Checklist of Issues for Website Privacy Policies
February 2, 2012
By: John A. Leonard
5. Federal Laws. With one exception (the FTC, discussed below), the federal government has not enacted broad-based privacy laws. Instead, the federal government has opted to regulate privacy for certain industries. The federal laws are:
(a) Gramm-Leach-Bliley (GLB) applies to financial institutions (which are broadly defined). Covered institutions must give customers annual notices, are restricted as to whom and how private information may be transferred to unrelated third parties, and must give notices of breaches.
(b) The Health Insurance Portability and Accountability Act (HIPAA) applies to certain “Covered Entities” and has various rules regarding privacy, security, how data can be shared with business associates, and when notices of breach must be sent. HIPAA applies to any entity that is a health care provider, a health care clearinghouse, or a health plan.
7. International Laws. Businesses that have international operations, or that simply have foreign customers, must frequently observe foreign privacy laws that are more stringent than laws in the United States. For example, if a business obtains data from customers (either directly or through cookies), there are important notice, choice and privacy laws that should be evaluated, including the EU Privacy Directive; the FTC/EU Safe Harbor; and the May 25, 2011 Cookie Rule.
11. Location Information. Many sites track GPS coordinates or physical locations of use, such as Wi-Fi locations or cell towers. Some website owners offer an “opt out” that disables such tracking, some website operators require express “opt in” permission before tracking, while other website owners simply describe the practice and leave it to the user to give implied consent by using the website.
12. How Information Is Stored and Why It Matters. Many states have enacted data security breach notice laws. The laws vary from state to state; however, the common theme is that the duty to provide notification of a security breach will not arise unless: (a) data elements are associated with each other (for example, a name stored in the same file as a Social Security number) and (b) the data is not encrypted. Therefore, website owners can reduce potential liability by developing data security procedures which address applicable state and federal laws.
13. Website Owner Liability for User Generated Content. Some websites permit users to post a variety of user generated content (UGC). Some content may violate the rights of others. Moreover, because of the nature of electronic commerce, a website owner may have little control over what is posted. The law relating to UGC and website owner liability continues to develop, and laws are frequently inconsistent. For example, complying with a law relating to copyright may increase liability under other laws. Two laws that provide protection for website owners are the Digital Millennium Copyright Act (DMCA) and the Communications Decency Act (CDA). There is a rule under the DMCA which protects “service providers” where a website user publishes infringing content. In order to obtain a DMCA defense, the DMCA requires that the service provider “expeditiously” remove materials once it receives actual knowledge or gains awareness that such infringing content has been published on its website. There are detailed rules under the DMCA regarding how the takedown notice must be published and communicated. Similarly, the CDA shields internet service providers from speaker/publisher torts, such as defamation, misinformation, infliction of emotional distress, threats, etc., based upon content created or developed by an unrelated user. The CDA requires certain conduct; otherwise the internet service provider will not receive CDA protections.
14. E-Mail Laws and Spam. Website owners that send unsolicited commercial e-mail must comply with the federal CAN-SPAM Act. Senders must comply with the following: (a) e-mails must have a mechanism to “unsubscribe”; (b) the content must be accurately reflected in the subject line and labeled if the content is adult; and (c) the message cannot contain a false or misleading header.
This checklist is for general informational purposes only, not legal advice. No one should act upon information contained in this checklist without obtaining professional advice. No attorney-client relationship is created between you and Fairfield and Woods, P.C., as a result of your viewing this information or as a result of any e-mail or other communications you may send to us. Unless we have previously reached an agreement with you to represent you, any communication from you to us by e-mail or otherwise may not be treated as confidential or privileged.
Copyright © 2012 Fairfield and Woods, P.C. All rights reserved.
John is chair of the corporate practice group at Fairfield and Woods, P.C. He specializes in the legal aspects of financing, running and selling businesses. He can be reached at firstname.lastname@example.org or (303) 830-2400.