Hello NAIIA members! I am excited to bring to you the collaboration piece for October 2018. In mid-2018, the compliance officer at Hausch & Co. was doing an internal review of our website. He brought to my attention that we did not have a Terms of Use and Privacy Policy on our website. We then started looking at samples of several other websites that eventually led us to the CPLIC, RRG website. We concluded the Hausch & Co did not have one, neither did CPLIC, RRG or the NAIIA. We then looked at several member sites and did not find any on member websites either.
We reached out to CPLIC, RRG to discuss the lack of a Terms of Use and Privacy Policy for all of us. Karen Haltman at CPLIC, RRG took the lead and thought it was a good topic to review. She has thoroughly researched the topic and has yielded the following information for our members:
1. Readability – should be grade 12 or lower. 86.7% of U.S. Adults read at a high school level.
2. California has a Privacy Policy Law (Business & Professional Code §§ 2257-22578) which has been in effect since January 1, 2004, states:
“operators of commercial websites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with its policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information. The privacy policy must also provide information on the operator’s online tracking practices. An operator is in violation for failure to post a policy within 30 days of being notified of noncompliance, or if the operator either knowingly and willfully or negligently and materially fails to comply with the provisions of its policy.
In summary, a company’s privacy policy must identify the categories of Personally Identifiable Information (PII) collected on website visitors and the categories of third parties that the company shares the data with. In 2014, the policy was expanded to include two additional aspects:
1. The privacy policy should disclose how it responds to a web browser ‘Do Not Track’ signal
2. Requires the website to disclose where third parties are or may be conducting such tracking on the operator’s site.
Connecticut requires any company or person that collects Social Security numbers in the course of business, must create a privacy protection policy. Policy must be ‘publicly displayed’ by posting on a web page and the policy must ‘(1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.’
I left in an optional paragraph detailing whether data is shared. CPLIC, RRG does not sell its list but left the option for those that might.
Karen has attached a Generic Website Privacy Policy. It’s been reviewed by CPLIC, RRG’s General Counsel; CPLIC, RRG’s BoD; and she has also run it be several people including our past president, Peter Crosa.
Click to view Terms of Use and Privacy Policy Draft – PDF
Click to view Terms of Use and Privacy Policy Draft – DOCX
We think its important for all members to have a Terms of Use and Privacy Policy added to their website. It is a trend that is coming to all states and is relevant to the data protection rules that you will be seeing as requirements to operate in your states. There are a lot of requirements coming out from the State of California effective 01/01/2019. Anyone that is doing London work had the GDPR requirements come out earlier in 2018.
A huge thank you to Karen Haltman and CPLIC, RRG for all of their efforts on researching this topic and drafting the initial piece for our members. There is a link in this article to download the document for member use as you see fit. It is my recommendation that everyone considers this as part of their business plan going forward.
David Hausch, President
October 24, 2018
