View more from News & Articles or Primerus Weekly

A privacy policy is a legal notice on a website providing information about the website owner's use of consumers' personally identifiable information. While there currently is no general federal law requiring any website operator to post a privacy policy, there is a California state law (discussed below). Moreover, the Federal Trade Commission (FTC) and state Attorneys General regularly investigate and pursue legal action against website operators who collect personal information without consent and share that information with third parties. Thus, if you own a website that involves e-commerce, facilitates social networking, or otherwise engages in the collection and/or sharing of your customers' personally identifiable information, you should post a privacy policy on the homepage of your website.

Personally identifiable information generally means any information collected online about an individual consumer, such as his/her name, street address, e-mail address, telephone number, social security number, or any other information that permits the physical or online contacting of a particular individual.

In 2004, California became the first state to enact a law mandating that a privacy policy be posted on any commercial website that collects personally identifiable information about California residents. The California Online Privacy Protection Act (OPPA), codified at California Business & Professions Code sections 22575 to 22579, extends beyond California's borders because websites all over the United States (and even the world) can be accessed by California residents, who may submit their personally identifiable information at any time. OPPA requires privacy policies to set forth what information is collected and how it is shared. Those who fail to comply with OPPA risk civil suits for unfair business practices.

To comply with OPPA requirements, as well as FTC and other states' standards, your website privacy policy should address all of the following issues:

What type of personal information is collected on the website?
How is the collected data used? Is it stored or discarded? Is it disclosed to third parties? If so, to whom?
Are cookies used, and if so, what type of information is recorded?
How can consumers opt out from receiving emails from the website and from disclosure of their information to third parties?
Does the website collect information from children? If so, how does the website obtain verified parental consent for information about their children in compliance with the Children's Online Privacy Protection Act (COPPA), a federal statute?
How does the website operator keep its server and online operations secure?
How can a consumer review and make changes to his or her personally identifiable information, if the website allows such review and changes?
How do consumers learn of changes made to the website privacy policy?
What is the effective date of the privacy policy?

Most importantly, once you have a privacy policy in place, your company should act in accordance with it. Many online companies have gotten in trouble with the FTC for having a deceptive privacy policy, one that does not reflect the actual practices of the company. Specifically, recent litigation in this area has focused on companies that posted privacy policies promising not to share their customers' personal information but subsequently did share data with third parties. Another trouble area is when companies change their privacy policies without giving consumers appropriate notice and an opportunity to opt out. Most of the legal actions to date have been based on the FTC Act and state consumer protection statutes that prohibit unfair and deceptive practices. The FTC and state Attorneys General have applied these laws to website owners that fail to comply with their own posted privacy policies.

Once you have adopted a legally compliant privacy policy that you are comfortable with, the privacy policy must be conspicuously posted on your website, in accordance with OPPA. This means that a link to the privacy policy should appear on the homepage of your site. The link should contain the word "privacy" and should be written either in capital letters equal to or greater in size than the surrounding text, in a type, font, or color that contrasts with the surrounding text of the same size, or be otherwise distinguishable from the surrounding text on the homepage.

As a final point, to the extent possible, your privacy policy should be written in clear and simple language that the average consumer can understand. Certainly legal compliance with OPPA and other laws is a key consideration; however, if your privacy policy is so filled with legal jargon and technicalities that your consumers feel confused about and distrustful of your practices, they may lack confidence in your business and will not feel comfortable providing their information to you online. Thus, seek the assistance of legal counsel to help you draft a website privacy policy that is not only legally compliant but also clear, concise, and easy to understand.