One of our many valued sweepstakes clients is Subway®. We've had the pleasure of working with Subway® on local and regional sweepstakes, and employee incentive programs for several years.

During that time, we've gotten to know Teresa Paquet, Subway's Privacy Officer. Teresa is a legal specialist with a concentration in privacy who has served as the Subway® Privacy Officer for 11 years. Teresa is a member of the International Association of Privacy Professionals (IAPP) since 2011 and earned the designation of Certified Information Privacy Professional (CIPP/US) in 2015 through the IAPP.

Recently, I asked Teresa if I could interview her about the current status of privacy policies. Here is our discussion:

Not everyone is familiar with privacy policies – in a nutshell, please explain what a privacy policy is.

A privacy policy is an internal statement that governs an organization's handling of personal information. It is directed at the users of the personal information. A privacy policy instructs employees on the collection and the use of the data, as well as any specific rights the data subjects may have.

On the other hand, a privacy statement or privacy notice is an outward facing document (i.e., an organization's website policy) that describes how the organization collects, uses, retains and discloses personal information collected from an individual.

What kind of information is considered "personal" information?

The definition of personal information varies, depending on your location. The best way to define personal information regarding an individual is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly — in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Are companies that obtain personal information required to have a privacy statement?

Yes, if you collect personal information from an individual, whether online or offline, your company is required to have a privacy statement on your website, or a hard copy should be made available if they request a copy.

When do the official rules of a sweepstakes or contest need to include a description of the sponsor's privacy statement?

A privacy statement should always be included with each sweepstakes or contest to ensure that an individual is kept informed of the collection, use, and sharing of an individual's personal information in connection with a sweepstakes or contest.

How are privacy statements made available to the public if they are required for sweepstakes or contests?

The sweepstakes or contest specific privacy statement should be posted in the same place that you have the official rules posted. Even if the sweepstakes or contest is being held in a store and not online, the privacy statement should be available at the store to any individual who asks for it.

What information about a sponsor's privacy statement should be included in the official rules?

There should be a privacy paragraph included in the official rules that informs entrants about who the sponsor is, who the administrator is, and any other third parties involved in the sweepstakes or contest. There should also be links to the sponsor's, administrator's, and/or third party's website privacy statement if they will have access to an individual's personal information.

Are there any laws or regulations that pertain to not having a privacy statement?

There are many data protection laws, including various state, federal, and international laws, so a person would need to research the privacy laws for the area where they want to have a sweepstakes or contest and follow what the law says. If a company is unsure about what law they would need to follow, they should contact an attorney who specializes in sweepstakes and contests, as well as data privacy laws.

Who enforces those laws or regulations and have there been any lawsuits brought under those laws?

In the United States, sweepstakes and contests are regulated by numerous federal and state laws as well as overseen by state attorneys general and various federal agencies. Federal agencies with jurisdiction to regulate sweepstakes and contests include the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the United States Postal Service (USPS), and the United States Department of Justice (DOJ). Yes, there have been numerous lawsuits filed regarding sweepstakes and contests.

Who should consumers contact if you have any questions about privacy statements for sweepstakes or contests?

A company's privacy statement should include the full contact information for the company's privacy officer. You should always contact the privacy officer first in order to report any privacy complaints or issues. If the privacy officer cannot resolve your problem you can then contact the various state and/or federal agencies listed above.

Thank you, Teresa! And let us just add that, if you have any questions or concerns about issues pertaining to your company's privacy policy, you should contact your legal department or an attorney representing your firm for advice.

This post was written by retired Thompson Coburn partner Dale Joerling.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.