

Federal Trade Commission a.k.a. FTC

Privacy Policy 101: What Every Website Owner Should Know

By Internet Lawyer, Website Lawyer, Website Legal Documents

Here are Internet Lawyer Mike Young’s answers to frequently asked questions (FAQs) about website privacy policy requirements. If you own a website, this is vital information for protecting yourself from lawsuits and government investigations.

General Information About Website Privacy Policies

Q: What is a website privacy policy?

A: It’s the legal document that describes the website owner’s policy with respect to the privacy rights of site visitors.

These rights may be multi-tiered.

For example, a website visitor may have different rights and responsibilities than a paying customer with access to a restricted membership area.

Related Article: 5 Warning Signs You’re Using The Wrong Website Legal Documents

In addition to the legal aspects, a good privacy policy builds trust between the site owner and visitors.

On the other hand, the lack of a policy (or a poorly drafted one) creates suspicion the website owner is dishonest or an amateur treating the site like a hobby.

Q: Are privacy policies required?

A: Although not all jurisdictions require websites to have privacy policies, some countries and states do. Of particular concern to many business website owners is the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The problem with this is that most sites do not restrict access by geographic location. Even if you tried to restrict by country, visitors from the banned locations could still access your site using a virtual private network (VPN).

This means that if you’ve got a site with visitors from another state or country that requires sites have privacy policies, you have potential liability issues even if the location(s) where your site is based and hosted do not have such requirements.

Even if you win, it’s costly to defend against a lawsuit by a state’s attorney general or a consumer protection lawyer who attempts to get a class action certified against you as site owner for violating privacy laws you may not have even known existed.

Q: Can I save money by writing my own policy from scratch?

A: Probably not. Imagine you broke your arm with a compound fracture. The bone has pierced the skin.

Would you try to stop the bleeding, stitch up the wound, and set the bone at home with a do-it-yourself cast to save a trip to the emergency room? Chances are you’d end up spending a fortune later in medical bills trying to save the arm from amputation.

The same principle applies to legal issues like online privacy rights. It’s penny-wise and pound-foolish to cut corners here by pretending to be an experienced Internet business lawyer.

Q: What if I just “borrow” policy provisions I like from a big company’s website like Google or Amazon?

A: First, that’s intellectual property theft, which can lead to a copyright infringement lawsuit or at least a cease-and-desist demand letter from some unhappy corporate attorneys representing the owner you stole from.

Related Article: 7 Keys to Picking the Right Internet Lawyer

There was an entrepreneur about 10 years ago who decided to sell a website privacy policy without permission from the attorney who owned the copyright.

Although it’s unknown what the entrepreneur had to pay in addition to a very public apology, the lawyer went to website owners that bought the privacy policy and gave them an option. Each website owner could pay him several thousand dollars as a licensing fee or face a copyright infringement suit where the attorney could demand up to $150,000 per infringement.

Even if you have permission from the copyright owner to copy and paste from another website’s privacy policy, your business is not the same. In other words, what you must address on your site can be very different from another website even if the other site is owned by your competitor.

Different Kinds of Privacy Rights

Q: Why are there different types of privacy rights?

A: There are many legal variables at play in e-commerce. For example, the law treats website visitors very differently depending upon their ages.

Visitors who are at least 18 years old have minimal protection under the law because they’re generally treated as adults. Minors who are 13 to 17 years old have some legal safeguards under the law that are unavailable to adults.

Of course, the most protected privacy rights by law are those of children who are 12 years of age or younger. The federal Children’s Online Privacy Protection Act (COPPA) is a complex beast to comply with even if you’re an experienced attorney.

Related Article: Amazon Associates’ Child Directed Policy, COPPA, and Your Website

It’s important to note that your view of who your website visitors are may be different from that of the Federal Trade Commission (FTC) or a state attorney general’s consumer protection office when it comes to protecting minors.

There have been companies that thought their target market was college students only to learn the hard way website visitors supplying information were actually pre-teens. This is not the position you want to be in from a liability standpoint.

Q: Do the types of information collected by the website owner affect what should be included in a privacy policy?

A: Yes. For many websites, it’s not much of an issue because the information being collected is rather mundane, such as the length of a visit to a particular web page. A lot of this type of data is collected and reviewed in the aggregate rather than at the individual user level.

However, there is information collected that receives additional protection in the United States, Canada, and other countries. For instance, some personal information can be used to identify or track an individual visitor.

This class of personal data is commonly referred to as sensitive personal information (SPI) or personally identifiable information (PII). The additional requirements for PII often control collection, storage, and use of such data because of how easily it can be abused to commit identity fraud, stalk people, and serve other illegal purposes.

