In the past couple of years, Facebook, Twitter, and Google each settled disputes with the Federal Trade Commission ("FTC") relating to website privacy, and Google has reportedly paid $8.5 million to settle a class action suit based on similar privacy-based claims. Even though actions against these Internet giants capture the headlines, all organizations with websites, regardless of size, can learn valuable lessons from the FTC's recent enforcement actions (as Upromise, Inc. learned in 2012 when the FTC took action against it on similar grounds).
The following discussion presents a high-level description of various aspects of website privacy law that organizations should not overlook:
Capturing Information
If your organization has a website that collects information in any way, including through an embedded "contact" form, or even cookies, you should strongly consider establishing a website privacy policy statement to protect your organization from liability. Privacy policies are not just for large corporations and "web-based" companies. A myriad of laws control what must be disclosed in a website privacy policy statement and how it is presented, as well as the underlying privacy practices.
Making Promises
Organizations sometimes make promises in their website privacy statements that they fail to fulfill in practice. Allegations of broken promises can be found in most of the FTC's recent enforcement actions in this area. This is particularly unfortunate because, in many instances, the organization created an otherwise avoidable risk by establishing privacy standards that were stricter than the law required. This type of risk is increased if an organization (or its third-party website designer) simply copies another organization's privacy policy statement without first understanding all of the legal and practical considerations that went into the original privacy statement, including what different or additional policies an organization may need to have because of the different ways in which it does business. To be effective in protecting your organization from liability, your website privacy policy statement must be tailored to your organization's own practices.
Conducting Business On-Line
If your organization does business through its website, it may well have additional financial privacy protection obligations and disclosure requirements under various federal and state financial privacy laws, particularly if credit is extended for online transactions. Any organization engaging in credit transactions through its website needs to be aware of the many additional legal obligations created by the patchwork of financial privacy laws.
Protecting Children
Websites directed at children are subject to additional restrictions and requirements under the Children's Online Privacy Protection Act ("COPPA"). If your organization's website, or a section of the website, is designed for children, COPPA disclosures and policies are necessary.
Opt-Out Requirements for Advertising
A federal law, the Controlling the Assault of Non-Solicited Pornography and Marketing Act, commonly known as the "CAN-SPAM Act," limits electronic advertising. Although it is not a privacy law per se, it does require Internet and email advertisers to provide an opt-out mechanism for electronic marketing, among other things. If your company advertises through its website or by email, you must have CAN-SPAM policies and an opt-out procedure. It is customary and advisable to address the CAN-SPAM Act and opt-out rights in a website privacy policy.
Don't Forget State Laws
A few states have their own website privacy laws with which your organization must comply if you are directing your website to residents of any of those states. For example, if your organization's website is directed at California residents, or at U.S. audiences generally, your website will need to comply with California's rules, which are reputed to be the most rigorous and which include specific requirements that go beyond the requirements of the federal rules.
Conclusion
Internet privacy is gaining increasing attention from governmental entities, consumer groups, and plaintiffs' class action attorneys, and is expected to be an emerging source of risk for many companies. Fortunately, much of that risk is avoidable if care is taken to observe the patchwork of applicable legal requirements.