What Should Your Website Privacy Policy Say?

Think of your privacy policy as a disclosure statement for your website visitors. In order not to be misleading or deceptive, you need to disclose each specific practice or policy regarding the collection, use and dissemination or disclosure of all personal information. So, you need to know how and what information your website will collect.

In the most basic sense, you need to understand exactly how your business collects data, how it uses that information and how it shares or distributes it so your privacy policy can be accurate and not misleading. If you don’t understand how your business discloses or uses information, you obviously won’t inform your website visitors. This, in turn, could be considered deceptive. Unfortunately, most websites copy privacy policies they find on other sites. Copying another privacy policy may describe the practices of some other website, but may not describe your policies. This may be deceptive in of itself since it misleads your visitors.

Website operators should always post a privacy and/or communications policy on their website if the website gathers any type of personal contact or identifying information from website visitors and/or customers. This applies to websites that collect only email addresses. Personal information generally includes contact information such as a visitor’s physical address, phone number or email address and identifying information such as first and last names, social security number, etc. If your website conducts sales of goods, you will almost undoubtedly be collecting this type of information.

Additionally, registration with your website and/or the information your website collects to process a transaction or interact with some feature will result in collecting personal information. Collecting passive use information about how website visitors use and interact with a website should also be disclosed, especially if this information is then bundled with personally identifying information.

Simply because you do not plan on disseminating this information to third parties does NOT mean you should ignore having a privacy policy on your website.

Many websites use California’s Online Privacy Protection Act (“OPPA”) requirements as guidelines in drafting their privacy policies. You should use these basic requirements as the framework for your website’s privacy policy since they are well defined. Disclosing exactly how and when you collect personal information and when you distribute or disclose it will determine how to fill in the remainder of the policy avoid liability under the FTC Act and any other applicable state law.

When drafting your privacy policy, you should always disclose the following:


    • When your website collects information. Your website may collect information upon registration with your website, or when any of your visitors order a product. But, how else will it collect information? Other collection of data may occur through collection of website traffic and aggregate usage data. For instance, the date and time a user visits your site, the (IP) address from which your website was accessed, the webpages visited, duration on each page, the type of browser and operating system used to access your site, etc. Information may also be collected through correspondences such as through emails, faxes or phone calls with your business. Collection of information also occurs through credit card processing or other third party applications accessed through your website;


    • The information your website actually collects. What personal information will your website collect? You should use OPPA as your guide in defining and determining this information;


    • How your business will use the personal information. You need to disclose exactly how your business intends to use any data or information it collects. Don’t leave anything out. If you don’t distribute any information, but will store it in some customer contact database, disclose this. Similarly, facilitation of product purchases or collection for future promotions should be disclosed in your policy;


    • The information that is disclosed or provided to third parties. You must determine all the possible ways you will disclose your visitors personal information you collect. These will include information provided during the shipping process, to credit card merchants and banks, your host or ISP through operation of the website, etc. You should disclose all of this even if you don’t intend on distributing information to third parties;


  • Will you use cookies or any type of tracking device? This should be clearly disclosed to website visitors and agreed to beforehand. Also, if you use “third-party cookies” (i.e. using a third party such as Google Analytics that passes cookies directly to your website visitors’ browsers) this should now also be disclosed.


FTC Rulings Establish Guidelines

You should use the lessons learned from previous FTC enforcement actions to complete the rest of your privacy policy. Here is a quick summary of those lessons:

-Always Follow Your Privacy Policy. If you make statements that you won’t distribute your visitors personal information or that “all information you provide will remain anonymous” you better follow those statements. If you don’t do what you say, your business will be in violation of the FTC Act. Pretty simple concept-if you lie, you are in violation of the FTC Act and potentially OPPA and maybe other state laws; e poe tegemine

-Disclose Exactly How Your Website Treats Personal Information. I touched upon this earlier. You must disclose all the ways you intend or will disclose personal information you collect. This is really a key lesson to be taken away from the FTC’s existing enforcement actions. If your object is only to provide information to one party, but you disclose it to third party marketers also, you must absolutely disclose this. If you collect information by accessing the personal information of third party sites through some service arrangement or software application you provide, this is also deceptive;

-Have Security Measures in Place. In a nutshell, you need to protect your customers and visitors personal information. The FTC has also stated that misleading express or implied statements about website security is prohibited. According to the FTC in one of their administrative decisions, your website must implement and document procedures that are reasonable and appropriate to: (1) prevent possible unauthorized access to your system (2) detect possible unauthorized access to the system; (3) monitor the system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations.

In subsequent cases, the FTC added to its definition of what constitutes “reasonable and appropriate security” measures. The FTC added requirements that (i) companies should not store sensitive information for unnecessarily long periods of time or in a vulnerable (i.e., non-encrypted) format, (ii) must use strong passwords to prevent a hacker from gaining control over computers and access to personal information stored on a network, (iii) must use readily available security measures to limit access between computers on its network and with the internet; and (iv) must employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.”

-Proper Training and Oversight is Required. Inadequate training and oversight of the personnel who will implement your privacy policy is a reasonable step your business must take, according to the FTC.

-Don’t Change Your Policy After the Fact. You cannot retroactively change your privacy policies to the detriment of consumers. If you began to disclose or sell personal information provided by your visitors without seeking or receiving their consent, your business will be violating the law. Your business must take additional steps to alert customers that it has changed its policy to permit third-party sharing of personal information without explicit consent. The FTC has complained that the retroactive application of privacy policy changes “caused or is likely to cause substantial injury to consumers.” The FTC says you should provide additional notice when your privacy policy has materially changed and what aspects of the policy have changed. Any time you do, you must obtain the consent of your customers who have previously provided personal information.


Leave a Reply

Your email address will not be published. Required fields are marked *