Q: Can you give me some examples of SPI/PII?

A: Sure. Although it varies by jurisdiction, data such as a visitor’s full name, credit card number, and home address are commonly protected sensitive personal information. However, there are truly gray areas where there’s no real consensus on whether the data should enjoy such protection. For example, a person’s gender, zip code, and criminal record may or may not be considered PII.

And sometimes it’s a combination of two different pieces of information that becomes SPI when each part by itself is not. For example, “J. Smith” by itself may not be personally identifiable information. However, if the website collects this data and the name of Smith’s employer, together the data may constitute PII.

Q: So as a website owner, I’ve got additional responsibilities for protecting sensitive personal information that can be used to identify individual visitors?

A: Yes. However, you also should consider how your visitors treat each other’s PII too.

Q: What do you mean by that?

A: If your site allows visitors to post information (such as blog comments or forum posts), invariably someone will reveal personally identifiable information about themselves in the content they post even though they really shouldn’t do so. You want to make it clear in your policy that other visitors who read such PII can’t abuse it. This means you’ll want to prohibit or severely limit the circumstances under which they can use such information without the proper consent(s) to do so.

Q: This sounds complicated. Are there more types of private information that get protected?

A: Yes, primarily data pertaining to a visitor’s health. In the United States, there are complex rules affecting website privacy promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009. These laws and rules are particularly important to professional healthcare providers (e.g. doctors and dentists) when it comes to protecting patient privacy.

Why Transparency is Essential

Q: Okay, if I comply with all of these laws and rules, what do I have to disclose in my privacy policy? Shouldn’t compliance be enough?

A: Unfortunately, simply obeying the rules in collection isn’t sufficient. Your website’s privacy policy should be fully transparent about what is collected, how that information is used by you as the site owner, and, to the extent it is legal to do so, how the data is shared with third parties by individual visitor or in the aggregate.

Equally important for gaining visitor trust is to state what you are not doing with the information collected. For example, if you are not selling or otherwise sharing data with third parties, let visitors know that.

Related Article: 5 Business Website Disclosures And Disclaimers

Q: Why?

A: Because you want to give the visitor enough data to make an informed choice about using your site (or deciding not to use it). And for some jurisdictions, even that’s not enough.

For example, under some circumstances you may have to provide data to website visitors who are California residents if they request it pertaining to PII shared with third parties…and your privacy policy should make it easy for them to make that request.

Q: How long should I retain visitor data I capture on my site?

A: The answer depends upon applicable law, the type of data collected, and your relationship with the visitor. For example, there’s certain information you’ll want to have that a customer provides you if there’s ever a breach of contract lawsuit regarding goods or services you provided.

The statute of limitations for bringing such a lawsuit may make it necessary for you to keep that information longer than you otherwise would if the same data was supplied to you by a visitor who is not a customer.

The key here (particularly with PII) is to keep the information only as long as you really need it.

Regardless of what you do, your site’s privacy policy should be clear and consistent with how your data retention actually works.

Information Security Risks

Q: Why not keep the data forever just in case you might need it someday?

A: The longer you keep such information, the greater the risk hackers or a government agency spying online will access and misuse the data. Keep it as long as needed for legitimate business and legal reasons but no longer.

You should also point out the inevitable risk of such hacking and spying in your privacy policy, how you attempt to protect data (without providing too much detail that actually enables hacking), and let the visitor make an informed decision on what information to provide you via your site with full knowledge of these dangers.

How do you handle do-not-track requests? Interest-based advertising from ads served on your site by third parties? Remarketing tags/pixels and tracking cookies?

What about opting out from such tracking and interest-based advertising? Will you provide visitors with options to do so within the policy itself by following simple instructions?

Site Log-in Information

If your site permits visitors or customers to log in for access to parts of the site restricted from the general public, how are user names and passwords to be handled? Who is responsible under your policy for protecting the privacy of this information?

Can more than one person use the same log-in credentials to access your site? If not, have you told visitors this in your privacy policy and terms of use?

Privacy and Email Marketing

If a visitor can opt into an email list you have via your website, you should explain the privacy rights related to use of their email address.

Will you self-host the list or use a reputable third party autoresponder service?

Are you using co-registration? Co-reg means a visitor providing an email address is opting into multiple lists, and often these lists are owned by more than just the website owner. This is particularly common in joint ventures and in lead generation (lead gen) marketing.

Will a visitor be required to confirm his subscription to the list or is simply entering an email address enough to join it? How can a subscriber unsubscribe from the list?

Related Article: How to Avoid Spamming with Your Emails

What if a visitor posts his email address on your site (e.g. in blog comments)? How should that email be treated by other site users? Should the information be protected? Is there a reasonable expectation of privacy? Or can others who see it email the person directly?

