Here are Internet Lawyer Mike Young’s answers to frequently asked questions (FAQs) about website privacy policy requirements. If you own a website, this is vital information for protecting yourself from lawsuits and government investigations.
General Information About Website Privacy Policies
Q: What is a website privacy policy?
A: It’s the legal document that describes the website owner’s policy with respect to the privacy rights of site visitors.
These rights may be multi-tiered.
For example, a website visitor may have different rights and responsibilities than a paying customer with access to a restricted membership area.
Related Article: 5 Warning Signs You’re Using The Wrong Website Legal Documents
In addition to the legal aspects, a good privacy policy builds trust between the site owner and visitors.
On the other hand, the lack of a policy (or a poorly drafted one) creates suspicion the website owner is dishonest or an amateur treating the site like a hobby.
Q: Are privacy policies required?
A: Although not all jurisdictions require websites to have privacy policies, some countries and states do. Of particular concern to many business website owners is the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The problem with this is that most sites do not restrict access by geographic location. Even if you tried to restrict by country, visitors from the banned locations could still access your site using a virtual private network (VPN).
This means that if you’ve got a site with visitors from another state or country that requires sites have privacy policies, you have potential liability issues even if the location(s) where your site is based and hosted do not have such requirements.
Even if you win, it’s costly to defend against a lawsuit by a state’s attorney general or a consumer protection lawyer who attempts to get a class action certified again you as site owner for violating privacy laws you may not have even known existed.
Q: Can I save money by writing my own policy from scratch?
A: Probably not. Imagine you broke your arm with a compact fracture. The bone has pierced the skin.
Would you try to stop the bleeding, stitch up the wound, and set the bone at home with a do-it-yourself cast to save a trip to the emergency room? Chances are you’d end up spending a fortune later in medical bills trying to save the arm from amputation.
The same principle applies to legal issues like online privacy rights. It’s penny-wise and pound foolish to cut corners here pretending to be an experienced Internet business lawyer.
Q: What if I just “borrow” policy provisions I like from a big company’s website like Google or Amazon?
A: First, that’s intellectual property theft, which can lead to a copyright infringement lawsuit or at least a cease-and-desist demand letter from some unhappy corporate attorneys representing the owner you stole from.
Related Article: 7 Keys to Picking the Right Internet Lawyer
There was an entrepreneur about 10 years ago who decided to sell a website privacy policy without permission from the attorney who owned the copyright.
Although it’s unknown what the entrepreneur had to pay in addition to a very public apology, the lawyer went to website owners that bought the privacy policy and gave them an option. Each website owner could pay him several thousand dollars as a licensing fee or face a copyright infringement suit where the attorney could demand up to $150,000 per infringement.
Even if you have permission from the copyright owner to copy and paste from another website’s privacy policy, your business is not the same. In other words, what you must address on your site can be very different from another website even if the other site is owned by your competitor.
Different Kinds of Privacy Rights
Q: Why are there different types of privacy rights?
A: There are many legal variables at play in e-commerce. For example, the law treats website visitors very differently depending upon their ages.
Visitors who are at least 18 years old have minimal protection under the law because they’re generally treated as adults. Minors who are 13 to 17 years old have some legal safeguards under the law that are unavailable to adults.
Of course, the most protected privacy rights by law are those of children who are 12 years of age or younger. The federal Children’s Online Privacy Protection Act (COPPA) is a complex beast to comply with even you’re an experienced attorney.
Related Article: Amazon Associates’ Child Directed Policy, COPPA, and Your Website
And it’s important to note your view of who your website visitors are may be different from that of the Federal Trade Commission (FTC) or a state attorney general’s consumer protection office when trying to protect minors.
There have been companies that thought their target market was college students only to learn the hard way website visitors supplying information were actually pre-teens. This is not the position you want to be in from a liability standpoint.
Q: Do the types of information collected by the website owner affect what should be included in a privacy policy?
A: Yes. For many websites, it’s not much of an issue because the information being collected is rather mundane, such as the length of a visit to a particular web page. A lot of this type of data is collected and reviewed in the aggregate rather than at the individual user level.
