Is an External Privacy Policy Enough?

August 3, 2019

Most businesses today understand the value of an external privacy policy.  An external privacy policy helps people trust your business and, in certain circumstances, it may even be required.  In addition, well-thought out internal privacy and security policies are an equally important part of any data management program.

Unfortunately, many businesses, particularly small- and medium-sized businesses, think that’s enough. These businesses lack well-designed internal privacy and security policies, which are a critical piece of the puzzle. While this can be due to limited resources or slow adoption by leadership, it often arises simply because the business does not realize the importance of developing these policies. In this post, we will take a look at why internal privacy and security policies are important for your organization.

How Are Internal Privacy and Security Policies Different from an External Privacy Policy?

An external privacy policy is a publicly available notice describing how your business collects, uses, maintains, and discloses personal information. In contrast, internal privacy and security policies are inwardly-focused documents that govern the handling of customer and organizational data and ensure that your business is keeping the privacy promises it has made. At their core, these internal policies reflect an agreed-upon strategy for safeguarding personal information. They define roles and responsibilities, establish processes for secure and privacy-protective data handling, provide specific instruction to employees about how they may and may not use data and IT systems, and set consequences for failing to follow the rules.

How Important Is It That I Have Internal Privacy and Security Policies?

Having documented internal privacy and security policies helps ensure that your business complies with its own external privacy policy. Internal policies can also serve as additional evidence of reasonableness in the event of a privacy or security breach, and are required under certain federal and state statutes and regulations.

Compliance with External Privacy Policies

It is critically important that your business comply with its external privacy policy in all respects. The Federal Trade Commission (“FTC”) considers statements made in these policies to be enforceable privacy promises and has brought numerous legal actions against companies that failed to live up to the commitments they made to consumers through external privacy policies.  For instance, if you state in your privacy policy that you do not use cookies on your website, but in fact, you do use cookies in certain circumstances, then you may in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits “unfair and deceptive acts and practices.”

Often, when businesses fail to comply with their own external privacy policies it is because of a lack of communication and clear direction within the organization. Clearly articulated written internal privacy and security policies solve this problem by allowing you to deliver consistent information across your organization about expectations and procedures. Rather than rely on your employees to remember and interpret the information in your external privacy policy, systems and controls are formalized and employees are given specific instruction about their responsibilities. Strategies to identify and mitigate vulnerabilities can also be built into workflows lessening the likelihood that they will be overlooked or ignored by individual departments within a company.

Evidence of Reasonableness

Implementing internal privacy and security policies that clearly outline your business’ approach to safeguarding personal information can also be important in the event of a privacy or security breach. Regulators investigating a breach will almost certainly ask whether your business has written policies relating to privacy and security and will consider the existence of such policies positive evidence that your business takes its role as a data steward seriously. Indeed, on several occasions the FTC has cited the absence of a written information security plan as evidence that a company did not act reasonably (see e.g., the FTC case against Uber).

Of course, policies by themselves will not insulate your business from reprisal; you must also faithfully practice those policies, monitor compliance with them, and regularly review them to stay abreast of evolving threats, laws, and organizational changes. But it can be helpful if, in the aftermath of a privacy or security breach, you can show that you undertook efforts to clearly outline what actions are unacceptable and to educate and train your employees through policy and education.

Required by Some Statutes and Regulations

Depending on the types of data you handle, you may also be required by law or regulation to maintain written internal privacy and security policies. For example, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule, 45 C.F.R. Part 160, requires that covered entities maintain written security policies and procedures. Similarly, the Safeguards Rule, which implements Section 501(b) of the Gramm-Leach-Bliley Act (“GLB”), 15 U.S.C. § 6801(b), requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program.  For purposes of GLB, financial institutions are not merely banks but any business “significantly engaged” in providing financial products or services. In May 2018, the FTC charged peer-to-peer payment provider, Venmo (operated by PayPal) with violating the Safeguards Rule, in part for failing to maintain a written information security program.


What Is Involved in Developing These Policies?

If your business already has a well-developed data management program but simply doesn’t have everything documented, then memorializing your existing practices in writing may be all that you need. Alternately, you may have a patchwork of written policies, in which case the first step is to review those policies to identify gaps and outdated information. Or you may have only an external privacy policy. While ideally internal privacy and security policies should be developed first, an external privacy policy can nevertheless form the basis for the development of a mature internal privacy and security compliance program.

If you have questions about writing or implementing internal privacy and security policies and procedures, please contact us. We can help you craft policies that align with the laws, regulations, and best practices that apply to your business.


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

Other Articles

GDPR Explained: A Quick Guide for U.S. Businesses
Children’s Data Privacy: Five Takeaways from the FTC’s Recent Workshop
Congress Reveals New Privacy Bill While States Push Ahead with Their Own Privacy Rules: Is Your Business Prepared?

    Ready to Talk?
    Contact Us

    We would to hear from you

    Please take a moment to tell us a few things about your needs and someone from our team will reach out to you as soon as possible.

    We would to hear from you

    Thank you for reaching out!

    Someone from our team will get back to you shortly

    We would to hear from you