There are no comprehensive federal laws concerning privacy policies; however, laws you should be cognizant of when drafting your policy are unfair and deceptive trade practice acts (at both the federal and state level, all of which have broadly similar language), as well as COPPA, the Children’s Online Privacy Protection Act, which requires sites to obtain verifiable parental consent before collecting the personal information of minors under the age of 13. In practice, obtaining verifiable parental consent is tricky, so most sites simply have users certify that they are 13 or older. Finally, there may be industry-specific laws governing privacy policies for the particular industry in which your startup operates; for example, in the financial or healthcare industries.
– Collection of information
This section should describe what information you collect from the user, whether the information you collect is personal or anonymous, how you collect the information (cookies, log data, etc.), who you collect the information from (e.g., the user themselves, or when they connect to third-party partners such as Facebook), and if and how the user can control what information is collected (usually by going to their account settings).
– Use of information
Most importantly, in this section you need to explain why you collect each kind of information; for traffic information such as cookies or log data, it is usually enough to explain that you use such information to monitor, customize, and improve your service, although if you use such information for other purposes, say so. You should also explain in this section where you send user information to be processed or stored — though U.S. startups will usually keep information in the U.S., some third-party service providers may be located overseas, and this possibility must be noted. Finally, you should also explain what steps you take to secure user information, even if it’s just to point out that you use commercially reasonable means (if you use hosting providers or the like, you may not know what specific measures they take to secure data).
– Sharing of information
Here you should describe who you share user information with, and whether you require the user’s consent to share particular types of information with particular parties. In particular, you should note what information you share with third parties, as well as what happens in the event there is a change in ownership of the company (usually by acquisition — a very real proposition for startups!).
– Changes to the policy
Finally, you should detail your right to change the policy and the user’s rights when it changes — generally, most companies reserve the unlimited right to change the policy, with notice going to the user if there is a material change (what counts as material is left to the sole discretion of the company). You should also give users a means to contact you with questions and issues regarding privacy. You can also cover issues such as severability, termination, and integration here.
Off-topic Note: The First Venture Legal Blog will be on Thanksgiving break this Friday; however, we’ll be back with a new article next Tuesday, November 27th!