Expensify's Privacy Policy

Irene Mo
Senior Associate @Aleada Consulting
Mike Whelan
Chief Community Officer

Websites gather your personal information every time you visit. Those annoying pop-up notifications actually warn you and ask if you would like to read the privacy policy or even object to some of the information they will collect from you. Predictably, 89% of users accept privacy policies without ever reading them. Social media app privacy policies average more than six thousand words and can each take 30 to 90 minutes to read. Impatient web-surfing consumers have consent fatigue and agree to these complicated documents without reading or understanding them. Companies count on this as they data mine for marketing and other purposes.


Privacy attorney and consultant Irene Mo talks about Expensify’s ten-thousand-word Privacy Policy. She also covers general privacy policy rules in different jurisdictions such as the EU and California. Attorney Mo discusses the blowback from Expensify CEO David Barrett’s October 2020 partisan political email, sent to the private email addresses of 10 million Expensify users. She highlights how to create a culture of respect for the consumer’s data that goes beyond the documents. This is an excellent example of how your drafting quality can improve your client’s quality of implementation.


Questions

  1. Why are privacy policies important?
  2. What happens to your personal data?
  3. Which emails make the FTC angry?
  4. What is the CCPA?
  5. Did Expensify’s CEO break their privacy policy?

Why Privacy Policies Are Becoming More Strict

Individual US states and the EU are each implementing their own privacy laws. This means jurisdictions have become much stricter in regulating what companies may put in their privacy policies and what they can or cannot do with your personal data. Attorney Mo explains that the various jurisdictions want to make sure that companies are actually giving the consumer the correct information, with very specific details of how and when their information will be used.


Does Anybody Read Privacy Policies?

While privacy policies are important, attorney Mo agrees that the vast majority of users don’t read them. One of the reasons, she explains, is the flood of privacy policy update notifications consumers received after the California Consumer Privacy Act (“CCPA”) went into effect in January 2020. It seemed like every company on the Internet sent out an update notice to their users about the CCPA.

"You probably remember getting an email from every single company you signed up for that was saying, we updated our privacy policy. It was the whole California consumer privacy rush." Irene Mo

Use of Your Personal Data

Section 6 Use of Your Personal Data is primarily a bullet point list of specific reasons and ways that Expensify can use your personal data:

  • To help open your account
  • To send you a welcome email to verify your email address
  • To improve the user experience
  • To respond to your inquiries
  • To provide improved administrative services

"Expensify's personal data use is a lot more narrow and discrete than I would usually draft it." Irene Mo

Attorney Mo explains that this particular list is a narrow approach to drafting privacy policies, and she recommends broader, more generalized explanations. The danger a company runs by having a long and specific list is that consumers might believe it is the exact and complete list of activities the company performs with their data – these activities and nothing more.

Making the document easy to read by using headers, sub-headers and bullet point lists is fine according to attorney Mo. But, she recommends general paragraphs to explain subjects, which would include some examples that highlight the broad explanation.

For example, the company might tell users that they would like to communicate with them about products and services and then give some examples. They might also explain they would like to use the information for marketing and advertising and provide more examples. This way the company is explaining in generalities and not tied to specificities.

Transactional vs. Marketing

Privacy policies, including this one, spell out how the company may contact you with certain notices about product changes, updates, technical matters, and even new products and services. Companies have a right not to provide service to you if you refuse to accept emails from them, and the FTC interprets what counts as marketing or promotional email very broadly.

However, attorney Mo says the FTC “gets angry” when companies send marketing and promotional emails and pass them off as transactional emails.

"Where the FTC gets mad is when you try to pass off a commercial e-mail as a transactional email." Irene Mo

When sending commercial marketing emails in the US, companies are required to follow the FTC’s CAN-SPAM Act rules. The business must disclose that it is sending a marketing email and must give the consumer the ability to opt out of future emails.

European Disclosure Laws

While the FTC enforces federal laws regarding privacy policies and emails in the US, in 2016 the EU passed the General Data Protection Regulation (GDPR) on data protection and privacy in the EU. While many US states have only a few paragraphs concerning data protection and privacy, the GDPR is an 88-page comprehensive document.

"A company's biggest risk is the EU, because that specific jurisdiction and specific notice is the most expansive." Irene Mo

California is Different

While the EU has the GDPR, California has the CCPA to protect consumers’ data privacy. Attorney Mo explains that California’s CCPA is similar to the EU’s GDPR, but there are some differences in approach and language. As an example, California talks about the allowable commercial use of the data, while the EU focuses on the legal basis for using the data.

