Privacy Policies: Why Having One Is Crucial For Your Company
July 24, 2019 | By Jeff Villalobos
It is difficult to find a company that does not hold personal information sourced from its customers or website visitors. To maintain compliance with various state and federal laws, it is important that a company keeps records on how it collects, processes, uses, and shares personal information. This post focuses on the importance of a privacy policy for your website and/or application.
WHAT IS A PRIVACY POLICY AND WHY DOES MY COMPANY NEED ONE?
A privacy policy is a disclosure document that informs visitors of your site or users of your app about what information you collect from them and what you do with that information. Because practices vary greatly from company to company, it is important that your privacy policy reflects your platform’s actual practices and not those of another platform. For instance, a SaaS product that enables employers to process new hires is likely going to hold data that is more sensitive than a blog site that collects readers’ email addresses.
While the United States has established some privacy regimes, like the Children’s Online Privacy Protection Act (COPPA), it has not yet enacted a comprehensive privacy law. As a result, many states have led the charge and require that companies, small and large, disclose their practices to consumers. Additionally, with the enactment of the General Data Protection Regulation (GDPR) in the EU in 2018, many companies find that they are subject to international privacy standards. Because it is rare that a transaction occurs in only one state, and because websites and apps have users in many jurisdictions, a company can easily find itself subject to the privacy laws of another state or country. In the United States, the primary federal agency that enforces privacy violations is the Federal Trade Commission (FTC). The FTC promulgates guidelines for privacy best practices and enforces certain federal rules, which are discussed in more depth below.
Given the complex web of state, federal, and international laws, choosing not to publish a privacy policy can expose your company to large fines or other severe penalties.
WHAT DOES MY PRIVACY POLICY NEED TO INCLUDE?
The exact things needed for your privacy policy may vary depending on your platform, but some of the basics include:
- The legal name of the business. Contact information and a corporate address should also be included. If you are running a home business, we recommend opening a PO Box or hiring a mail-forwarding service to protect your privacy.
- Exactly what information is collected. You should disclose all information that is being collected, including names, email addresses, physical location, device information, or other personal information. Depending on the location of your data subject, you may also need to explain why the data is collected.
- How data is being collected. To make informed decisions, consumers should know how you are getting their data. You should disclose whether you are collecting the data automatically, collecting the data manually when the data subject submits information, or both. You should specifically provide information about cookies if your service uses them.
- Who the company shares data with and why. Examples of such third parties include: the company’s service providers, affiliates, vendors, and, in some cases, government agencies.
- How the consumer can review, change, or request deletion of the information collected by the company. Examples include allowing the consumer to opt out of email communications, to decline to sign up for an account, or to request a list of the data collected about them.
- Age limitations for data collection. Federal and state laws provide substantial protection for the personal data of minors. You should list the ages of persons from whom you will collect data and should have a mechanism available for parents to inform you if you have accidentally obtained data from minors. While the federal law focuses on children under the age of 13, the California Consumer Privacy Act will prohibit selling the personal information of a consumer under 16 without consent. Similarly, the GDPR’s default age for consent is 16. It is likely that future privacy laws will use 16 as the default.
- The effective date of the privacy policy. Include when the privacy policy was drafted and made effective.
- How the company notifies the consumer of changes to the privacy policy. Explain how the user will be made aware of any changes to the policy.
Special considerations for mobile apps
The FTC has released a set of guidelines to help mobile app developers comply with basic privacy policy principles. These guidelines include:
- Building privacy considerations from the start
- Being transparent about your data practices
- Offering choices that are easy to find and use
- Protecting kids’ privacy (particularly COPPA compliance)
- Keeping user data secure
HOW DO I MAKE SURE MY CONSUMERS ARE AWARE OF MY PRIVACY POLICY?
Clickwrap and browsewrap agreements are the most common ways companies present privacy policies on websites and apps. Clickwrap agreements are the preferred method, as they obtain affirmative consent from the data subject. Most commonly, clickwrap occurs upon account sign-up or log-in when the user clicks an unchecked “check box” stating that they have read and agree to the terms of use and/or the privacy policy. Browsewrap is a less certain form of agreement. Browsewrap usually takes the form of a banner on the screen or a link at the bottom of the homepage that contains the words “privacy policy.”
Under current case law, which may vary from state to state, browsewrap agreements are enforceable only when the website or app gives the user conspicuous notice of the agreement and its terms. Unlike with a clickwrap agreement, the user does not take any action to affirm consent to be bound by the privacy policy. Instead, the agreement typically states that use of the website or app is deemed acceptance of the agreement. Courts are more likely to enforce clickwrap agreements than browsewrap agreements.
In order to comply with more stringent European internet privacy laws, such as the GDPR, some websites and apps have begun using pop-up banners to alert users that their data is being collected. These pop-ups function very similarly to clickwrap agreements and have gained popularity largely because of the broad scope of the GDPR’s language, which extends its jurisdiction over any website or app that gathers data on European users. Accordingly, because there are no borders on the internet, many developers have instituted either blanket privacy pop-ups or geographically coded consent notices that appear only for European IP addresses.
Risks of having an inadequate privacy policy
Fallout from inadequate privacy practices and/or privacy policies is normally two-fold: regulatory discipline followed by a loss of consumer confidence. FTC disciplinary actions are a matter of public record and, importantly for startups, can be a massive red flag for potential investors. FTC enforcement can range from mandatory compliance reporting to large monetary penalties.
Recently, the FTC has started reviewing companies that misrepresent their compliance with Privacy Shield principles or that still claim the Safe Harbor framework applies. These companies, small and large, can find themselves subject to significant burdens that stifle growth.
KEY POINTS TO REMEMBER
- Transparency is the key to good privacy practices. A trending principle for privacy legislation is privacy by design. Users should be informed and should be permitted to make decisions about what you collect and how you use it. To anticipate legislative trends, companies should err on the side of more user control.
- Again, it is important that your privacy policy discloses YOUR practices. Do NOT copy policies from another website or app. Your privacy policy will be most effective and offer you the most protection if you make it specific to your company.
- Finally, due to the changing nature of privacy laws, and for good measure, you should perform annual privacy audits of your company to ensure that you are up-to-date with the laws and that you have maintained compliance with your own policies.
CONCLUSION
Privacy law compliance can seem burdensome due to the complex web of state, federal, and international laws and guidelines, but, when done correctly, a privacy policy can also serve as an effective marketing tool. People want to feel secure when they share data. Having a privacy policy for your website or mobile application is crucial. If you are interested in having an attorney draft a privacy policy for your website or mobile application, or have any questions regarding privacy policies, please contact us!
Special thanks to Vela Wood law clerk, Brandon Flowers, for his assistance with this post.