Privacy Policies Versus Other Website Legal Documents

Q: What about other legal documents on my website? How do they relate to the privacy policy?

A: That’s something you need to decide and make clear within the policy itself. For example, if there’s a conflict between your website’s terms of use and the privacy policy, which one controls?

What if a visitor becomes your customer? Is there a customer agreement that affects privacy? How? What if it conflicts with the privacy policy? Which provisions govern?

Q: Why should I have other legal documents? Can’t I lump the privacy policy, terms of use, refund policy, etc. all into one document?

A: Although it’s possible to lump them all together, as a practical matter the standard practice, for liability and other reasons, is to split these out into separate documents linked to in your website’s footer.

Q: I don’t want visitors getting hung up on legalese and leaving my site because of it. I’ll just link to the privacy policy in tiny font that blends in with the color of the footer’s background.

A: That’s a bad idea if you want these legal documents to provide you with protection. Many visitors are also savvy enough to understand what you’re doing with fine print. It smacks of dishonesty.

Related Article: How to Make Effective Internet Advertising Disclosures

The FTC and other government agencies dislike what they consider to be deceptive trade practices. Consumer protection lawyers make a lot of money suing over such deception.

This includes things like hiding legalese in the fine print. As a practical matter, you’ll want the footer links to your privacy policy and other docs to be at least the same height as the main text in the body of the page…and you’ll want the color to contrast with the background rather than blending into it.

Look at how the major websites do it. Some of the most successful retailers online all link clearly to their privacy policies without it adversely affecting sales conversions.

Let’s be realistic. Most website visitors know these legal documents exist and probably are going to ignore them.

It’s unlikely more than 1% of your visitors are going to hang out and read all of the legalese. Yet you want it clearly available to everyone to read, including any government agency employees who are checking up on how you do business online. Some of these government workers may even become your customers as part of investigating your business practices.

Q: What about making changes to a website’s privacy policy?

A: Your policy should address how updates will be made, when modifications will go into effect, and how users will be notified of these alterations. This gives them the opportunity to decide whether or not to continue using your site once the modifications are effective.

It’s common to email your subscribers and post a notice for a brief period of time on a site (e.g. a pop-up bar) to inform visitors the privacy policy has new terms with the opportunity to learn more about what’s different.

Related Professional Services Fees

Q: What if a website owner doesn’t have the budget for paying an experienced Internet lawyer to prepare a customized privacy policy?

A: As a practical matter, it’s usually a matter of misplaced priorities rather than a lack of funds. For example, it’s common for the Internet entrepreneur crying poverty when it comes to investing in legal protection to have bought the latest model cell phone, new computer, etc.

However, there are some website owners (e.g. bootstrapped startups) who are truly on a tight budget but need protection. One possible solution for many sites is Website Legal Forms Generator software.

I personally created and updated the privacy policy and other legal forms generated by this software that’s available through the Internet Attorneys Association.

Of course, if you have the funds, make the investment to get customized documents prepared by an experienced Internet lawyer. For example, our firm offers a Website Legal Protection Package for a flat fee.

Native Advertising: Announcing New FTC Guidelines

By Business Lawyer, Internet Lawyer

Does your website’s native advertising comply with new FTC guidelines?

Do you use native advertising? On December 22, 2015, the U.S. Federal Trade Commission (FTC) “issued an enforcement policy statement explaining how established consumer protection principles apply to different advertising formats, including ‘native’ ads that look like surrounding non-advertising content.”

The primary purpose is to ensure that consumers are not deceived by native ads that look like nearby content that is not advertising.

Use of native advertising is common on websites.

For example, you’ll likely read a news story in one column and find a related advertorial selling a product or service right next to the news story. Although this is good from a marketing conversion standpoint, without proper disclosures, the FTC may consider the practice deceptive because it confuses readers into mistakenly believing an advertisement is really objective news.

To ensure compliance and avoid getting into legal trouble with the FTC for native ads, you’ll want to check out the following resources.

The guide linked to above provides a good overview plus examples to help you obey the law.

What do businesses need to know to ensure that the format of native advertising is not deceptive? The Enforcement Policy Statement explains the law in detail, but it boils down to this:

1. From the FTC’s perspective, the watchword is transparency. An advertisement or promotional message shouldn’t suggest or imply to consumers that it’s anything other than an ad.
2. Some native ads may be so clearly commercial in nature that they are unlikely to mislead consumers even without a specific disclosure. In other instances, a disclosure may be necessary to ensure that consumers understand that the content is advertising.
3. If a disclosure is necessary to prevent deception, the disclosure must be clear and prominent.

