Internet Concessionaire Customer Privacy Policy
1. All Internet Concessionaires must use some form of encryption mechanism
(for example, Secure Sockets Layer (SSL) or Pretty Good Privacy (PGP) encryption,
etc.) to protect Exchange online customers' sensitive information when shopping
at an Internet Concessionaire's Internet site(s). Sensitive information such as
credit card information must be encrypted before it is sent over the Internet.
AAFES information must be stored on secured computer servers in a controlled,
secure environment, protected from unauthorized access, use or disclosure. The
terms AAFES and Exchange online are used interchangeably in this policy
statement.
a. Internet Concessionaires must have written procedures in place for notifying
AAFES within 8 hours, and all Exchange online customers within 24 hours, of any
security incident that might adversely affect the Exchange online customer,
measured from when the Internet Concessionaire becomes aware of the incident.
Security incidents include but are not limited to the following:
i. Web servers/site compromise
ii. Stolen credit card information
iii. Identity fraud
b. Internet Concessionaires are responsible for safeguarding Exchange online
customers' information and may be held liable if the best common security
practice was not adhered to and negligence can be proven.
2. Internet Concessionaires are prohibited from asking Exchange online
customers for their Social Security Numbers, and are prohibited from asking
Exchange online customers for personal information not necessary to complete
the transaction.
3. Internet Concessionaires must obtain written consent for the collection,
use, and sharing of a child's (ages 12 and under) personal information online,
from the child's parent.
4. Internet Concessionaires must provide Exchange online customers the option
and the ability to accept or decline cookies. Internet Concessionaires must
inform Exchange online customers of the type of cookie that will be installed
on their computer and the information it will be collecting when the user
visits the Internet Concessionaire's site(s). Information allowed to be
collected and analyzed includes the Internet protocol (IP) address used to
connect the Exchange online customer's computer to the Internet; login; e-mail
address; password; computer and connection information such as browser type and
version, operating system, and platform; purchase history; the full Uniform
Resource Locators (URL) click stream to, through, and from the Exchange web
site, including date and time; cookie number; products viewed or searched for;
Exchange online customer preference; shopping history; and Exchange online
customer phone number.
5. Internet Concessionaires must not sell, rent or lease its customer lists
that include Exchange online customers, to third parties without the written
consent of AAFES. Exchange online customer data must only be shared with other
trusted partners to perform statistical analysis that will provide benefits to
all parties involved. Internet Concessionaires are prohibited from using
Exchange online customers' information except to provide quality service and
are required to maintain the confidentiality of such information.
6. Internet Concessionaires must not add Exchange online customers to their
mailing list without the Exchange online customer's consent, but must use an
"opt in" system for Exchange online customer consent for mailing lists and
sharing of such information with others. Exchange online customers must be
given the option to request to have their information removed from
the Internet Concessionaire's mailing list and to modify, correct or update
their information on the Internet Concessionaire's database.
7. Internet Concessionaires may disclose Exchange online customers' personal
information, without notice, only if required to do so by law or in the good
faith belief that such action is necessary to:
a. Conform to the edicts of the law or comply with legal process served on
AAFES or the site.
b. Protect and defend the rights of property of AAFES, or an AAFES Web site.
c. Act under exigent circumstances to protect the personal safety of users of
AAFES, its web sites, or the public.
8. Internet Concessionaires' security and privacy practices will be reviewed on
a quarterly basis and information regarding specific Internet Concessionaire's
connections will be updated as necessary. Internet Concessionaires not
conforming to this policy and the Privacy Act of 1974 will have their link
removed from the AAFES web site.
9. This policy will remain in effect after the business relationship between
AAFES and the Internet Concessionaire is ended to ensure that Exchange online
data will continue to be safeguarded.
10. Questions or concerns regarding this specific policy, or AAFES' general
computer security policies, should be directed to the contracting officer.