Five Fun Friday Facts about Privacy Policies

For your Friday morning, here are five facts about privacy policies that you may not have already known:

1) Privacy policies might not be necessary — Technically, not every website or online business needs a privacy policy. With certain industry exceptions (discussed below), a website needs to have a privacy policy only if it actually collects information from users — the policy should inform users what information is being collected, how it is being used, and how it is being protected. However, for practical reasons discussed below, most web companies should post privacy policies.

2) If you deviate from your policy, it may be a breach of contract — Simply by posting a privacy policy, a website becomes subject to Federal Trade Commission regulation, since the FTC considers privacy policies “advertising”. As advertising, privacy policies could be interpreted as part of the “basis of the bargain” between the website and the user; having users click to agree to the policy upon arriving at the site or upon account signup creates an agreement more definitively. Failure to adhere to the policy afterwards can be construed as a breach of contract. Generally, a website’s privacy policy should include a clause that grants the website owner the right to amend the policy unilaterally, so that before a website changes its operating procedures it can amend its privacy policy accordingly.

3) Certain industries are *required* to have privacy policies — Websites in certain industries or with certain focuses are required to have privacy policies under all circumstances — banking/financial websites, health-related websites, and websites directed to children under the age of 13.

Banking and financial websites are governed by the Gramm-Leach-Bliley Act. Websites must publish annual notices of their privacy policies and give users the ability to control who their information is shared with, in addition to stricter security requirements for protection of users’ data.

Health-related companies must comply with the Health Insurance Portability and Accountability Act. The spectrum of health-related companies now includes not only healthcare providers, but also web companies that provide services to healthcare providers.

Finally, websites that collect information from children under the age of 13 must comply with the Children’s Online Privacy Protection Act, which prohibits sites from collecting or disclosing information collected from children under the age of 13 without verifiable parental consent (the standards for verifiable parental consent have recently become more strict). Even if a site doesn’t collect or disclose information from children under the age of 13, its privacy policy should explicitly state so (including methods to prevent children from transmitting their information to the site) in addition to giving parents the ability to have their children’s information deleted in the event it is found to have inadvertently been collected by the site.

4) In addition to federal privacy laws, every state has its own set of laws — In addition to federal laws and regulations governing privacy, each state may have its own set of laws that govern both web companies based within the state and the collection of information from the state’s residents (whether or not the company is actually based in the state). For example, California (which is regarded as having the strictest laws) requires app developers that collect information from California residents to have a privacy policy. Since many websites and apps have a national focus, as a practical matter most companies that collect information from users will need to include a privacy policy on their website or app.

5) The E.U. has its own privacy laws that companies must comply with or face fines — The European Union is considered to have stricter privacy laws than the U.S. In particular, any company anywhere in the world that transfers user data out of the E.U. needs to comply with the E.U. Data Directive; however, U.S. companies have the benefit of the Safe Harbor Program set up by the Department of Commerce, which the E.U. considers an acceptable substitute for its Data Directive. U.S. websites and apps that collect information from E.U. citizens should ensure that their privacy policies comply with the Safe Harbor Program.