However, there is information collected that receives additional protection in the United States, Canada, and other countries. For instance, some personal information can be used to identify or track an individual visitor.
This class of personal data is commonly referred to as sensitive personal information (SPI) or personally identifiable information (PII). The additional requirements for PII often control collection, storage, and use of such data because of how easy it can be abused to commit identify fraud, stalk people, and other illegal purposes.
Q: Can you give me some examples of SPI/PII?
A: Sure. Although it varies by jurisdiction, data such as a visitor’s full name, credit card number, and home address are commonly protected sensitive personal information. However, there are truly gray areas where there’s no real consensus on whether the data should enjoy such protection. For example, a person’s gender, zip code, and criminal record may or may not be considered PII.
And sometimes it’s a combination of two different pieces of information that becomes SPI when each part by itself is not. For example, “J. Smith” by itself may not be personally identifiable information. However, if the website collects this data and the name of Smith’s employer, together the data may constitute PII.
Q: So as a website owner, I’ve got additional responsibilities for protecting sensitive personal information that can be used to identify individual visitors?
A: Yes. However, you also should consider how your visitors treat each other’s PII too.
Q: What do you mean by that?
A: If your site allows visitors to post information (such as blog comments or forum posts), invariably someone will reveal personally identifiable information about themselves in the content they post even though they really shouldn’t do so. You want to make it clear in your policy that other visitors who read such PII can’t abuse it. This means you’ll want to prohibit or severely limit the circumstances under which they can use such information without the proper consent(s) do to so.
Q: This sounds complicated. Are there more types of private information that gets protected?
A: Yes, primarily data pertaining to a visitor’s health. In the United States, there are complex rules affecting website privacy promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009. These laws and rules are particularly important to professional healthcare providers (e.g. doctors and dentists) when it comes to protecting patient privacy.
Why Transparency is Essential
Q: Okay, if I comply with all of these laws and rules, what do I have to disclose in my privacy policy? Shouldn’t compliance be enough?
A: Unfortunately, simply obeying the rules in collection isn’t sufficient. Your website’s privacy policy should be fully transparent about what is collected, how that information is used by you as the site owner, and, to the extent it is legal to do so, how the data is shared with third parties by individual visitor or in the aggregate.
Equally important for gaining visitor trust is to state what you are not doing with the information collected. For example, if you are not selling or otherwise sharing data with third parties, let visitors know that.
Related Article: 5 Business Website Disclosures And Disclaimers
Q: Why?
A: Because you want to give the visitor enough data to make an informed choice about using your site (or deciding not to use it). And for some jurisdictions, even that’s not enough.
For example, under some circumstances you may have to provide data to website visitors who are California residents if they request it pertaining to PII shared with third parties…and your privacy policy should make it easy for them to make that request.
Q: How long should I retain visitor data I capture on my site?
A: The answer depends upon applicable law, the type of data collected, and your relationship with the visitor. For example, there’s certain information you’ll want to have that a customer provides you if there’s ever a breach of contract lawsuit regarding goods or services you provided.
The statute of limitations for bringing such a lawsuit may make it necessary for you to keep that information longer than you otherwise would if the same data was supplied to you by a visitor who is not a customer.
The key here (particularly with PII), is to keep the information only as long as you really need it.
Regardless of what you do, your site’s privacy policy should be clear and consistent with how your data retention actually works.
Information Security Risks
Q: Why not keep the data forever just in case you might need it someday?
A: The longer you keep such information, the greater the risk hackers or a government agency spying online will access and misuse the data. Keep it as long as needed for legitimate business and legal reasons but no longer.
You should also point out the inevitable risk of such hacking and spying in your privacy policy, how you attempt to protect data (without providing too much detail that actually enables hacking), and let the visitor make an informed decision on what information to provide you via your site with full knowledge of these dangers.
How do you handle do-not-track requests? Interest-based advertising from ads served on your site by third parties? Remarketing tags/pixels and tracking cookies?
