Why your website needs a good privacy policy

When designing a website or considering your website’s compliance with various federal and state laws, the question of whether a privacy policy is really necessary may arise. Certainly, most websites today have privacy policies, but they vary in scope, content, and protections for the website user and the website owner.

First, answer a few questions to determine the applicability of a privacy policy to your website:

  • Is your website an information-only site? Is reading the site the only way for users to interact with it?
  • Can users register for an account on your website? Can they submit their email address to receive updates?
  • Do you have a shopping cart or a donation platform?
  • Do you or your website host track visitors to the website, whether automatically or intentionally?

If the answer to any of the above questions is “yes,” your website needs a privacy policy. Virtually all website host platforms track website visitors’ Internet protocol (IP) addresses, and most websites track more information than IP addresses. Any website that tracks personal information of any kind should have a privacy policy to inform users what it does with their information and to protect the website’s owner in the event of a dispute.

The only current federal law requiring websites to have privacy policies concerns businesses that target children under the age of 13 or collect personal information from them online (Children’s Online Privacy Protection Act). However, websites that attract visitors from different states must comply with the requirements of those states, whether those states require a privacy policy or require certain content within the privacy policy. Often, website owners must comply with the law in the state that has the most stringent guidelines, because most sites are virtually guaranteed to receive visitors from almost all states.

For example, California requires operators of commercial websites or online services that collect personal information on California residents through a website to conspicuously post a privacy policy on the site and to comply with its policy (California Business and Professions Code §§ 22575-22578). The privacy policy must identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information, among other requirements.

While virtually all websites collect information about visitors, even if the visitors are not identified by name or contact information, certain states create a higher bar of disclosure for sites that collect particularly sensitive information. Connecticut law, for example, requires any person who collects Social Security numbers in the course of business to create a privacy protection policy that must be “publicly displayed” on a Web page and must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers (Conn. Gen. Stat. § 42-471). Companies involved in highly regulated industries such as academia, health care, or the financial industry may also have stringent federal or state requirements that must be disclosed in privacy policies and other places, both online and offline.

Privacy policies should also govern third-party access to personal information. California and Utah require all nonfinancial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation (Cal. Civil Code §§ 1798.83 to .84 and Utah Code §§ 13-37-101, -102, -201, -202, -203). Under the California law, businesses may post a privacy statement that gives customers the opportunity to choose not to share information at no cost. California also requires the website operator to disclose whether third parties are or may be conducting any tracking activities on the operator’s site or service (Calif. Bus. & Prof. Code § 22575).

While certain information is required to be included in a privacy policy, other information is highly advisable to include. For instance, website owners may want to tell users how the website uses the information it collects and whether the business reserves the right to change the policy. It’s also a good idea to notify them of the lack of privacy if they choose to post anything to message boards or other interactive features of the website, among other content.

Obtaining user consent to privacy policies

If the website has an online store where users can purchase items or has the ability to register users, these functionalities should require the user to accept the privacy policy and other policies that govern use of the website before the user can proceed with the transaction. The goal for a website owner is to make it impossible for the user to send personal information through registering on or buying a product from the website without approving the terms as they apply to him or her.

Aside from those functionalities, for simpler sites, as long as the Privacy Policy and Terms of Use are posted in a conspicuous manner (specifically, in contrasting text on the homepage), the website owner has complied with his or her duty to post the policies. Typically, website privacy policies also contain a provision stating that by using the website, the user consents to the privacy policy, as insurance to protect the website owner in the event of a dispute.

Ariane C. Strombom is an attorney with Whyte Hirschboeck Dudek S.C., where she practices technology, corporate, and health care law. She can be reached at astrombom@whdlaw.com.
