This applies to websites or apps that collect only email addresses. Personally-identifying information generally includes contact information such as a physical address, phone number or email address, first and last names, social security numbers, biometric information or even unique identifiers when bundled with such identifying data. With the recent adoption of California’s Consumer Privacy Act (CCPA), IP addresses will be considered personally identifying data when collected from California consumers where the law applies.
Registration with a website and/or the information website collects to process a transaction or interact with some feature will likely result in collecting personal information. Collecting passive use information about how website or app users use and interact with a website/app should also be disclosed if this information is then bundled with personally identifiable information. Simply because website/app operators do not plan on disseminating any personally-identifying information to third parties does NOT mean data privacy disclosures should not be in place.
California’s Online Privacy Protection Act Framework
Many websites use California’s Online Privacy Protection Act (“OPPA”) requirements as guides in drafting their privacy policies. The OPPA requirements should serve as the framework for website and app privacy policies since they are well defined. Disclosing exactly how and when you collect personal information and when you distribute or disclose it will determine how to fill in the remainder of the policy and avoid liability under the FTC Act and any other applicable state law. As of 2020, you can now add the CCPA to the list of laws that dictate how website or app policies are modeled.
- When does the website/app collect personally-identifying information? Your website or app may collect information upon registration, or when any of your visitors order a product. But how else will it collect information? Other collection of data may occur through the collection of website traffic and aggregate usage data. For instance, the date and time a user visits a site, the IP address from which a website was accessed, the webpages visited, the duration on each page, the type of browser and operating system used to access your site, etc. Information may also be collected through correspondence such as emails, faxes or phone calls with your business. Collection of information also occurs through credit card processing or other third-party applications accessed through a website/app;
- What information does the website/app actually collect? What personally identifiable information does the subject website or app collect? Using OPPA and the CCPA as a framework is a great start in defining and determining this information;
- What information is disclosed or provided to third parties? Operators must determine all the possible ways data is disclosed to third parties. This may include data provided to ad networks or lead generation companies, SEO and marketing consultants, affiliated entities, etc. Where operators collect information and allow third parties to access the personal information through some service arrangement or software application like a WordPress plugin, this must be disclosed.
Other than the FTC Act, some other primary federal laws govern privacy policies in specific circumstances. These include the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, which governs “Financial Institutions”, and the Health Insurance Portability and Accountability Act (HIPAA).
FTC Rulings Establish Guidelines
- Disclose Exactly How the Website/App Treats Personal Information. Operators must disclose all the ways personally-identifying data is collected and used. This is really a key lesson to be taken away from the FTC’s existing enforcement actions.
- Have Security Measures in Place. In a nutshell, operators need to protect user data. The FTC has also stated that misleading statements about website security are prohibited. According to the FTC in one of its administrative decisions, website and app operators must implement and document procedures that are reasonable and appropriate to: (1) prevent possible unauthorized access to your system; (2) detect possible unauthorized access to the system; (3) monitor the system for potential vulnerabilities; and (4) record and retain system information sufficient to perform security audits and investigations.
In subsequent cases, the FTC added to its definition of what constitutes “reasonable and appropriate security” measures, including: (i) companies should not store sensitive information for unnecessarily long periods of time or in a vulnerable (i.e., non-encrypted) format; (ii) must use strong passwords to prevent a hacker from gaining control over computers and access to personal information stored on a network; (iii) must use readily available security measures to limit access between computers on its network and with the internet; and (iv) must employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.
- Proper Training and Oversight Is Required. Adequate training and oversight of the personnel who will handle data collection is a reasonable step a business or organization must take, according to the FTC.
If the FTC ever does file a complaint against a website/app operator, it could lead to very stiff civil penalties and consumer redress damages. Better to play it safe than risk shelling out thousands of dollars to the FTC.
A handful of states have separate online privacy protection statutes or have some express law dealing with gathering information from a website or app. A few states have website privacy laws placing security requirements on websites that collect personal information.
The following are a few notable examples of specific state laws governing website privacy policies and security requirements:
UPDATE: As of January 1st, 2020, California has adopted the CCPA.
- Pennsylvania includes false and misleading statements in privacy policies published on websites or otherwise distributed in its deceptive and fraudulent business practices statute.
- Nevada requires that “[a] business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” This includes all e-mail, websites, and other forms of Internet-based communications containing personal information. It is also important to note that the Nevada law applies only to businesses “in this State.” However, many businesses that are not located in Nevada but that do business with customers in the state could be “doing business” in Nevada. If operators plan on doing a significant amount of business in Nevada, it is safe to assume that the law will apply.
- Massachusetts, like the Nevada law, requires businesses to encrypt all personal information that is transmitted across public networks or by wireless transmission. It applies to all persons that own, license, store or maintain personal information about a resident of Massachusetts. This law also requires businesses to encrypt all personal information that is stored on laptops and other portable devices. Similar to the Nevada law, “personal information” is defined as a combination of a person’s name plus one of the following sensitive data elements related to that person: Social Security number, driver’s license or state-issued identification card number, or financial, credit or debit card account numbers.
What about the GDPR?