Website privacy policy requirements come from both the Federal Trade Commission (FTC) Act and applicable state statutes. In order not to be misleading or deceptive, website and app operators need to disclose each specific collection and use of all personally identifiable information. In order to do that, operators need to know what information the website or app will collect and how it is collected. Without understanding these basic questions, no privacy policy can properly inform website or app users. Inadequate or non-existent privacy policy disclosures may be deceptive under Section 5 of the FTC Act and various state consumer deception laws regarding data collection and use.
This applies even to websites or apps that collect only email addresses. Personally-identifying information generally includes contact information such as a physical address, phone number or email address, first and last names, social security numbers, biometric information or even unique identifiers when bundled with such identifying data. With the recent adoption of California’s Consumer Privacy Act (CCPA), IP addresses will be considered personally identifying data when collected from California consumers where the law applies.
Registration with a website and/or the information website collects to process a transaction or interact with some feature will likely result in collecting personal information. Collecting passive use information about how website or app users use and interact with a website/app should also be disclosed if this information is then bundled with personally identifiable information. Simply because website/app operators do not plan on disseminating any personally-identifying information to third parties does NOT mean data privacy disclosures should not be in place.
California’s Online Privacy Protection Act Framework
Many websites use California’s Online Privacy Protection Act (“OPPA”) requirements as guides in drafting their privacy policies. The OPPA requirements should serve as the framework for website and app privacy policies since they are well defined. Disclosing exactly how and when you collect personal information and when you distribute or disclose it will determine how to fill in the remainder of the policy and avoid liability under the FTC Act and any other applicable state law. As of 2020, you can now add the CCPA to the list of laws that dictate how website or app policies are modeled.
When drafting any privacy policy, operators should always disclose the following:
- When does the website/app collect personally-identifying information? Your website or app may collect information upon registration, or when any of your visitors order a product. But, how else will it collect information? Other collection of data may occur through a collection of website traffic and aggregate usage data. For instance, the date and time a user visits a site, the Internet Protocol (IP) address from which a website was accessed, the webpages visited, the duration on each page, the type of browser and operating system used to access your site, etc. Information may also be collected through correspondences such as emails, faxes or phone calls with your business. Collection of information also occurs through credit card processing or other third-party applications accessed through a website/app;
- What information does the website/app actually collect? What personally identifiable information does the subject website or app collect? Using OPPA and the CCPA as a framework is a great start in defining and determining this information;
- How will operators use personally identifiable information? Operators need to disclose exactly how the operator intends to use any data or information collected. Merely storing data in a customer contact database without sharing it, for example, should be disclosed. Similarly, facilitation of product purchases or collection for future promotions should be disclosed in any privacy policy;
- What information is disclosed or provided to third parties? Operators must determine all the possible ways data is disclosed to third parties. This may include data provided to ad networks or lead generation companies, SEO and marketing consultants, affiliated entities, etc. Where operators collect information and allow third parties to access the personal information through some service arrangement or software application like a WordPress plugin, this must be disclosed;
- Does the operator use cookies or any type of automatic data tracking tool? This should be clearly disclosed where an identifier is used to uniquely identify a site/app user. This includes “third-party cookies” (i.e. a third party that passes cookies directly to website visitors’ browsers when they visit a website or use an app).
Federal Website Privacy Policy laws
There is no specific federal website privacy policy law regulating or requiring a website or app to post a policy. However, Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive marketing practices. While the FTC does not regulate privacy issues, any deceptive act or practice in commerce will lead to liability under the FTC Act. If website/app operators gather and unlawfully disseminate or disclose information from visitors, this will generally be categorized as a deceptive or fraudulent business practice under the FTC Act.
The bottom line is that the use and/or dissemination of information collected from website visitors is deceptive when the visitor is not properly made aware of the potential for this use and sharing before he or she provides any information to the website. The FTC basically requires that website operators/owners clearly inform visitors about all the ways the website/app collects any of their personally identifiable information and then how this information will or may potentially be used or shared with third parties. There is no specific obligation imposed upon website operators to actually post a privacy policy on their website under the FTC Act. However, if personal information is collected and no privacy policy is posted on the website or app, this is a deceptive practice.
Other than the FTC Act, several other federal laws govern privacy policies in specific circumstances. These include the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, which governs “Financial Institutions”, and the Health Insurance Portability and Accountability Act (HIPAA).
FTC Rulings Establish Guidelines
Operators should use the lessons learned from previous FTC enforcement actions to complete the rest of their privacy policy. Here is a quick summary of those lessons:
- Always Follow Your Privacy Policy. Operators must abide by proclamations that operators won’t distribute website/app personally-identifying data or that “all information you provide will remain anonymous.” Otherwise, the operator is in violation of the FTC Act and a myriad of state data collection/use laws. Pretty simple concept: when operators lie, it is a deceptive practice under the FTC Act and other state laws;
- Disclose Exactly How the Website/App Treats Personal Information. Operators must disclose all the ways personally-identifying data is collected and used. This is really a key lesson to be taken away from the FTC’s existing enforcement actions;
- Have Security Measures in Place. In a nutshell, operators need to protect user data. The FTC has also stated that misleading statements about website security are prohibited. According to the FTC in one of its administrative decisions, website and app operators must implement and document procedures that are reasonable and appropriate to: (1) prevent possible unauthorized access to your system; (2) detect possible unauthorized access to the system; (3) monitor the system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations.
