You finally created your website.
- Did you include eye-catching graphics? Check.
- Did you include an attention-grabbing banner slogan?
- Did you post all of your social media handles?
- Did you include a privacy policy for the website? Maybe…
We get questions from clients about whether they are required to include a privacy policy and, if so, what should it say. The answers may surprise you, but a privacy policy should definitely not be an afterthought for website owners. It certainly isn’t a best practice to simply copy and paste the privacy policy of another’s company’s website. The representations made in website privacy policies may subject website owners to legal risk, so thought and consideration is critical.
We generally convey one broad message when it comes to a published privacy policy – “Say what you do, and do what you say.”
Why is a Website Privacy Policy Important?
First, there is no over-arching law that dictates that any particular website must include a privacy policy, or the terms that such a policy should include. If your website is merely passive, and not collecting any data, you may not need a privacy policy at all. Certain states have passed laws requiring website privacy policies, but the few state laws that exist are very different. But California is one such state, and it’s a rare commercial website owner that is not hoping that it will capture the attention of consumers in the country’s most populace state. Regardless of where the server running your website is located, a website owner will want to make sure that it does not fun afoul of the few state statutes that exist.
Second, certain industries such as banking, healthcare, and companies marketing to children are required to comply with specific data and privacy laws and regulations may at least obliquely address public statements that are made about privacy and data security practices.
Third, including a website privacy policy is an opportunity to convey a branding message, i.e., commitment to privacy, or dedication to consumer interests.
The Critical Elements of a Privacy Policy
The most crucial element of a website privacy policy is that it must be accurate and reflect the website owner’s actual practices. This is why simply copying the privacy policy of another website is ill-advised, as third party policies may not reflect the website owner’s actual practices and procedures.
A website privacy policy should disclose the website owner’s practices for the collection, dissemination, and use of personally identifying information or PII. The policy should also negate privacy expectations from users or consumers that may lead to state action, litigation, or enforcement proceedings by the Federal Trade Commission. No electronic system for the collection or storage of PII is impenetrable. So, don’t over promise. On the other hand, don’t be cavalier.
The FTC, which under Section 5 of the Federal Trade Commission Act has the power police deceptive and unfair trade practices, assesses website privacy policies through the lens of consumer expectations. Along these lines, absolute statements such as “we never share your information with anyone” are not considered a best practice. Alternatively, ambiguity about practices regarding certain categories of information is not advisable. The FTC previously provided guidance stating that website privacy policies should provide “clear” and “prominent” notice to consumers regarding a website owner’s collection and use of PII, including but not limited to:
- The specific elements of information collected, (i.e., name, addresses, email addresses, etc.);
- The intended use;
- The third parties to whom such collected information is disclosed;
- A consumer’s ability to access such information and the method to obtain such access;
- A consumer’s ability to remove such information from a website’s databases and the manner in which this may be accomplished; and
- Procedures to delete PII from the website owner’s company databases and any limitations to such deletion.
The best practice for any published privacy policy is to disclose a website’s collection and storage practices, as well as the anticipated use and dissemination of the information. Like we said, “Say what you do.”
Information Disclosures
A website privacy policy should elaborate on the circumstances under which PII is disclosed to third parties, including subpoenas and court orders. At the same time, a website owner should make sure that restrictions on information are not so strict that disclosures cannot be made to lawyers or consultants, including in the event of litigation. If a website includes PII licensed or acquired from third parties, the website owner should review pertinent agreements associated with such information to assess the limits of use and re-use of this data.
Website privacy policies should disclose collection practices that are both apparent and non-apparent. An apparent collection practice may involve information collected from consumers in response to an online form that requests PII. A non-apparent collection practice includes information that is automatically collected through the operation of a website. Along these lines, a website should disclose how the company utilizes cookies, web beacons, and other tools that may gather PII and non-PII, what information is collected, and how this information is used. Remember, “do what you say.”
Style and Tone of Website Privacy Policies
The representations in a website privacy policy mold consumer expectations. Thus, website privacy policies should be accurate and thorough in conveying the nature of information collected, disclosed, and disseminated. Website privacy policies should not rely upon jargon and should not be overly long. Furthermore, website privacy policies should be written clearly with headings that address the specific topics discussed.
The Takeaway: Concealing substance in a website privacy policy through confusing jargon or omitting information to misrepresent the nature of information collection, dissemination, and use are not only bad practices, such activity may subject a website owner to litigation, an FTC enforcement action, or both. Likewise, displaying excessively long website policies that are not likely to be read or discerned by consumers poses a similar risk. When it comes to website privacy policies, website owners should focus on accuracy, thoroughness, clarity, and brevity.
“Say what you do, and do what you say.”
Janet Cho,janet.cho@leclairryan.com