Wednesday, February 12, 2014

Does Your Website Privacy Policy Pass the Test?


In the past couple of years, Facebook, Twitter, and Google each settled disputes with the Federal Trade Commission ("FTC") relating to website privacy, and Google has reportedly paid $8.5 million to settle a class action suit based on similar privacy-based claims.  Even though actions against these Internet giants capture the headlines, all organizations with websites, regardless of size, can learn valuable lessons from the FTC's recent enforcement actions (as Upromise, Inc. learned in 2012 when the FTC took action against it on similar grounds).  The following discussion presents a high-level description of various aspects of website privacy law that organizations should not overlook:

Capturing Information

If your organization has a website that collects information in any way, including through an embedded "contact" form, or even cookies, you should strongly consider establishing a website privacy policy statement to protect your organization from liability.  Privacy policies are not just for large corporations and "web-based" companies.  A myriad of laws control what must be disclosed in a website privacy policy statement and how it is presented, as well as the underlying privacy practices.

Making Promises

Organizations sometimes make promises in their website privacy statements that they fail to fulfill in practice.  Allegations of broken promises can be found in most of the FTC's recent enforcement actions in this area.  This is particularly unfortunate because, in many instances, the organization created an otherwise avoidable risk by establishing privacy standards that were stricter than the law required.  This type of risk is increased if an organization (or its third-party website designer) simply copies another organization's privacy policy statement without first understanding all of the legal and practical considerations that went into the original privacy statement, including what different or additional policies an organization may need to have because of the different ways in which it does business.  To be effective in protecting your organization from liability, your website privacy policy statement must be tailored to your organization's own practices.

Conducting Business On-Line

If your organization does business through its website, it may well have additional financial privacy protection obligations and disclosure requirements under various federal and state financial privacy laws, particularly if credit is extended for online transactions.  Any organization engaging in credit transactions through its website needs to be aware of the many additional legal obligations created by the patchwork of financial privacy laws.

Protecting Children

Websites directed at children are subject to additional restrictions and requirements under the Children's Online Privacy Protection Act ("COPPA").  If your organization's website, or a section of the website, is designed for children, COPPA disclosures and policies are necessary.

Opt-Out Requirements for Advertising

A federal law, the Controlling the Assault of Non-Solicited Pornography and Marketing Act, commonly known as the "CAN-SPAM Act," limits electronic advertising.  Although it is not a privacy law per se, it does require Internet and email advertisers to provide an opt-out mechanism for electronic marketing, among other things.  If your company advertises through its website or by email, you must have CAN-SPAM policies and an opt-out procedure.  It is customary and advisable to address the CAN-SPAM Act and opt-out rights in a website privacy policy.

Don't Forget State Laws

A few states have their own website privacy laws with which your organization must comply if you are directing your website to residents of any of those states.  For example, if your organization's website is directed at California residents, or at U.S. audiences generally, your website will need to comply with California's rules, which are reputed to be the most rigorous and which include specific requirements that go beyond the requirements of the federal rules.

Conclusion

Internet privacy is gaining increasing attention from governmental entities, consumer groups, and plaintiffs' class action attorneys, and is expected to be an emerging source of risk for many companies.  Fortunately, much of that risk is avoidable if care is taken to observe the patchwork of applicable legal requirements.


