If your business maintains a website, chances are it’s legally required to contain and disclose a standard privacy policy. While there is no single federal law protecting consumer data, several laws (such as the Computer Fraud & Abuse Act) require a standard privacy policy if your website collects, or has the ability to collect, any personally identifying information (PII) about website visitors.
Data has become a commodity that’s worth a lot of money to marketers, advertisers, and businesses. As far as the law is concerned, if you’re going to collect (and possibly sell) PII, the people you’re collecting it from have a right to know.
Although it can be tempting to simply pull a standard privacy policy off the web, you need to give your policy’s wording careful thought before you post it. In this article, I’ve listed the top five considerations to focus on when drafting your company’s standard privacy policy.
1. What PII You Collect and How It’s Stored
First and foremost, your standard privacy policy needs to clearly state what type of PII you collect and how or where that information is stored. PII encompasses any data that could be used to identify an individual website visitor, such as:
- Social security number
- Credit card number
- Mailing address
- Billing address
- First and last name
- Telephone number
- Email address
After your site collects any of these pieces of information, is it kept on a secure server? Is it maintained in a credit card processing system? You need to inform consumers of that process so they can decide for themselves whether the information they’ve provided to you is secure enough for them—or whether they want to supply it at all.
2. Whether and How You Share PII
Your standard privacy policy should also include information about how PII will be used. Some common uses of PII include:
- Communications with customers to follow up on their orders
- Announcements or advertisements, such as email blasts or Facebook ads
- Sales to third parties
How to use the PII you collect is up to you (within legal limits, of course). No matter what you decide, however, you must inform your website visitors of your plans.
3. Handling the PII of Minors
Generally speaking, the law tends to be highly protective of minors, and regulations on collecting PII from this population are no exception. Although laws vary from state to state and country to country, they typically require that minors be given the opportunity to request removal of their PII from your database.
4. Compliance with Policies Such as GDPR and CalOPPA
One of the biggest reasons to seek an attorney when preparing a standard privacy policy is the myriad of international, state, federal, and local laws and regulations that impact the language you need to use.
For example, if your business is operating in California, you’ll need to comply with the California Online Privacy Protection Act (CalOPPA). In addition to the aforementioned opt-out protection for minors, CalOPPA requires that websites collecting PII provide a conspicuous link to the site’s standard privacy policy. It also delineates specific clauses that must be included within that policy.
Depending on the reach of your business, your standard privacy policy may also need to comply with the General Data Protection Regulation (GDPR), which provides standards for handling and protecting data throughout the European Union. Note that GDPR applies to EU citizens even if they’re residing in the U.S. You may have noticed that many companies have recently notified customers about updates to their privacy policies based on the GDPR’s mandates. If you already have a standard privacy policy in place on your website and your business is active in the EU, you may need to do the same thing.
5. Whether Your Standard Privacy Policy is Current
Data breaches make news headlines with alarming frequency these days. Lawmakers then scramble to draft laws in response that provide consumers with more protection as new vulnerabilities are discovered. Due to the quickly changing nature of technology, these laws are constantly being enacted and revised.
This ever-changing legislation is another reason to consult with an attorney when you’re drafting your standard privacy policy. Be sure to let your attorney know that you want a current policy and you also want to be updated whenever a change in the law requires a change in your policy language.
Part of my regular practice involves both drafting and updating standard privacy policies for my clients. I’m available to offer long-term legal guidance regarding your privacy policy as laws and regulations continue to evolve. Contact me for help protecting your business.