B. Additional Disclosures for California Residents
These Additional Disclosures for California Residents supplements the information contained in this Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”).
I. CCPA Disclosures
We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice. This Privacy Policy contains Expensify’s required notices and disclosures including its Privacy Policy for California Residents, Notice of Collection, Notice of Opt Out Rights, and Notice of Financial Incentives requirements.

Did Expensify’s CEO Violate Privacy Policy?

Attorney Mo does not believe that Expensify CEO David Barrett violated the privacy policy when he sent a pro-Biden email to the 10 million Expensify users. With the subject line “Protect democracy, vote for Biden,” the email set off a firestorm of publicity and polarized public opinion. Attorney Mo explains that if the company had to answer to an authority like an EU supervisory authority or the FTC, the language of the privacy policy was sufficient to cover political emails sent from the company.

CEO David Barrett's email sent to 10 million customers of Expensify

Notably, the Expensify Privacy Policy, updated June 1, 2021, now includes in Section 6 the following way that they may use your personal data:

“To send promotional communications newsletters, personal interest pieces, interests for the Expensify community, and news about events, elections, and campaigns.”

Should you draft specific or general?

With the different jurisdictions and their various rules, attorney Mo explains that businesses usually choose one of two methods for drafting their privacy policies. Some choose to write specific and segmented policies, with notices of certain jurisdictional requirements. Others decide to draft a more general and broad-based policy as a floor and then provide additional notices to consumers in those areas.

"It actually depends on the company and the information they collect and then their risk in each jurisdiction." Irene Mo, on drafting specific vs. general language

Attorney Mo mentions the following practical tips:

  • A general broadly written policy with examples often works better than a specific bullet-point list type approach.
  • Include notices of the EU’s GDPR and California’s CCPA in your privacy policy, along with other specifically needed jurisdictions.
  • Make sure the company’s emails follow the jurisdictional law and rules. In the US, the FTC guidelines are relatively clear-cut.

Use your contract drafting skills to make your client’s privacy policy consumer-friendly and easy to understand, and you’ll head off a lot of problems right from the start. As technology continues to advance and privacy becomes rarer, a carefully drafted privacy policy will stand up better to those changes. In the case of Expensify, even though the CEO did not violate the privacy policy, many assumed he did, which caused a lot of negative press. You not only need to make privacy policies general with examples; if you can also make them easier to read, consumers won’t be as confused when the next debatable email is sent out.


Show Notes

THE CONTRACT: Expensify’s Privacy Policy

THE GUEST: Irene Mo is an associate with Hintze Law working from the San Francisco Bay Area. She counsels clients on a wide range of privacy and data security issues, including conducting and setting up Records of Processing Activities, Data Protection Impact Assessments, implementing global data protection programs, and integrating privacy protections into emerging technology. She can be found at LinkedIn or Twitter.

THE HOST: Mike Whelan is the author of Lawyer Forward: Finding Your Place in the Future of Law and host of the Lawyer Forward community. Learn more about his work for attorneys at www.lawyerforward.com.

If you are interested in being a guest on Contract Teardown, please email us at community@lawinsider.com.

Transcript

Irene Mo [00:00:00] They’ve gotten a lot stricter on what you actually put in the document to make sure that you are actually giving consumers the correct information with very specific details of how and when you’re using their information. 

 Intro Voice [00:00:12] Welcome to the Contract Teardown Show from Law Insider, where legal experts tear down contracts from some of the most well-known companies and high profile executives around the world. 

Mike Whelan [00:00:26] In this episode, privacy attorney and consultant Irene Mo talks to us about Expensify’s privacy policy, with the company recently in the news for the CEO’s political emails to users. She covers general principles, rules specific to jurisdictions like California and the EU, and how to create a culture of respecting consumer data that goes beyond the legal documents. It’s a great example of turning drafting quality into quality implementation for your client. So let’s tear it down.

Mike Whelan [00:00:57] Hey everybody, welcome to the Contract Teardown show. I’m Mike Whelan. On this show we hang out with smart friends like Irene with the purpose of breaking down contracts and documents that are on the interwebs. Irene, how are you today?

 Irene Mo [00:01:14] I’m good. 

 Mike Whelan [00:01:15] It’s another day, it’s just another day. OK. We are amidst the apocalypse, we’re figuring it out. We’re learning things. So what we’re going to do today is talk about a document. Let me show you the document we are going through. This is the Expensify privacy policy. And we’ll talk about the overview of it and the fact that it’s super hard to navigate visually. But first, I want to ask you, I mean, what is this document? When are we going to see it? Why should we, as drafting lawyers, care about this thing? 

