Q: A consultant who works on our agency website has told us that we need a "privacy policy" on the site because we collect and use certain personal information for our mailing lists and the like. Is this correct? If so, what are the consequences of failing to have such a policy? I notice that many of my competitors have no privacy policy. Are they acting illegally?
A: Your consultant's advice is wrong: You are not required by federal or state law to have a privacy policy. If you have one, you may wish you didn't, as failing to follow it can be held against you.
By the way, a privacy policy is an online statement that tells the website user the ways in which a party gathers, uses, discloses and manages a client's "personal information." Personal information can be anything that can be used to help identify an individual, not limited to but including name, address, date of birth, contact information and travel patterns. For example, see the 2,360-word policy of Northstar Travel Media, Travel Weekly's parent company.
I don't blame your consultant for not knowing the law, as it is quite hard to research the question of whether one is required. If you Google "are privacy policies legally required," you will not find the truth unless you look very carefully.
You may want to have a privacy policy as a business proposition, as many travel companies probably do. They reason that, if they had no policy, they might lose some sales, as having a policy makes it appear that you safeguard personal information.
You also may want to have a privacy policy simply to look more professional, as most -- but not all -- of the largest agencies and tour operators have them. Some of them integrate the policies with their other online terms and conditions, which is fine.
On the other hand, you might want to dispense with any privacy policy because of the risk that the government will penalize you if you don't follow what the policy promises. As the Federal Trade Commission (FTC) states, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises."
The FTC claims to have authority to pursue breaches under a roundabout but clever theory. The agency enforces Section 5 of the FTC Act, which simply prohibits all unfair and deceptive practices affecting interstate commerce. So, violation of your privacy policy is seen as a prosecutable, deceptive practice, even if it is inadvertent.
The only enforcement case involving the travel industry was a complaint that the FTC filed last summer against Wyndham Worldwide. In its complaint, the FTC quoted from Wyndham's privacy policy and then alleged that Wyndham violated its own policy in failing to safeguard personal information, including 619,000 credit cards whose numbers, expirations, and security codes were accessed by hackers because of allegedly inadequate data protections.
The FTC called Wyndham's privacy policy and the lack of safeguards an "unfair and deceptive practice." Since every state has similar laws on its books, breaches of your privacy policy could trigger state action, too.
So, you have to weigh the benefits of having a policy against the risks of being prosecuted for not following it.
Mark Pestronk is a Washington-based lawyer specializing in travel law. To submit a question for Legal Briefs, email him at [email protected].