Think of your privacy policy as a disclosure statement for your
website visitors. In order not to be misleading or deceptive, you need
to disclose each specific practice or policy regarding the collection,
use and dissemination or disclosure of all personal information. So, you
need to know how and what information your website will collect.
In the most basic sense, you need to understand exactly how your business collects data, how it uses that information and how it shares or distributes it so your privacy policy can be accurate and not misleading. If you don't understand how your business discloses or uses information, you obviously won't inform your website visitors. This, in turn, could be considered deceptive. Unfortunately, most websites copy privacy policies they find on other sites. Copying another privacy policy may describe the practices of some other website, but may not describe your policies. This may be deceptive in of itself since it misleads your visitors.
Website operators should always post a privacy and/or communications policy on their website if the website gathers any type of personal contact or identifying information from website visitors and/or customers. This applies to websites that collect only email addresses. Personal information generally includes contact information such as a visitor's physical address, phone number or email address and identifying information such as first and last names, social security number, etc. If your website conducts sales of goods, you will almost undoubtedly be collecting this type of information.
Additionally, registration with your website and/or the information your website collects to process a transaction or interact with some feature will result in collecting personal information. Collecting passive use information about how website visitors use and interact with a website should also be disclosed, especially if this information is then bundled with personally identifying information.
Simply because you do not plan on disseminating this information to third parties does NOT mean you should ignore having a privacy policy on your website.
Many websites use California's Online Privacy Protection Act ("OPPA") requirements as guidelines in drafting their privacy policies. You should use these basic requirements as the framework for your website's privacy policy since they are well defined. Disclosing exactly how and when you collect personal information and when you distribute or disclose it will determine how to fill in the remainder of the policy avoid liability under the FTC Act and any other applicable state law.
When drafting your privacy policy, you should always disclose the following:
You should use the lessons learned from previous FTC enforcement actions to complete the rest of your privacy policy. Here is a quick summary of those lessons:
-Always Follow Your Privacy Policy. If you make statements that you won't distribute your visitors personal information or that "all information you provide will remain anonymous" you better follow those statements. If you don't do what you say, your business will be in violation of the FTC Act. Pretty simple concept-if you lie, you are in violation of the FTC Act and potentially OPPA and maybe other state laws;
-Disclose Exactly How Your Website Treats Personal Information. I touched upon this earlier. You must disclose all the ways you intend or will disclose personal information you collect. This is really a key lesson to be taken away from the FTC's existing enforcement actions. If your object is only to provide information to one party, but you disclose it to third party marketers also, you must absolutely disclose this. If you collect information by accessing the personal information of third party sites through some service arrangement or software application you provide, this is also deceptive;
-Have Security Measures in Place. In a nutshell, you need to protect your customers and visitors personal information. The FTC has also stated that misleading express or implied statements about website security is prohibited. According to the FTC in one of their administrative decisions, your website must implement and document procedures that are reasonable and appropriate to: (1) prevent possible unauthorized access to your system (2) detect possible unauthorized access to the system; (3) monitor the system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations.
In subsequent cases, the FTC added to its definition of what constitutes "reasonable and appropriate security" measures. The FTC added requirements that (i) companies should not store sensitive information for unnecessarily long periods of time or in a vulnerable (i.e., non-encrypted) format, (ii) must use strong passwords to prevent a hacker from gaining control over computers and access to personal information stored on a network, (iii) must use readily available security measures to limit access between computers on its network and with the internet; and (iv) must employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations."
-Proper Training and Oversight is Required. Inadequate training and oversight of the personnel who will implement your privacy policy is a reasonable step your business must take, according to the FTC.
-Don't Change Your Policy After the Fact. You cannot retroactively change your privacy policies to the detriment of consumers. If you began to disclose or sell personal information provided by your visitors without seeking or receiving their consent, your business will be violating the law. Your business must take additional steps to alert customers that it has changed its policy to permit third-party sharing of personal information without explicit consent. The FTC has complained that the retroactive application of privacy policy changes "caused or is likely to cause substantial injury to consumers." The FTC says you should provide additional notice when your privacy policy has materially changed and what aspects of the policy have changed. Any time you do, you must obtain the consent of your customers who have previously provided personal information.