 Irene Mo [00:01:45] So this document is important because it is what gives consumers notice that you are using the information, you’re collecting their information and the purposes that your company is using this information. And recently, with all the different states and then the EU coming up with their privacy laws, they’ve gotten a lot stricter on what you actually put in the document to make sure that you are actually giving consumers the correct information with very specific details of how and when you’re using that information. 

Mike Whelan [00:02:21] And we’re using this specific one from Expensify, because hilariously, the CEO, I think his name is David Barrett, sent an email out to literally everyone telling people he thought you should vote for which, in this very split America, easily offended 30 percent of his user base and maybe violated some privacy rules. So we’re using this one to talk about a bit what happened there, but more for drafting purposes. How do you write this in a way that CEOs don’t go off the deep end and threaten your entire company? Irene, why am I talking to you? What’s your background? Tell me a bit about you and then we’ll get into the document.

Irene Mo [00:03:00] Yeah, so I am a senior associate at Aleada Consulting, we are a boutique privacy and security firm, so I am a consultant. So what you might hear here might actually be a little bit different than what you hear from an attorney. So we instead of giving legal advice, which, you know, sort of tends more on CYA making sure to avoid every and all risk, we look more holistically at the business and do business risk. And of course, you know, because I am an attorney, standard disclaimer, nothing I say here represents my company and these are all my personal opinions. But, you know, basically that’s what I do. I look at the business as a whole, evaluate your risk and then give you advice based on that holistic view.

Mike Whelan [00:03:49] This is like the visual version of a retweet. I don’t like anything in the thing I’m retweeting. I haven’t even read it yet. I’m saving it to read later. So don’t hold Irene accountable. It’s the visual retweet. All right, here’s what we’re going to do. We’re going to go through specific sections of this document. But first, I wanted to give you a chance to talk about the overview of the thing. When you look at this document, this is intended for consumers, right? This is consumer facing. So if I’m writing this and formatting this, I’m trying to get it read. Do people actually read this thing when you look at it?

 Irene Mo [00:04:24] No, absolutely not. I think last December it was the whole California consumer privacy rush. So I think you remember probably getting, you know, an email probably from like every single company you signed up for that was saying, we updated our privacy policy. For those who didn’t do the whole GDPR update, a lot of them had to do with the California Consumer Privacy Update. And even then, the companies that were affected by the GDPR, they saw the update specifically for the EPA because the statutory language is a little bit different. So, you know, when we were getting these, you know, I was at holiday parties, we were like, oh, we’re getting all these emails. And I’m like, yeah, I’m the one that you’re old people. People don’t read, you know? But with me in particular, I do take into account that consumers are going to see this. And I want to make this as readable, as friendly as a privacy notice can possibly be.

 Mike Whelan [00:05:26] So going into specific sections, I’m looking down at number six in this document and it’s titled The Use of Your Personal Data, and it’s got a bullet point list. And under that, some paragraphs and the list is fairly long. It’s fairly inclusive, talking about what they can do with your data. But you wanted to talk about a couple of these that refer to promotional communications. I’m seeing a bullet point that says to send with your consent or where a friend has referred you to us promotional communications, also hardcopy or electronic newsletters or surveys. There’s all the standard stuff that you would think of and identify you as a member. I’m going to give you like I’m going to give you support. But talk to me about this marketing material line and why that kind of thing is written so expansively. 

 Irene Mo [00:06:13] Sure, so actually, if you for in my opinion, if you look at the Expensify  sort of like bullet point of the list, I think that this is a lot more narrow and discrete than I would usually draft it. I would usually do broad categories like to communicate with you about our products and services and then maybe give a couple of examples and then say for marketing or advertising and then give another seven examples. The way that this one is drafted with such an extensive list of sort of gives the impression to the reader that these are the exact discrete activities that we’re using. This is like the whole set of them, which sort of very narrowly limited the scope that the company can use information for. What that being said, though, the marketing and the newsletter and promotional information, that is pretty broad. The FTC, you know. They take marketing promotional information very broadly, where they do get angry is where a company tries to pass off marketing or promotional emails as a transactional email. And that means emails are related to your account, for example, verifying your identity or contacting you about certain features that you have, billing, stuff like that. So the FTC can disagree with me. There were two supreme and they say something different. Like nothing I say here matters because it’s that Disney World. But where they get mad is when you try to pass off the. Commercial e-mail as a transaction of email, and you don’t include things that are disclosing that this is like an ad or you don’t get people to unsubscribe option because that’s the thing. Companies are free to, you know, not provide their service to you if you choose not to receive any emails from them, including your transaction emails. But if it’s a marketing or promotional email, you have to give the consumers a way to unsubscribe from those. 