Questions About Native Advertising?

Of course, if you have any questions about the advertising content on your website(s), consult with an Internet business lawyer.


Amazon Associates’ Child Directed Policy, COPPA, and Your Website

By Internet Lawyer, Website Lawyer, Website Legal Documents


Amazon recently emailed its affiliates (called Amazon Associates) to let them know that “sites targeted at children under 13 are not eligible to display links and advertising from the Amazon Associates program.”

Amazon sells children’s clothing, toys, games, etc.

So why would the company do this?

The reason is simple: potential legal liability.

There’s a U.S. law known as the Children’s Online Privacy Protection Act of 1998 (COPPA). This makes it difficult to legally do business online with websites that target (directly or indirectly) children because there are many extra requirements for doing so. If your website violates the law or related regulations, chances are you’re exposing yourself to lawsuits and government investigations by the U.S. Federal Trade Commission (FTC) and other consumer protection agencies.

If you’re an Amazon affiliate, the company doesn’t want to end up being liable for you putting ads on a site that violates COPPA.

What if your site isn’t targeted at young children?

You probably ought to make that clear on your site, both in your content and in the website’s legal documents. That’s why the customized site documents I draft for clients (privacy policies, terms and conditions, etc.), and my legal forms generated by Website Legal Forms Generator software, inform visitors that a site is not intended for children and impose limits on how minors can use the website with parental involvement.

What if you do have a children’s website covered by COPPA?

Have a qualified Internet business lawyer review your site to ensure you’re not violating COPPA. Let’s face it. If Amazon thinks there’s a legal risk, chances are you don’t want to violate that law either.

Internet Law News: Kickstarter Crowdfunding Campaign Nailed by FTC

By Internet Lawyer

FTC cracks down on dishonest Kickstarter crowdfunding campaign

The U.S. Federal Trade Commission just cracked down on alleged deceptive trade practices in a Kickstarter crowdfunding campaign.

According to the FTC, funds were raised for a project to produce a board game. However, the fundraiser never delivered the rewards he promised to his financial backers and he didn’t offer refunds either. Instead, he spent the money on personal expenses and other items unrelated to the board game.

It’s important to note that there was no allegation of wrongdoing by Kickstarter. The FTC went after the fundraiser.

Under the settlement reached with the FTC, the fundraiser “is prohibited from making misrepresentations about any crowdfunding campaign and from failing to honor stated refund policies. He is also barred from disclosing or otherwise benefiting from customers’ personal information, and failing to dispose of such information properly. The order imposes a $111,793.71 judgment that will be suspended due to [his] inability to pay. The full amount will become due immediately if he is found to have misrepresented his financial condition.”

Lesson to learn? If you’re going to crowdfund to raise money, be sure to honor your commitments. Taking the money and spending it on yourself is a bad idea from both a legal and ethical standpoint.

Related reading: Crowdfunding Project Creator Settles FTC Charges of Deception


How to Get the FTC to Sue You Because of Your Website

By Internet Lawyer

Will you end up in court because of your website’s content?

The U.S. Federal Trade Commission (FTC) recently sued some website owners for deceptive trade practices. What the government has claimed is a lesson about what not to do with your website – unless you enjoy getting sued.

Internet marketing tactics that lead to government investigations and lawsuits.

Here are some highlights of what the website owners allegedly did that got the FTC’s attention.

  • Set up websites to look like news websites even though they were really product sales pages.
  • Made false and deceptive claims about what their product could do for clients.
  • Gave free samples to clients who provided testimonials but did not disclose that fact.
  • Paid clients for video testimonials but didn’t disclose that either.
  • Misused a celebrity’s photo to imply the celebrity had endorsed their product.
  • Ran banner and text ads with deceptive product claims.

“[The defendants] compounded the deception by advertising on pretend news sites, making it impossible for people to know whether they were seeing news or an ad.” – Jessica Rich, Director of the FTC’s Bureau of Consumer Protection.

How do you avoid website-related lawsuits?

People can sue anyone for anything these days regardless of the merits. However, there are steps you can take to reduce your risk of legitimate lawsuits by unhappy clients or the government.

This includes making sure your website is both factually correct and contains all of the information a prospective client needs in order to make an informed decision whether or not your product or service should be purchased. Honesty and transparency are mandatory.

This is particularly important if you’re selling products and services in high risk niches such as health or how to make money online.

Get a Professional Website Legal Diagnostic

If you value your time and hate lawsuits, a good place to start is to get a site legal checkup by having a Professional Website Legal Diagnostic performed by an experienced Internet lawyer. That way you’ll know what needs to be changed on your site in order to reduce your risk of getting taken to the cleaners in a lawsuit.