-Notify Visitors about Privacy Policy Changes. As stated, each time you change your privacy policy, the best practices include notifying visitors of the changes and requiring them to accept the changes after clicking through the amended policy. Any personal information you obtain from previous website visitors should not be used in a manner different than the original privacy policy unless you obtain their consent somehow.
If the FTC ever does file a complaint against your business, it could lead to very stiff civil penalties and consumer redress damages. Better to play it safe then risk shelling out thousands of dollars to the FTC. In conclusion, the best route to take is to draft a privacy/communications policy based upon OPPA and the guidelines set forth by the FTC.
Posting Your Privacy Policy
The basic principles set forth by state and federal laws provide that you should post your privacy policy in a conspicuous manner. A privacy policy is really just a disclosure to prevent your information collection practices from being deceptive.
You should follow the guidelines below on how and where to place your privacy policies, which are meant to comply with FTC laws and the requirements set forth under OPPA.
There is no specific federal law regulating or requiring a website to have or post privacy policies. However, Section 5 of the Federal Trade Commission ("FTC") Act prohibits unfair or deceptive marketing practices. While the FTC does not regulate privacy issues, any deceptive act or practice in commerce will lead to liability under the FTC Act. If your business gathers and unlawfully disseminates or discloses information from your visitors, this will generally be categorized as a deceptive or fraudulent business practice under the FTC Act.
The bottom line is that use and/or dissemination of information collected from website visitors is deceptive when the visitor is not properly made aware of the potential for this use and sharing before he or she provides any information to the website. The FTC basically requires that website operators/owners clearly inform visitors about all the ways the website collects any of their personal information ("personally identifiable information") and then how this information will or may potentially be used or shared with third-parties. There is no specific obligation imposed upon website operators to actually post a privacy policy on their website under the FTC Act. However, if you don't post a privacy policy on your website informing your visitors about all the ways your website collects and then discloses their personally identifying information, this is a deceptive practice.
If you post a privacy policy on your website and you or your business does not follow the stated policy, this will also be considered as a deceptive practice. For example, if you state on your website that the operators/owners do not sell or provide any collected email addresses to third-party marketers, but then you do anyways, this is obviously a deceptive practice. In other words, the website privacy policy cannot mislead your website visitors. According to the FTC, a violation of a former written agreement such as a privacy policy is clearly a deceptive act or practice.
Other then the FTC Act, some federal laws govern privacy policies in specific circumstances. This includes the Children's Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, which governs "Financial Institutions" and the Health Insurance Portability and Accountability Act (HIPAA).
State Website Privacy & Security Laws
A handful of states have separate online privacy protection statutes or have some express law dealing with gathering information from a website. A few states have laws placing security requirements on websites that collect personal information.
The following states have implemented more specific laws governing website privacy policies and security requirements:
-California has adopted the California Online Privacy Protection Act of 2003 (California Business and Professions Code Sections 22575-22579). The law requires "any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site". It also requires the policy to identify the category of personal information that the website collects and the third parties whom the information may be shared with by the website. This statute applies to any website that collects personal information from a California resident.
-Connecticut requires any person who collects Social Security numbers in the course of conducting business to create a privacy policy. The policy must be "publicly displayed" by posting it on a web page and the policy must: (1) protect the confidentiality of Social Security numbers; (2) prohibit unlawful disclosure of Social Security numbers; and (3) limit access to Social Security numbers. Connecticut laws now also require that businesses must "safeguard the data, computer files and documents containing the [personal] information from misuse by third parties" and "destroy, erase or make unreadable such data, computer files and documents prior to disposal." Conn. Pub. Act 08-16, § 1.
-Nebraska prohibits knowingly making a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.
-Pennsylvania includes false and misleading statements in privacy policies published on websites or otherwise distributed in its deceptive and fraudulent business practices statute.
-Nevada requires that "[a] business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission." This includes all e-mail, and websites, and other forms of Internet-based communications containing personal information. It is also important to note that the Nevada Law applies only to businesses "in this State." However, for many businesses which are not located in Nevada, but that do business with customers in the state, they could be "doing business" in Nevada If you plan on doing a significant amount of business in Nevada, it is safe to assume that the law will apply.