 Mike Whelan [00:08:20] Yeah, and I’m looking through on the paragraphs that are below the bullet points and it talks about we may also use your personal data to send important notices to you. So to your point about the specificity of this particular list, you know, it seems like they’ve got this list and then they sort of try to go back and make it broad again if I’m, you know, for the purpose of making sure that I’m doing the CYA right. If I’m the lawyer and not the consultant thinking about the CYA, you seem to be saying that it would have been better had they sort of kept things broad from the beginning and not would you not have put a bullet pointed list like this in the first place? 

 Irene Mo [00:08:58] No. So I think using a lot of headers pattern, bullet points list, those are sort of what makes it easy to read and friendly. What I would have rather than done is have that paragraph that sort of lists what they do. And then you see how they use the words, such as where they it’s sort of more like an example of what they do within that category of activities. I would rather they kept it sort of general like that so that you are giving broad categories and meeting notice requirements. But, you know, people know that, like, these are just examples of stuff that you’re doing with in that category and that, you know, this bullet point, the list is not the exact things that you do. 

 Mike Whelan [00:09:43] Yeah, I was wondering because later they get into a bunch of disclosure disclosures for specific jurisdiction. So I’m looking down at the Europe disclosures in 15. It says juristic jurisdiction, specific provisions and a talks about Europe. And we’ll get into some other ones. But I’m I’m looking at this and it says participation in the Privacy Shield application of the Privacy Shield framework and Privacy Shield principles here, they start getting more specific. Is it possible that the specificity early related to, you know, these other jurisdictions require something more specific? So let’s go ahead and give it for everybody and then do these future European few European disclosures, like is there a relationship between what those jurisdictions require and the overall document? Does that make sense? 

 Irene Mo [00:10:35] Yeah, no, there is. So with all these different jurisdictions coming out and especially with the state specific ones that are a little bit more volatile, they have a little bit more leeway to make amendments very quickly versus the GDPR in the E.U., which is this, you know, broad sweeping law that covers entire EU. You know, there’s more leeway for volatility with the state specific laws. So what a lot of companies have done is either provide a very specific and segmented writes and notices for specific jurisdictions or what they’ve done is sort of have the General Privacy Policy Act as a floor and then provide additional notices that give additional protections to those consumers in those areas. 

 Mike Whelan [00:11:30] That’s interesting. So you might have done the opposite of what they did, meaning keep the overall document because it’s the floor as general and then give the specific disclosures for the jurisdiction as opposed to let me go ahead and make an exhaustive list and try to include everything. And then my California paragraphs are really short. 

 Irene Mo [00:11:49] Yeah. I mean, it actually depends on the company and the information they collect and then their risk in each jurisdiction. So it sort of looks like we’re here. Their biggest risk is the EU because that specific jurisdiction, specific notice is the most expansive, whereas later on when we look at all the other ones, they’re just like a couple of paragraphs. So it just depends on the company and where their risk lies with their data. 

 Mike Whelan [00:12:17] Yeah. Speaking of tell me about the there was something interesting under the California disclosures. There’s a paragraph that says we adopt this notice to comply with the CCPA and any terms defined in the CCPA have the same meaning when used in this notice. And then they have a like a definition section. This is what we mean in terms of California law. What do you know why that’s required? Why have a different definition section for California specifically? 

 Irene Mo [00:12:43] So California has the CCPA has a lot of sort of why I would say in terms of art where they. Use different wording and definitions than the GDPR, for example, those are the two basic laws that everyone is most concerned about and the reason why the price, because the responsibilities that are defined in the CCPA versus the GDPR is different depending on how they classify your company. So the reason why they include that is because the statutory language in the cap is very specific. For example, they talk about sort of the way that you can use data as a business or commercial purposes, whereas in the GDP you would say legal basis. So those are the different types of terminologies that really define what you can do within those laws. 

 Mike Whelan [00:13:39] I’m looking through there’s different pieces of the California, you know, they talk about collection use and disclosure of personal information. There’s quite a few paragraphs. Anything else about California that we should know if we’re drafting that? We make sure we add sections like this, if we’ve made sort of a generalized contract and then are focusing on California. 

