Website operators should always post a privacy and/or communications policy on their website if the website gathers any type of personal contact or identifying information from website visitors and/or customers. This applies even to websites that collect only email addresses. Personal information generally includes contact information such as a visitor’s physical address, phone number or email address, and identifying information such as first and last names, social security number, etc. If your website conducts sales of goods, you will almost undoubtedly be collecting this type of information.
Additionally, registration on your website, and the information your website collects to process a transaction or support some feature, will result in collecting personal information. Collection of passive usage information about how visitors use and interact with a website should also be disclosed, especially if this information is then combined with personally identifying information.
- When your website collects information. Your website may collect information upon registration, or when any of your visitors order a product. But how else will it collect information? Other collection of data may occur through collection of website traffic and aggregate usage data: for instance, the date and time a user visits your site, the Internet Protocol (IP) address from which your website was accessed, the webpages visited, the duration on each page, the type of browser and operating system used to access your site, etc. Information may also be collected through correspondence such as emails, faxes or phone calls with your business. Collection of information also occurs through credit card processing or other third-party applications accessed through your website;
- The information your website actually collects. What personal information will your website collect? You should use OPPA as your guide in defining and determining this information;
- How your business will use the personal information. You need to disclose exactly how your business intends to use any data or information it collects. Don’t leave anything out. If you don’t distribute any information, but will store it in some customer contact database, disclose this. Similarly, facilitation of product purchases or collection for future promotions should be disclosed in your policy;
- The information that is disclosed or provided to third parties. You must determine all the possible ways you will disclose the personal information you collect from your visitors. These include information provided during the shipping process, to credit card merchants and banks, and to your host or ISP through operation of the website, etc. You should disclose all of this even if you don’t intend to distribute information to third parties;
FTC Rulings Establish Guidelines
- Disclose Exactly How Your Website Treats Personal Information. I touched upon this earlier. You must disclose all the ways you intend to, or will, disclose the personal information you collect. This is really the key lesson to be taken away from the FTC’s existing enforcement actions. If your stated purpose is only to provide information to one party, but you disclose it to third-party marketers as well, you must absolutely disclose this. If you collect information by accessing the personal information held by third-party sites through some service arrangement or software application you provide, failing to disclose this is also deceptive;
- Have Security Measures in Place. In a nutshell, you need to protect your customers’ and visitors’ personal information. The FTC has also stated that misleading express or implied statements about website security are prohibited. According to the FTC in one of its administrative decisions, your website must implement and document procedures that are reasonable and appropriate to: (1) prevent possible unauthorized access to your system; (2) detect possible unauthorized access to the system; (3) monitor the system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations.
In subsequent cases, the FTC added to its definition of what constitutes “reasonable and appropriate security” measures. The FTC added requirements that companies (i) should not store sensitive information for unnecessarily long periods of time or in a vulnerable (i.e., non-encrypted) format; (ii) must use strong passwords to prevent a hacker from gaining control over computers and access to personal information stored on a network; (iii) must use readily available security measures to limit access between computers on the network and between the network and the internet; and (iv) must employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.