Do I Need a Privacy Policy?: When Websites Are Required to Post Privacy Policies
Digital media law update: I recently attended a panel discussion on digital media law, and was surprised when the panel members were unable to cite to statutes or other authority requiring the posting of privacy policies for websites. In fact, a number of international, federal and state regulations require the creation and posting of privacy policies. Here is a list of some of the more important rules:
State privacy policy laws:
• California
The most broad-reaching privacy policy law is California's Online Privacy Protection Act (OPPA). See California Business & Professions Code § 22575-79. OPPA requires all operators of websites or online services that collect "personally identifiable information" about California consumers to post a privacy policy on their websites. While the Act ostensibly only applies to websites that collect information about California residents, it effectively reaches any website that collects information on a national scale -- because it is impractical (and undesirable) to screen out California residents.
OPPA's definition of personally identifiable information (termed "PII") is very broad and includes such things as the person's first and last name, address, email address, telephone number, social security number, any other identifier that permits the person to be contacted, and any other information about the person that is collected along with such PII. So if your website asks users to do something as simple as provide their name and email address, you are required to create and post a privacy policy. Cal. Bus. & Prof. Code § 22577.
The statute requires three "policy" elements to be included in a privacy policy: (i) identification of the categories of PII collected and the third parties with whom this PII may be shared, (ii) a description of the website's process, if any, by which a person may review and make changes to his PII, and (iii) a description of the process by which the website notifies consumers of material changes to its privacy policy. Cal. Bus. & Prof. Code § 22575.
The privacy policy must be conspicuously posted on the home page, on the first significant page after home page, or via a hyperlink that boldly includes the word "privacy." Cal. Bus. & Prof. Code § 22577.
• Texas
Texas Business & Commerce Code § 501.052 provides that if a business requires an individual to disclose his social security number to obtain goods or services, then it must adopt a privacy policy and make it available to the public.
The privacy policy must provide that the individual's social security number will be maintained privately and securely. In addition, the policy must disclose how personal information is collected and used, who has access to the personal information, and the method of disposal of the personal information. By its nature, this statute applies to website operators as well as non-web-based businesses.
Federal privacy policies
• The Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6504-06
COPPA requires all operators of websites that are directed toward children under age 13 or who knowingly collect PII from children under age 13 to create and post a notice regarding the collection and use of that information. "Collecting information" includes specific requests that children submit information, enabling children to make PII available in a chat room or social networking page, or the passive tracking of children using cookies.
COPPA defines "PII" more or less as the term is defined under California's OPPA. However, the COPPA definition also includes information about a child's parents that is combined with other PII.
The privacy notice must include: (i) the name and contact information of all operators collecting or maintaining the PII, (ii) the types of information collected and how the information is being used, (iii) whether the information is being disclosed to third parties, and (iv) a number of other required statements. See 16 CFR § 312.4. A hyperlink to the notice must be placed at every place where PII is collected from children, and in a "clear and prominent place and manner" on the site's homepage. 16 CFR § 312.4.
Note: as we have previously written, COPPA has a very broad reach. Just because you don't intend children to use your website or provide PII on it does not mean that COPPA does not apply to you. The FTC enforces even unwitting breaches of COPPA.
• Gramm-Leach-Bliley (GLB), 15 U.S.C. § 6801-09
GLB and its related implementing regulations are very detailed. However, in general, GLB requires financial institutions to provide notice to consumers about their privacy policies. This notice must be given when an individual first becomes a customer of the institution or before information about the consumer is disclosed to a third party.
A customer relationship can be established very easily -- such as when a consumer provides any PII in an attempt to get a loan. The term PII is defined extremely broadly to include any information that a consumer provides to obtain a financial product or service or that the institution otherwise gathers about the consumer.
The privacy notice must be given "clearly and conspicuously." If the notice is given on a web page, the notice must be designed to call attention to its significance. The FTC also encourages that the notice or a link to the notice be placed on a screen that consumers access frequently. 13 C.F.R. § 313.3.
• Other federal laws
Privacy policies are also required by other federal laws, including the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. § 1232g) and the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d).
International privacy policies
• U.S. Safe Harbor for Transmission of Data from the European Union
The U.S. Department of Commerce developed a safe harbor scheme to permit the transfer of personal data from E.U. countries. To qualify for this safe harbor, a U.S. business must create a privacy policy statement. This statement must comply with seven "Privacy Principles." These rules are generally much more restrictive about data use than comparable U.S. laws.
These Principles include a principle called "notice." The notice requirement means that individuals must be informed about what information is being collected about them and the purpose for which it is being used, the types of third parties to whom the information is being disclosed, and the individual's choices about limiting such disclosures. This notice must be provided in "clear and conspicuous" language when individuals are first asked to provide personal information, and whenever it is being used for some purpose other than that for which it was originally gathered.
What these rules mean for your websites
There is a well-established, and growing, body of state, federal and international regulations that require businesses -- whether on-line or brick and mortar -- to create and post privacy policies concerning data they gather from individuals. If you are operating an interactive website of any significance, it is highly likely that one or more of these many regulations will apply to you.
A website can't comply with these rules simply by copying the privacy policy from another site. The required disclosures are all website-specific. They depend on such things as the types of information gathered and how the website uses it. These factors vary greatly from site to site.
The FTC considers deviations from posted privacy policies to be deceptive business practices and regularly brings enforcement actions against website operators who deviate from their stated privacy policies. See, e.g., FTC, In re Geocities, Docket No. C-3850. These actions have even been brought after firms publicly announced a change in a privacy policy, if the website operator applied the change to pre-existing user data.
Developing a privacy policy requires careful planning. A privacy policy needs to identify the types of information being collected and how this information is being used. It also needs to take into account how the website operator might wish to use this information in the future.
You spend a lot of money creating your website and obtaining consumer responses. Take the time up front to create a privacy policy that will ensure that you get the maximum value from your efforts.
David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.