-Massachusetts, like the Nevada laws, requires businesses to encrypt all personal information that is transmitted across public networks or by wireless transmission. It applies to all persons that own, license, store or maintain personal information about a resident of Massachusetts. This law also requires businesses to encrypt all personal information that is stored on laptops and other portable devices. Similar to the Nevada law, "personal information" is defined as a combination of a person's name plus one of the following sensitive data elements related to that person: Social Security number, driver's license or state-issued identification card number, or financial, credit or debit card account numbers.
In the most basic sense, you need to understand exactly how your business collects data, how it uses that information and how it shares or distributes it so your privacy policy can be accurate and not misleading. If you don't understand how your business discloses or uses information, you obviously won't inform your website visitors. This, in turn, could be considered deceptive. Unfortunately, most websites copy privacy policies they find on other sites. Copying another privacy policy may describe the practices of some other website, but may not describe your policies. This may be deceptive in of itself since it misleads your visitors.
Website operators should always post a privacy and/or communications policy on their website if the website gathers any type of personal contact or identifying information from website visitors and/or customers. This applies to websites that collect only email addresses. Personal information generally includes contact information such as a visitor's physical address, phone number or email address and identifying information such as first and last names, social security number, etc. If your website conducts sales of goods, you will almost undoubtedly be collecting this type of information.
Additionally, registration with your website and/or the information your website collects to process a transaction or interact with some feature will result in collecting personal information. Collecting passive use information about how website visitors use and interact with a website should also be disclosed, especially if this information is then bundled with personally identifying information.
Simply because you do not plan on disseminating this information to third parties does NOT mean you should ignore having a privacy policy on your website.
Many websites use California's Online Privacy Protection Act ("OPPA") requirements as guidelines in drafting their privacy policies. You should use these basic requirements as the framework for your website's privacy policy since they are well defined. Disclosing exactly how and when you collect personal information and when you distribute or disclose it will determine how to fill in the remainder of the policy avoid liability under the FTC Act and any other applicable state law.
When drafting your privacy policy, you should always disclose the following:
- When your website collects information. Your website may collect information upon registration with your website, or when any of your visitors order a product. But, how else will it collect information? Other collection of data may occur through collection of website traffic and aggregate usage data. For instance, the date and time a user visits your site, the (IP) address from which your website was accessed, the webpages visited, duration on each page, the type of browser and operating system used to access your site, etc. Information may also be collected through correspondences such as through emails, faxes or phone calls with your business. Collection of information also occurs through credit card processing or other third party applications accessed through your website;
- The information your website actually collects. What personal information will your website collect? You should use OPPA as your guide in defining and determining this information;
- How your business will use the personal information. You need to disclose exactly how your business intends to use any data or information it collects. Don't leave anything out. If you don't distribute any information, but will store it in some customer contact database, disclose this. Similarly, facilitation of product purchases or collection for future promotions should be disclosed in your policy;
- The information that is disclosed or provided to third parties. You must determine all the possible ways you will disclose your visitors personal information you collect. These will include information provided during the shipping process, to credit card merchants and banks, your host or ISP through operation of the website, etc. You should disclose all of this even if you don't intend on distributing information to third parties;
- Will you use cookies or any type of tracking device? This should be clearly disclosed to website visitors and agreed to beforehand. Also, if you use "third-party cookies" (i.e. using a third party such as Google Analytics that passes cookies directly to your website visitors' browsers) this should now also be disclosed.
