Website privacy policies explain how a business collects, uses, retains, shares, and secures customers’ personally identifiable information (PII), and often provide customers with the choices available to correct or delete their own PII from the business’ database.
In the U.S., there is no overarching federal data privacy law that addresses website privacy policies for every business; rather, we have an overlapping “patchwork” of federal and state laws and regulations. Whether a particular law applies to a business usually depends on the business’ industry (e.g., healthcare and financial institutions) and the types of information collected (e.g., information about children).
Laws that require website privacy policies
A few examples of Federal laws that require website privacy policies include:
- The Health Insurance Portability and Accountability Act (HIPAA) requires companies engaged in healthcare services to give written notice of their privacy practices.
- The Gramm-Leach-Bliley Act requires “financial institutions” – companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance – to provide a “clear, conspicuous, and accurate statement” about the company’s privacy practices.
Some states have laws requiring privacy policies. Importantly, the state privacy law that applies to a business is usually based on the residence of the individual whose information is collected, and not necessarily the location of the business. For example, the California Online Privacy Protection Act (CalOPPA) requires a commercial website or app that collects PII from California residents to post a privacy policy that discloses:
- the categories of information collected,
- the types of third parties with whom the operator may share that information,
- instructions on how to review and request changes to a user’s information,
- how the business responds to “Do Not Track” signals, and
- whether third parties can collect PII about users.
What if a business’ website or app doesn’t collect information?
The Federal Trade Commission (FTC) is the leading regulatory agency for consumer privacy in the U.S., and it has consistently demonstrated its willingness to enforce Section 5 of the FTC Act’s prohibition against “unfair” or “deceptive” acts or practices, which include instances where businesses don’t adhere to their own privacy policies.
Businesses that face FTC enforcement actions often agree to a consent order (essentially a settlement) under which they must pay civil penalties, make no additional misrepresentations about their privacy or cybersecurity practices, implement and maintain comprehensive written privacy and cybersecurity programs, and undergo independent compliance assessments every two years for a 20-year period.
According to FTC guidance, websites and apps should adhere to the FTC’s fair information practice principles (FIPPs) when it comes to the collection, use, sharing, and protection of PII. The main elements of the FIPPs include:
- Notice and awareness: consumers should be given prominent and clear notice of a business’ information practices before any PII is collected from them. Specifically, the notice should inform consumers about which entity collects the PII (on behalf of the business); what types of PII are collected (name, address, email address, IP address, etc.); whether the collection of PII is voluntary or required; how the business collects PII; how it intends to use the PII; with whom the PII may be shared; and how the business will ensure the confidentiality, integrity, and quality of the collected PII. In addition, the notice should be prominent enough that consumers can actually find it, and clear and concise enough that they can actually understand it.
- Choice and consent: businesses should give consumers options to control how their PII is used. For example, choices should be given regarding secondary uses of information that go beyond the initial needs of the business to complete the consumer’s transaction.
- Access and participation: consumers should be able to quickly and inexpensively view their PII that the business has collected, and verify or contest its accuracy.
- Integrity and security: businesses should ensure the accuracy and security of the PII they collect.
Many privacy policies are too long, too complex, and/or filled with too much legal jargon for the average consumer. Both the FTC and the California Attorney General’s Office (which enforces CalOPPA) have been critical of these types of policies for not providing sufficiently clear and concise notice to consumers, and thus such policies may be considered “deceptive” and subject to enforcement action.
A few tips
- Consider future business plans. For example, how would consumer PII be handled in the event of a sale or merger?
- Use clear and concise language. That means using short sentences and plain language and avoiding legal jargon. Also, organize the information reasonably – with the most important information near the top, and with sections and/or bullet points to break down key topics. Remember, if consumers don’t understand the policy, the FTC or another regulatory authority may consider it “deceptive.”
- Don’t make general statements that aren’t legally required, such as “your privacy is important to us.” And don’t make statements that the business won’t be able to live up to, such as “we use the best cybersecurity.” These types of statements could come back to haunt you in the form of evidence in an enforcement action or a class action lawsuit.
- Inform consumers about how they will receive notice of revisions to the policy, and how these revisions will be implemented.