencies, and (in some cases) prior approval before personal data processing may begin. The U.S. takes a different approach, relying on a mix of legislation, regulation, and self-regulation.

To bridge these differences, the U.S. Department of Commerce has set forth a "safe harbor" framework governing the collection, use, and retention of personal information from European Union member countries. To satisfy the safe harbor framework, a company must certify that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.

If you have any questions about privacy policies or best practices for online businesses, please contact us or subscribe to our free Q & A service.


Gavin Johnson