General Information About Website Privacy Policies
A: It’s the legal document that describes the website owner’s policy with respect to the privacy rights of site visitors.
These rights may be multi-tiered.
For example, a website visitor may have different rights and responsibilities than a paying customer with access to a restricted membership area.
Related Article: 5 Warning Signs You’re Using The Wrong Website Legal Documents
On the other hand, the lack of a policy (or a poorly drafted one) creates suspicion the website owner is dishonest or an amateur treating the site like a hobby.
Q: Are privacy policies required?
A: Although not all jurisdictions require websites to have privacy policies, some countries and states do. Of particular concern to many business website owners is the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The problem with this is that most sites do not restrict access by geographic location. Even if you tried to restrict by country, visitors from the banned locations could still access your site using a virtual private network (VPN).
This means that if you’ve got a site with visitors from another state or country that requires sites have privacy policies, you have potential liability issues even if the location(s) where your site is based and hosted do not have such requirements.
Even if you win, it’s costly to defend against a lawsuit by a state’s attorney general or a consumer protection lawyer who attempts to get a class action certified against you as site owner for violating privacy laws you may not have even known existed.
Q: Can I save money by writing my own policy from scratch?
A: Probably not. Imagine you broke your arm with a compound fracture. The bone has pierced the skin.
Would you try to stop the bleeding, stitch up the wound, and set the bone at home with a do-it-yourself cast to save a trip to the emergency room? Chances are you’d end up spending a fortune later in medical bills trying to save the arm from amputation.
The same principle applies to legal issues like online privacy rights. It’s penny-wise and pound-foolish to cut corners here pretending to be an experienced Internet business lawyer.
Q: What if I just “borrow” policy provisions I like from a big company’s website like Google or Amazon?
A: First, that’s intellectual property theft, which can lead to a copyright infringement lawsuit or at least a cease-and-desist demand letter from some unhappy corporate attorneys representing the owner you stole from.
Related Article: 7 Keys to Picking the Right Internet Lawyer
Different Kinds of Privacy Rights
Q: Why are there different types of privacy rights?
A: There are many legal variables at play in e-commerce. For example, the law treats website visitors very differently depending upon their ages.
Visitors who are at least 18 years old have minimal protection under the law because they’re generally treated as adults. Minors who are 13 to 17 years old have some legal safeguards under the law that are unavailable to adults.
Of course, the most protected privacy rights by law are those of children who are 12 years of age or younger. The federal Children’s Online Privacy Protection Act (COPPA) is a complex beast to comply with even if you’re an experienced attorney.
Related Article: Amazon Associates’ Child Directed Policy, COPPA, and Your Website
And it’s important to note your view of who your website visitors are may be different from that of the Federal Trade Commission (FTC) or a state attorney general’s consumer protection office when trying to protect minors.
There have been companies that thought their target market was college students only to learn the hard way website visitors supplying information were actually pre-teens. This is not the position you want to be in from a liability standpoint.
A: Yes. For many websites, it’s not much of an issue because the information being collected is rather mundane, such as the length of a visit to a particular web page. A lot of this type of data is collected and reviewed in the aggregate rather than at the individual user level.
However, there is information collected that receives additional protection in the United States, Canada, and other countries. For instance, some personal information can be used to identify or track an individual visitor.
This class of personal data is commonly referred to as sensitive personal information (SPI) or personally identifiable information (PII). The additional requirements for PII often control collection, storage, and use of such data because of how easily it can be abused to commit identity fraud, stalk people, and serve other illegal purposes.
Q: Can you give me some examples of SPI/PII?
A: Sure. Although it varies by jurisdiction, data such as a visitor’s full name, credit card number, and home address are commonly protected sensitive personal information. However, there are truly gray areas where there’s no real consensus on whether the data should enjoy such protection. For example, a person’s gender, zip code, and criminal record may or may not be considered PII.
And sometimes it’s a combination of two different pieces of information that becomes SPI when each part by itself is not. For example, “J. Smith” by itself may not be personally identifiable information. However, if the website collects this data and the name of Smith’s employer, together the data may constitute PII.
Q: So as a website owner, I’ve got additional responsibilities for protecting sensitive personal information that can be used to identify individual visitors?
A: Yes. However, you also should consider how your visitors treat each other’s PII too.
Q: What do you mean by that?
A: If your site allows visitors to post information (such as blog comments or forum posts), invariably someone will reveal personally identifiable information about themselves in the content they post even though they really shouldn’t do so. You want to make it clear in your policy that other visitors who read such PII can’t abuse it. This means you’ll want to prohibit or severely limit the circumstances under which they can use such information without the proper consent(s) to do so.