You should use the lessons learned from previous FTC enforcement actions to complete the rest of your privacy policy. Here is a quick summary of those lessons:
-Always Follow Your Privacy Policy. If you make statements that you won't distribute your visitors personal information or that "all information you provide will remain anonymous" you better follow those statements. If you don't do what you say, your business will be in violation of the FTC Act. Pretty simple concept-if you lie, you are in violation of the FTC Act and potentially OPPA and maybe other state laws;
-Disclose Exactly How Your Website Treats Personal Information. I touched upon this earlier. You must disclose all the ways you intend or will disclose personal information you collect. This is really a key lesson to be taken away from the FTC's existing enforcement actions. If your object is only to provide information to one party, but you disclose it to third party marketers also, you must absolutely disclose this. If you collect information by accessing the personal information of third party sites through some service arrangement or software application you provide, this is also deceptive;
-Have Security Measures in Place. In a nutshell, you need to protect your customers and visitors personal information. The FTC has also stated that misleading express or implied statements about website security is prohibited. According to the FTC in one of their administrative decisions, your website must implement and document procedures that are reasonable and appropriate to: (1) prevent possible unauthorized access to your system (2) detect possible unauthorized access to the system; (3) monitor the system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations.
In subsequent cases, the FTC added to its definition of what constitutes "reasonable and appropriate security" measures. The FTC added requirements that (i) companies should not store sensitive information for unnecessarily long periods of time or in a vulnerable (i.e., non-encrypted) format, (ii) must use strong passwords to prevent a hacker from gaining control over computers and access to personal information stored on a network, (iii) must use readily available security measures to limit access between computers on its network and with the internet; and (iv) must employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations."
-Proper Training and Oversight is Required. Inadequate training and oversight of the personnel who will implement your privacy policy is a reasonable step your business must take, according to the FTC.
-Don't Change Your Policy After the Fact. You cannot retroactively change your privacy policies to the detriment of consumers. If you began to disclose or sell personal information provided by your visitors without seeking or receiving their consent, your business will be violating the law. Your business must take additional steps to alert customers that it has changed its policy to permit third-party sharing of personal information without explicit consent. The FTC has complained that the retroactive application of privacy policy changes "caused or is likely to cause substantial injury to consumers." The FTC says you should provide additional notice when your privacy policy has materially changed and what aspects of the policy have changed. Any time you do, you must obtain the consent of your customers who have previously provided personal information.
-Notify Visitors about Privacy Policy Changes. As stated, each time you change your privacy policy, the best practices include notifying visitors of the changes and requiring them to accept the changes after clicking through the amended policy. Any personal information you obtain from previous website visitors should not be used in a manner different than the original privacy policy unless you obtain their consent somehow.
If the FTC ever does file a complaint against your business, it could lead to very stiff civil penalties and consumer redress damages. Better to play it safe then risk shelling out thousands of dollars to the FTC. In conclusion, the best route to take is to draft a privacy/communications policy based upon OPPA and the guidelines set forth by the FTC.
Posting Your Privacy Policy
The basic principles set forth by state and federal laws provide that you should post your privacy policy in a conspicuous manner. A privacy policy is really just a disclosure to prevent your information collection practices from being deceptive.
You should follow the guidelines below on how and where to place your privacy policies, which are meant to comply with FTC laws and the requirements set forth under OPPA.
- Post the privacy policy directly on the homepage of your website or first significant page after entering your website; or
- Place a link that contains the word(s) "privacy" or "privacy policy" on the homepage of your website, or on the first significant page after entering the site. The link should lead to a separate page containing the privacy policy. The text link should be written in capital letters equal to or greater in size than the surrounding text or in contrasting type, font, or color to the surrounding text, or set off from the surrounding text somehow with symbols or other marks that call attention to the language" (i.e. "PRIVACY POLICY"); and
- Any privacy policy page links should not be hidden or innocuous where your visitors have to scroll down to the bottom of the page to find it. In other words, the link should be placed on the immediately visible portion of the page.
There is no specific federal law regulating or requiring a website to have or post privacy policies. However, Section 5 of the Federal Trade Commission ("FTC") Act prohibits unfair or deceptive marketing practices. While the FTC does not regulate privacy issues, any deceptive act or practice in commerce will lead to liability under the FTC Act. If your business gathers and unlawfully disseminates or discloses information from your visitors, this will generally be categorized as a deceptive or fraudulent business practice under the FTC Act.