In subsequent cases, the FTC added to its definition of what constitutes “reasonable and appropriate security” measures, including that (i) companies should not store sensitive information for unnecessarily long periods of time or in a vulnerable (i.e., non-encrypted) format; (ii) companies must use strong passwords to prevent a hacker from gaining control over computers and access to personal information stored on a network; (iii) companies must use readily available security measures to limit access between computers on their network and with the internet; and (iv) companies must employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.
- Proper Training and Oversight is Required. Adequate training and oversight of the personnel who will handle data collection is a reasonable step a business or organization must take, according to the FTC;
- Don’t Change a Policy After the Fact. Operators cannot retroactively change a privacy policy to the detriment of website or app users. If an operator begins to disclose or sell personal information provided by site/app users without disclosing this before collection, the operator is then in violation of the law. Operators must take additional steps to alert users that the operator has changed its policy to permit third-party sharing of personal information without explicit consent. The FTC has complained that the retroactive application of privacy policy changes “caused or is likely to cause substantial injury to consumers.” The FTC also has stated that operators should provide additional notice when the privacy policy has materially changed and note the aspects of the policy that have changed;
- Notify Visitors/Users about Privacy Policy Changes. Each time an operator changes a privacy policy, the best practices include notifying visitors/users about these changes and requiring them to accept the changes after clicking through the amended policy. Any personal information obtained from previous website/app users should not be used in a manner different from the original privacy policy unless their consent is obtained.
If the FTC ever does file a complaint against a website/app operator, it could lead to very stiff civil penalties and consumer redress damages. Better to play it safe than risk shelling out thousands of dollars to the FTC.
In conclusion, the best route for operators to take is to draft a privacy policy based upon OPPA, the CCPA and the guidelines set forth by the FTC.
State Website Privacy Policy Laws
A handful of states have separate online privacy protection statutes or have some express law dealing with gathering information from a website or app. A few states have website privacy laws placing security requirements on websites that collect personal information.
The following are a few notable examples of specific state laws governing website privacy policies and security requirements:
- California has the most comprehensive data privacy protection standards in the United States. It started by adopting the California Online Privacy Protection Act of 2003 (California Business and Professions Code Sections 22575-22579). The law requires “any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site”. It also requires the policy to identify the category of personal information that the website collects and the third parties with whom the website may share the information. This statute applies to any website that collects personal information from a California resident.
California’s “Shine the Light” data privacy law is also in effect. But, only businesses that have 20 or more employees, have shared customer personal information with other companies for their direct marketing use within the immediately preceding calendar year, and have an established business relationship with a customer who is a California resident must comply. [Cal. Civ. Code § 1798.83(c)(1) and (e)(1)]. Businesses that maintain a free and publicly viewable privacy policy and that also allow users to opt in to or opt-out of information sharing are exempt. [Cal. Civ. Code § 1798.83(c)(2)].
UPDATE: As of January 1st, 2020, California has adopted the CCPA.
- Connecticut requires any person who collects Social Security numbers in the course of conducting business to create a privacy policy. The policy must be “publicly displayed” by posting it on a web page and the policy must: (1) protect the confidentiality of Social Security numbers; (2) prohibit unlawful disclosure of Social Security numbers; and (3) limit access to Social Security numbers. Connecticut laws now also require that businesses “safeguard the data, computer files and documents containing the [personal] information from misuse by third parties” and “destroy, erase or make unreadable such data, computer files and documents prior to disposal.” Conn. Pub. Act 08-16, § 1.
- Nebraska prohibits knowingly making a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.
- Pennsylvania includes false and misleading statements in privacy policies published on websites or otherwise distributed in its deceptive and fraudulent business practices statute.
- Nevada requires that “[a] business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” This includes all e-mail, websites, and other forms of Internet-based communications containing personal information. It is also important to note that the Nevada law applies only to businesses “in this State.” However, many businesses that are not located in Nevada but that do business with customers in the state could be “doing business” in Nevada. If operators plan on doing a significant amount of business in Nevada, it is safe to assume that the law will apply.
- Massachusetts, like the Nevada law, requires businesses to encrypt all personal information that is transmitted across public networks or by wireless transmission. It applies to all persons that own, license, store or maintain personal information about a resident of Massachusetts. This law also requires businesses to encrypt all personal information that is stored on laptops and other portable devices. Similar to the Nevada law, “personal information” is defined as a combination of a person’s name plus one of the following sensitive data elements related to that person: Social Security number, driver’s license or state-issued identification card number, or financial, credit or debit card account numbers.
Posting A Privacy Policy
The basic principles set forth by state and federal laws provide that operators should post the privacy policy in a conspicuous manner. A privacy policy is really just a disclosure to prevent information collection practices from being deceptive. Accordingly, operators should follow the guidelines below on how and where to place privacy policies, which are meant to comply with FTC laws and the requirements set forth under OPPA.
- Place a link that contains the word(s) “PRIVACY” or “PRIVACY POLICY” on the homepage of the website or within the app. The link should lead to a separate page containing the privacy policy. App operators can host the policy on a separate website and include a link in the app, or provide it directly within the app. The text link should be written in capital letters equal to or greater in size than the surrounding text, or in contrasting type, font, or color to the surrounding text, or set off from the surrounding text somehow with symbols or other marks that call attention to the language (e.g. “PRIVACY POLICY”); and
- Any privacy policy page links should not be hidden or innocuous where website/app users have to scroll down to the bottom of a page to stumble upon it. In other words, the link should be placed on the immediately visible portion of the page.
What about the GDPR?
The scope of this article focuses on U.S. website privacy policy requirements and laws. I have written separately about the basic GDPR requirements website and app operators should understand. But, operators that have no EU audience and do not market to the EU may be exempt from GDPR requirements.