Website operators should always post a privacy and/or communications policy on their website if the website gathers any type of personal contact or identifying information from website visitors and/or customers.
This applies to websites that collect only email addresses. Personal information generally includes contact information such as a visitor’s physical address, phone number or email address and identifying information such as first and last names, social security number, etc. If your website conducts sales of goods, you will almost undoubtedly be collecting this type of information.
Additionally, registration with your website and/or the information your website collects to process a transaction or interact with some feature will result in collecting personal information. Collecting passive use information about how website visitors use and interact with a website should also be disclosed, especially if this information is then bundled with personally identifying information.
California’s Online Privacy Protection Act Framework
- When your website collects information. Your website may collect information upon registration with your website, or when any of your visitors order a product. But, how else will it collect information? Other collection of data may occur through collection of website traffic and aggregate usage data. For instance, the date and time a user visits your site, the (IP) address from which your website was accessed, the webpages visited, duration on each page, the type of browser and operating system used to access your site, etc. Information may also be collected through correspondences such as through emails, faxes or phone calls with your business. Collection of information also occurs through credit card processing or other third party applications accessed through your website;
- The information your website actually collects. What personal information will your website collect? You should use OPPA as your guide in defining and determining this information;
- How your business will use the personal information. You need to disclose exactly how your business intends to use any data or information it collects. Don’t leave anything out. If you don’t distribute any information, but will store it in some customer contact database, disclose this. Similarly, facilitation of product purchases or collection for future promotions should be disclosed in your policy;
- The information that is disclosed or provided to third parties. You must determine all the possible ways you will disclose your visitors personal information you collect. These will include information provided during the shipping process, to credit card merchants and banks, your host or ISP through operation of the website, etc. You should disclose all of this even if you don’t intend on distributing information to third parties;
FTC Rulings Establish Guidelines
-Disclose Exactly How Your Website Treats Personal Information. I touched upon this earlier. You must disclose all the ways you intend or will disclose personal information you collect. This is really a key lesson to be taken away from the FTC’s existing enforcement actions. If your object is only to provide information to one party, but you disclose it to third party marketers also, you must absolutely disclose this. If you collect information by accessing the personal information of third party sites through some service arrangement or software application you provide, this is also deceptive;
-Have Security Measures in Place. In a nutshell, you need to protect your customers and visitors personal information. The FTC has also stated that misleading express or implied statements about website security is prohibited. According to the FTC in one of their administrative decisions, your website must implement and document procedures that are reasonable and appropriate to: (1) prevent possible unauthorized access to your system (2) detect possible unauthorized access to the system; (3) monitor the system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations.
In subsequent cases, the FTC added to its definition of what constitutes “reasonable and appropriate security” measures. The FTC added requirements that (i) companies should not store sensitive information for unnecessarily long periods of time or in a vulnerable (i.e., non-encrypted) format, (ii) must use strong passwords to prevent a hacker from gaining control over computers and access to personal information stored on a network, (iii) must use readily available security measures to limit access between computers on its network and with the internet; and (iv) must employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.”
If the FTC ever does file a complaint against your business, it could lead to very stiff civil penalties and consumer redress damages. Better to play it safe then risk shelling out thousands of dollars to the FTC. In conclusion, the best route to take is to draft a privacy/communications policy based upon OPPA and the guidelines set forth by the FTC.
You should follow the guidelines below on how and where to place your privacy policies, which are meant to comply with FTC laws and the requirements set forth under OPPA.
There is no specific federal law regulating or requiring a website to have or post privacy policies. However, Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive marketing practices. While the FTC does not regulate privacy issues, any deceptive act or practice in commerce will lead to liability under the FTC Act. If your business gathers and unlawfully disseminates or discloses information from your visitors, this will generally be categorized as a deceptive or fraudulent business practice under the FTC Act.
Other then the FTC Act, some federal laws govern privacy policies in specific circumstances. This includes the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, which governs “Financial Institutions” and the Health Insurance Portability and Accountability Act (HIPAA).
State Website Privacy & Security Laws
A handful of states have separate online privacy protection statutes or have some express law dealing with gathering information from a website. A few states have laws placing security requirements on websites that collect personal information.
The following states have implemented more specific laws governing website privacy policies and security requirements:
-Pennsylvania includes false and misleading statements in privacy policies published on websites or otherwise distributed in its deceptive and fraudulent business practices statute.
-Nevada requires that “[a] business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” This includes all e-mail, and websites, and other forms of Internet-based communications containing personal information. It is also important to note that the Nevada Law applies only to businesses “in this State.” However, for many businesses which are not located in Nevada, but that do business with customers in the state, they could be “doing business” in Nevada If you plan on doing a significant amount of business in Nevada, it is safe to assume that the law will apply.
-Massachusetts, like the Nevada laws, requires businesses to encrypt all personal information that is transmitted across public networks or by wireless transmission. It applies to all persons that own, license, store or maintain personal information about a resident of Massachusetts. This law also requires businesses to encrypt all personal information that is stored on laptops and other portable devices. Similar to the Nevada law, “personal information” is defined as a combination of a person’s name plus one of the following sensitive data elements related to that person: Social Security number, driver’s license or state-issued identification card number, or financial, credit or debit card account numbers.