Q: This sounds complicated. Are there more types of private information that get protected?
A: Yes, primarily data pertaining to a visitor’s health. In the United States, there are complex rules affecting website privacy promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009. These laws and rules are particularly important to professional healthcare providers (e.g. doctors and dentists) when it comes to protecting patient privacy.
Why Transparency is Essential
Equally important for gaining visitor trust is to state what you are not doing with the information collected. For example, if you are not selling or otherwise sharing data with third parties, let visitors know that.
Related Article: 5 Business Website Disclosures And Disclaimers
A: Because you want to give the visitor enough data to make an informed choice about using your site (or deciding not to use it). And for some jurisdictions, even that’s not enough.
Q: How long should I retain visitor data I capture on my site?
A: The answer depends upon applicable law, the type of data collected, and your relationship with the visitor. For example, there’s certain information you’ll want to have that a customer provides you if there’s ever a breach of contract lawsuit regarding goods or services you provided.
The statute of limitations for bringing such a lawsuit may make it necessary for you to keep that information longer than you otherwise would if the same data was supplied to you by a visitor who is not a customer.
The key here (particularly with PII) is to keep the information only as long as you really need it.
Information Security Risks
Q: Why not keep the data forever just in case you might need it someday?
A: The longer you keep such information, the greater the risk hackers or a government agency spying online will access and misuse the data. Keep it as long as needed for legitimate business and legal reasons but no longer.
How do you handle do-not-track requests? Interest-based advertising from ads served on your site by third parties? Remarketing tags/pixels and tracking cookies?
What about opting out from such tracking and interest-based advertising? Will you provide visitors with options to do so within the policy itself by following simple instructions?
Site Log-in Information
If your site permits visitors or customers to log in for access to parts of the site restricted from the general public, how are user names and passwords to be handled? Who is responsible under your policy for protecting the privacy of this information?
Privacy and Email Marketing
If a visitor can opt into an email list you have via your website, you should explain the privacy rights related to use of their email address.
Will you self-host the list or use a reputable third party autoresponder service?
Are you using co-registration? Co-reg means a visitor providing an email address is opting into multiple lists, and often these lists are owned by more than just the website owner. This is particularly common in joint ventures and in lead generation (lead gen) marketing.
Will a visitor be required to confirm his subscription to the list or is simply entering an email address enough to join it? How can a subscriber unsubscribe from the list?
Related Article: How to Avoid Spamming with Your Emails
What if a visitor posts his email address on your site (e.g. in blog comments)? How should that email be treated by other site users? Should the information be protected? Is there a reasonable expectation of privacy? Or can others who see it email the person directly?
Privacy Policies Versus Other Website Legal Documents
A: Although it’s possible to lump them all together, as a practical matter standard practice for liability and other reasons is to split these out into separate documents linked to in your website’s footer.
A: That’s a bad idea if you want these legal documents to provide you with protection. Many visitors are also savvy enough to understand what you’re doing with fine print. It smacks of dishonesty.
Related Article: How to Make Effective Internet Advertising Disclosures
The FTC and other government agencies dislike what they consider to be deceptive trade practices. Consumer protection lawyers make a lot of money suing over such deception.
Look at how the major websites do it. Some of the most successful retailers online all link clearly to their privacy policies without it adversely affecting sales conversions.
Let’s be realistic. Most website visitors know these legal documents exist and probably are going to ignore them.
It’s unlikely more than 1% of your visitors are going to hang out and read all of the legalese. Yet you want it clearly available to everyone to read, including any government agency employees who are checking up on how you do business online. Some of these government workers may even become your customers as part of investigating your business practices.
A: Your policy should address how updates will be made, when modifications will go into effect, and how users will be notified of these alterations. This gives them the opportunity to decide whether or not to continue using your site once the modifications are effective.
Related Professional Services Fees
A: As a practical matter, it’s usually a matter of misplaced priorities rather than a lack of funds. For example, it’s common for the Internet entrepreneur crying poverty when it comes to investing in legal protection to have bought the latest model cell phone, new computer, etc.
However, there are some website owners (e.g. bootstrapped startups) who are truly on a tight budget but need protection. One possible solution for many sites is Website Legal Forms Generator software.
Of course, if you have the funds, make the investment to get customized documents prepared by an experienced Internet lawyer. For example, our firm offers a Website Legal Protection Package for a flat fee.