A privacy policy is a legal document that discloses some or all of the ways a website operator gathers, uses, discloses and manages a visitor’s data and personal information. As simple as that sounds, privacy and communications policies have presented many issues for website owners.
Website operators should always post a privacy and/or communications policy on their website if the website gathers any type of personal contact or identifying information from website visitors and/or customers. This applies even to websites that collect only email addresses. Personal information generally includes contact information such as a visitor’s physical address, phone number or email address, and identifying information such as first and last names, Social Security number, etc. If your website sells goods, you will almost certainly be collecting this type of information. Registration with your website, and the information your website collects to process a transaction or to operate some feature, will likewise result in collecting personal information. Passive usage information about how visitors use and interact with a website (for example, analytics or tracking data) should also be disclosed, especially if it is later combined with personally identifying information.
The fact that you do not plan to share this information with third parties does NOT mean you can dispense with a privacy policy on your website.
Federal Laws
There is no general federal law requiring a website to have or post a privacy policy. However, Section 5 of the Federal Trade Commission (“FTC”) Act (15 U.S.C. § 45) prohibits unfair or deceptive acts or practices in or affecting commerce. While the FTC Act does not regulate privacy as such, any deceptive act or practice in commerce can lead to liability under it. If your business gathers information from your visitors and then disseminates or discloses it in a way inconsistent with what those visitors were told, this will generally be treated as a deceptive business practice under the FTC Act.
The bottom line is that the use and/or dissemination of information collected from website visitors is deceptive when the visitor is not properly made aware of the potential for that use and sharing before he or she provides any information to the website. In practice the FTC expects website operators to clearly inform visitors of all the ways the website collects their personal information (“personally identifiable information”) and how that information will, or may, be used or shared with third parties. The FTC Act itself imposes no express obligation to post a privacy policy. However, if you collect and then disclose visitors’ personally identifiable information without informing them of those practices, that omission can itself be a deceptive practice. Conversely, if you post a privacy policy and you or your business does not follow it, that is also a deceptive practice. For example, if your website states that the operators do not sell or provide collected email addresses to third-party marketers, but you do so anyway, that is plainly deceptive. In other words, the website privacy policy cannot mislead your visitors. According to the FTC, a violation of a published written statement such as a privacy policy is a deceptive act or practice.
Other than the FTC Act, some federal laws govern privacy policies in specific circumstances. These include the Children’s Online Privacy Protection Act (COPPA), which applies to websites directed to, or knowingly collecting personal information from, children under 13; the Gramm-Leach-Bliley Act, which governs “financial institutions”; and the Health Insurance Portability and Accountability Act (HIPAA), which governs health information held by covered entities and their business associates.
State Website Privacy & Security Laws
A handful of states have separate online privacy protection statutes or some express law dealing with gathering information through a website. A few states also have laws placing security requirements on businesses that collect personal information online.
The following states have implemented more specific laws governing website privacy policies and security requirements:
-California has adopted the California Online Privacy Protection Act of 2003 (California Business and Professions Code Sections 22575-22579). The law requires “any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site”. It also requires the policy to identify the categories of personal information the website collects and the categories of third parties with whom the website may share that information. Because the test is the residency of the visitor rather than the location of the operator, the statute reaches any website, wherever located, that collects personal information from a California resident.
-Connecticut requires any person who collects Social Security numbers in the course of conducting business to create a privacy policy. The policy must be “publicly displayed” by posting it on a web page, and it must: (1) protect the confidentiality of Social Security numbers; (2) prohibit unlawful disclosure of Social Security numbers; and (3) limit access to Social Security numbers. Connecticut law now also requires that businesses “safeguard the data, computer files and documents containing the [personal] information from misuse by third parties” and “destroy, erase or make unreadable such data, computer files and documents prior to disposal.” Conn. Pub. Act 08-16, § 1.
-Nebraska prohibits knowingly making a false or misleading statement in a privacy policy, whether published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.
-Pennsylvania treats false and misleading statements in privacy policies, whether published on websites or otherwise distributed, as violations of its deceptive and fraudulent business practices statute.
-Nevada requires that “[a] business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” This covers e-mail, websites and other forms of Internet-based communication containing personal information. Note that the Nevada law applies only to businesses “in this State.” However, a business located outside Nevada that transacts with customers in the state may still be found to be “doing business” in Nevada. If you plan on doing a significant amount of business in Nevada, it is safest to assume that the law will apply.
-Massachusetts, like Nevada, requires businesses to encrypt all personal information that is transmitted across public networks or by wireless transmission (201 CMR 17.00). It applies to all persons that own, license, store or maintain personal information about a resident of Massachusetts, regardless of where the business is located. The regulation also requires businesses to encrypt all personal information stored on laptops and other portable devices, and to maintain a written information security program. Similar to the Nevada law, “personal information” is defined as a person’s name in combination with one of the following sensitive data elements: Social Security number, driver’s license or state-issued identification card number, or a financial account, credit card or debit card number.
There are also state laws governing credit card purchases that prohibit the website operator from requiring or recording any personal information that the credit card company does not itself require. Of course, state laws regulating online information collection practices are rapidly evolving, and the list above should be treated as a starting point rather than a complete survey.