What about opting out from such tracking and interest-based advertising? Will you provide visitors with options to do so within the policy itself by following simple instructions?
Site Log-in Information
If your site permits visitors or customers to log in for access to parts of the site restricted from the general public, how are user names and passwords to be handled? Who is responsible under you policy for protecting the privacy of this information?
Can more than one person use the same log-in credentials to access your site? If not, have you told visitors this in your privacy policy and terms of use?
Privacy and Email Marketing
If a visitor can opt into an email list you have via your website, you should explain the privacy rights related to use of their email address.
Will you self-host the list or use a reputable third party autoresponder service?
Are you using co-registration? Co-reg means a visitor providing an email address is opting into multiple lists, and often these lists owned by more than just the website owner. This is particularly common in joint ventures and in lead generation (lead gen) marketing.
Will a visitor be required to confirm his subscription to the list or is simply entering an email address enough to join it? How can a subscriber unsubscribe from the list?
Related Article: How to Avoid Spamming with Your Emails
What if a visitor posts his email address on your site (e.g., in blog comments)? How should that email be treated by other site users? Should the information be protected? Is there a reasonable expectation of privacy? Or can others who see it email the person directly?
Privacy Policies Versus Other Website Legal Documents
Q: What about other legal documents on my website? How do they relate to the privacy policy?
A: That’s something you need to decide and make clear within the policy itself. For example, if there’s a conflict between your website’s terms of use and the privacy policy, which one controls?
What if a visitor becomes your customer? Is there a customer agreement that affects privacy? How? What if it conflicts with the privacy policy? Which provisions govern?
Q: Why should I have other legal documents? Can’t I lump the privacy policy, terms of use, refund policy, etc. all into one document?
A: Although it’s possible to lump them all together, as a practical matter standard practice for liability and other reasons is to split these out into separate documents linked to in your website’s footer.
Q: I don’t want visitors getting hung up on legalese and leaving my site because of it. I’ll just link to the privacy policy in tiny font that blends in with the color of the footer’s background.
A: That’s a bad idea if you want these legal documents to provide you with protection. Many visitors are also savvy enough to understand what you’re doing with fine print. It smacks of dishonesty.
Related Article: How to Make Effective Internet Advertising Disclosures
The FTC and other government agencies dislike what they consider to be deceptive trade practices. Consumer protection lawyers make a lot of money suing over such deception.
This includes things like hiding legalese in the fine print. As a practical matter, you’ll want the footer links to your privacy policy and other docs to be at least the same height as the main text in the body of the page…and you’ll want the color to contrast with the background rather than blending into it.
Look at how the major websites do it. Some of the most successful retailers online all link clearly to their privacy policies without it adversely affecting sales conversions.
Let’s be realistic. Most website visitors know these legal documents exist and probably are going to ignore them.
It’s unlikely more than 1% of your visitors are going to hang out and read all of the legalese. Yet you want it clearly available to everyone to read, including any government agencies employees who are checking up on how you do business online. Some of these government workers may even become your customers as part of investigating your business practices.
Q: What about making changes to a website’s privacy policy?
A: Your policy should address how updates will be made, when modifications will go into effect, and how users will be notified of these alterations. This gives them the opportunity to decide whether or not to continue using your site once the modifications are effective.
It’s common to email your subscribers and post a notice for a brief period of time on a site (e.g. a pop-up bar) to inform visitors the privacy policy has new terms with the opportunity to learn more about what’s different.
Related Professional Services Fees
Q: What if a website owner doesn’t have the budget for paying an experienced Internet lawyer to prepare a customized privacy policy?
A: As a practical matter, it’s usually a matter of misplaced priorities rather than a lack of funds. For example, it’s common for the Internet entrepreneur crying poverty when it comes to investing in legal protection to have bought the latest model cell phone, new computer, etc.
Now if you have the budget, make the investment to get customized documents prepared by an experienced Internet lawyer. For example, our firm offers a Website Legal Protection Package for a flat fee.