The bottom line is that use and/or dissemination of information collected from website visitors is deceptive when the visitor is not properly made aware of the potential for this use and sharing before he or she provides any information to the website. The FTC basically requires that website operators/owners clearly inform visitors about all the ways the website collects any of their personal information ("personally identifiable information") and then how this information will or may potentially be used or shared with third-parties. There is no specific obligation imposed upon website operators to actually post a privacy policy on their website under the FTC Act. However, if you don't post a privacy policy on your website informing your visitors about all the ways your website collects and then discloses their personally identifying information, this is a deceptive practice.
If you post a privacy policy on your website and you or your business does not follow the stated policy, this will also be considered as a deceptive practice. For example, if you state on your website that the operators/owners do not sell or provide any collected email addresses to third-party marketers, but then you do anyways, this is obviously a deceptive practice. In other words, the website privacy policy cannot mislead your website visitors. According to the FTC, a violation of a former written agreement such as a privacy policy is clearly a deceptive act or practice.
Other then the FTC Act, some federal laws govern privacy policies in specific circumstances. This includes the Children's Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, which governs "Financial Institutions" and the Health Insurance Portability and Accountability Act (HIPAA).
State Website Privacy & Security Laws
A handful of states have separate online privacy protection statutes or have some express law dealing with gathering information from a website. A few states have laws placing security requirements on websites that collect personal information.
The following states have implemented more specific laws governing website privacy policies and security requirements:
-California has adopted the California Online Privacy Protection Act of 2003 (California Business and Professions Code Sections 22575-22579). The law requires "any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site". It also requires the policy to identify the category of personal information that the website collects and the third parties whom the information may be shared with by the website. This statute applies to any website that collects personal information from a California resident.
-Connecticut requires any person who collects Social Security numbers in the course of conducting business to create a privacy policy. The policy must be "publicly displayed" by posting it on a web page and the policy must: (1) protect the confidentiality of Social Security numbers; (2) prohibit unlawful disclosure of Social Security numbers; and (3) limit access to Social Security numbers. Connecticut laws now also require that businesses must "safeguard the data, computer files and documents containing the [personal] information from misuse by third parties" and "destroy, erase or make unreadable such data, computer files and documents prior to disposal." Conn. Pub. Act 08-16, § 1.
-Nebraska prohibits knowingly making a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.
-Pennsylvania includes false and misleading statements in privacy policies published on websites or otherwise distributed in its deceptive and fraudulent business practices statute.
-Nevada requires that "[a] business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission." This includes all e-mail, and websites, and other forms of Internet-based communications containing personal information. It is also important to note that the Nevada Law applies only to businesses "in this State." However, for many businesses which are not located in Nevada, but that do business with customers in the state, they could be "doing business" in Nevada If you plan on doing a significant amount of business in Nevada, it is safe to assume that the law will apply.
-Massachusetts, like the Nevada laws, requires businesses to encrypt all personal information that is transmitted across public networks or by wireless transmission. It applies to all persons that own, license, store or maintain personal information about a resident of Massachusetts. This law also requires businesses to encrypt all personal information that is stored on laptops and other portable devices. Similar to the Nevada law, "personal information" is defined as a combination of a person's name plus one of the following sensitive data elements related to that person: Social Security number, driver's license or state-issued identification card number, or financial, credit or debit card account numbers.
This article was written by Philip A. Nicolosi, J.D. Mr. Nicolosi
provides legal services through his law firm, Phil Nicolosi Law, P.C.,
focusing on startup and small business law, Internet & technology
law and commercial transactions.
Mr. Nicolosi serves as a trusted advisor to numerous startups and small to medium sized businesses. This includes representation for a wide range of business law matters including business organization, corporate/LLC governance, regulatory law, contracts and transactions and most other matters outside of litigation. Mr. Nicolosi provides guidance with e-commerce, Internet marketing and technology-related legal matters. He also assists startup technology companies with seed financing, venture capital and exit transactions.
Mr. Nicolosi serves as a trusted advisor to numerous startups and small to medium sized businesses. This includes representation for a wide range of business law matters including business organization, corporate/LLC governance, regulatory law, contracts and transactions and most other matters outside of litigation. Mr. Nicolosi provides guidance with e-commerce, Internet marketing and technology-related legal matters. He also assists startup technology companies with seed financing, venture capital and exit transactions.