 Irene Mo [00:14:00] Yeah, I would for companies I usually work with, I would usually recommend that they also include the CCPA specific categories of information that you collect. I don’t remember specifically if the Expensify one does include it, but sometimes that’s again as easy as giving examples. For example, identifiers are your name, email address, or if you are collecting job applicant information, then you might have like professional or educational information. And again, that’s like your work history and your skills. So just giving that very specifically, for CCPA is what is like the typical recommendation. But again, if your company doesn’t take that much risk in California, relying on the general privacy policy could also work for your company. 

 Mike Whelan [00:14:54] Hmm. And then finally, they’ve got one in Australia. But again, I think I think to your point, we’re seeing a lot of this pattern where we say, OK, our document, you know, these these disclosures are sort of the floor. We’re going to do the minimum for each jurisdiction and then we’re going to use our document to be used as widely as possible. And for an international company like this, it sort of has to be. So I want to get to principles. And in that, I want to talk about a little bit what the CEO did. And, you know, you tell me if if you’re in the position where you’re the lawyer in-house trying to control this kind of thing. So this CEO, when this happens, was the founder. And at the time, when you’re the founder of a little bootstrap company trying to raise money, you can do whatever you want. Right. But when you become CEO, you’re an employee. And so I’m wondering for the purpose of this kind of drafting, of drafting this kind of this kind of document, how do you set the CEO and the other people up in the company so that they don’t do things that could get them in big trouble in all these jurisdictions? Right. It’s not just that you wrote the thing, it’s that people have to be incorporated in their brains. 

 Irene Mo [00:15:58] Right, so specifically for the GDPR, there are six legal basis is that you can process information, so you would want to make sure that whatever you list in your notice that your company is aware of that. So before a new product or like a new feature launch, you’d want to have it set up where if your company isn’t in the habit of doing what we call data protection impact assessments, which is sort of assessing the privacy risks associated with the new product or feature that at the very least like the product team or the future team, as at least reaching out to the privacy attorney and saying, hey, this is what we’re thinking about doing early on. And I think this is something that’s very that’s echoed with all in-house attorneys. We want to be brought on as early on as possible so that we’re not the no person at the end. So that’s sort of goes to beyond drafting these governance documents, you really want to build a culture within the company that is privacy focused and what we like to call privacy by design, where you are building in privacy and into these products and in these processes so that it’s not an afterthought where there’s a scrambling at the end where we’re like, oh, crap, are we doing something with consumer data that we’re not actually supposed to be doing? 

 Mike Whelan [00:17:29] Yeah, I’m assuming to your point that a document like this, which is public facing, might be just the outer bounds, but then internally as a company, you’ve got to define some you know, some point short of that that so that we totally avoid getting to that outrebounded. 

 Irene Mo [00:17:46] Right, so this notice, it’s to consumers. So what would a company this would probably be an internal privacy policy that lays out the specific policies and procedures of what you can do with data and, you know, sort of like what the acceptable uses are, what the unacceptable uses are. But again, beyond these governance documents, we can drop them and we can sort of help a company implement them and build out these policies and processes. But the culture change isn’t there. If people aren’t willing to actually respect consumer privacy, that’s that’s not on us. Like we can draft the best ideas, stay and work with a company to get there. But in a culture change, then, you know, egregious uses of consumer privacy is just going to be continued to happen. 

 Mike Whelan [00:18:34] So because I’m curious, did the Expensify CEO, in your opinion, violate the privacy policy of Expensify or any of these relevant laws, do you think? 

 Irene Mo [00:18:45] I don’t think so. I think the way it’s take I mean, I don’t I don’t think it’s a hot take, I mean, if I I think there are multiple ways that, you know, if their attorney had to answer to a supervisor supervisory authority, whether it be the FTC or one of the supervisory authorities in the EU, I think there are multiple ways that this notice is written that would cover their political emails being sent out from the company. 

Mike Whelan [00:19:16] Hmm. Yeah. Yeah, this one was I mean, it definitely got out in the ether. If you look at Twitter, it seemed like everybody in the world received this email and had strong feelings one way or the other. Well, I appreciate you talking to us about it. It is such an interesting lesson in lawyers do the thing where they write the thing and then you’ve actually got to go implement it with human beings. So it’s an interesting tale. We’ll have all these resources available at LawInsider.com/resources. Irene, if people want to get in touch with you to learn more about what you do and examples like this of practical lawyering, what’s the best way to reach out to you?

Irene Mo [00:19:54] I’m on Twitter, and then also a good way to connect is on LinkedIn.

Mike Whelan [00:19:59] Awesome, we’ll make sure that people have links to that. Remember it’s lawinsider.com/resources. And if you want to be a contributor on the Contract Teardown show, just email us. We’re at Community@LawInsider.com. We’ll see you guys next time. Thanks again, Irene.
