Checklist of Issues for Website Privacy Policies
February 2, 2012
By: John A. Leonard
1. What Information is Collected? Although every business is different, the starting point in evaluating a new or existing privacy policy is the same: the business needs to list the type of information it collects, how the information is collected, how the information is used internally, how the information is used by someone other than the business that collected it, what industry the business engages in, what state or country jurisdictions the business operates in, how the information is stored and what happens to the information once the business closes or is sold, or will no longer retain the information. Based on this list, the various laws, regulations and business considerations can be evaluated and applied.
2. Is a Terms of Service or Click Through Agreement Needed in Addition to a Privacy Policy? Posted terms of service and “click through” agreements complement a website’s privacy policy. Posted terms of service will frequently state that by using a website, the user agrees to the terms contained in the company’s privacy policy. Thus, by posting a website’s terms of use, a website owner can attempt to create an implied contract to the posted terms. Some web sites, particularly those that market alcohol, tobacco, and content not suitable for children, may also require a user to confirm that the user is not a minor prior to viewing the website. Finally, many websites that sell goods and services will have a click through agreement which sets forth the terms of sale, limits liability, establishes jurisdiction, and discusses payment and return issues. At the end of these agreements, the user must click a button to accept the terms stated in the click through agreement. One of the more important terms is that the user accepts the terms of the company’s privacy policy.
3. What is Personally Identifiable Information and Why is it Important? Most privacy laws relate to data which is associated with a particular person. A phone number is just a phone number. A phone number associated with a particular person may be regulated Personally Identifiable Information (PII). And, PII, if encrypted, may cease to be regulated in certain circumstances. Thus, understanding what data is collected, how it is used, and how it is stored are all necessary to know in order to determine which laws may apply to a company’s privacy policy.
4. State Laws, Jurisdiction: “Doing Business” and “Long-Arm” Statutes. Most privacy laws are state laws. Around 30 states have Data Disposal laws and 46 states have Security Breach Notification laws. Other states have laws relating to other aspects of privacy such as Transfer to Third Parties. Determining which laws apply to a business is an important step in determining what should be in a privacy policy. The state of incorporation/formation and the state in which the principal office is located are common states in which a business must comply with state laws. In addition, every state has a law regarding when a business must file a notice that it is doing business in the state. Typically, a business would file a Statement of Foreign Corporation in the office of the Secretary of State when it has employees or contractors who physically come into a state to sell goods or services, or in cases where a business maintains employees, service centers, distribution centers and other significant contacts. In addition, states can permit their citizens to sue nonresidents for breach of contract and torts (intentional or negligent harm) caused in the state. Some state privacy laws (for example, California) have a “private right of action” that permits a private citizen to sue an offender for violation of a privacy law. Thus, determining which state laws apply and how to comply will require that a company examine its place of formation, places of operation, where servers are located, and where harm is more likely to occur than in other places.
5. Federal Laws. With one exception (the FTC, discussed below), the federal government has not enacted broad-based privacy laws. Instead, the federal government has opted to regulate privacy for certain industries. The federal laws are:
(a) Gramm-Leach-Bliley (GLB) applies to financial institutions (which are broadly defined). Such institutions must give customers annual notices, are restricted as to whom and how private information may be transferred to unrelated third parties, and must give notices of breaches.
(b) The Health Insurance Portability and Accountability Act (HIPAA) applies to certain “Covered Entities” and has various rules regarding privacy, security, how data can be shared with business associates, and when notices of breach must be sent. HIPAA applies to any entity that is: a health care provider; or a health care clearinghouse; or a health plan.
(c) The Children’s Online Privacy Protection Act (COPPA) applies to websites or online services that are directed to children under the age of 13. Requirements include that website owners comply with a variety of provisions, including posting a privacy policy, providing direct notice to parents to obtain verifiable parental consent before collecting personal information from children, and to maintain the confidentiality, security, and integrity of the information collected from children.
6. Federal Trade Commission and Similar State Laws. The Federal Trade Commission (FTC) is very active in the privacy area and has a number of privacy publications on its website and initiatives it promotes. As part of its role to address unfair and deceptive trade practices, the FTC responds to consumer complaints and prosecutes website owners who do not follow their own posted privacy policies. The FTC publishes on its website a listing of actions, including fines and consent orders which obligate offenders to engage independent privacy auditors to review privacy compliance. Thus, website owners who either are required to have a published privacy policy or choose to have a privacy policy must “say as they do and do as they say” or risk an FTC enforcement action. The FTC is also a reason to be very circumspect in what is said in a privacy policy. A privacy policy is not a “marketing moment.” For example, Rite Aid, a large national pharmacy, was the subject of an FTC enforcement action. On one hand, Rite Aid promised in its website privacy policy that it “takes its responsibility for maintaining your protected health information in confidence very seriously” and, on the other hand, disposed of un-shredded personal data in public dumpsters. The FTC action was not based on violation of a data disposal law. Instead, it was based on Rite Aid’s failure to “do as it said” in its privacy policy.
7. International Laws. Businesses that have international operations or that simply have foreign customers must frequently observe foreign privacy laws that are more stringent than laws in the United States. For example, if a business obtains data from customers (either directly or through cookies), there are important notice, choice and privacy laws that should be evaluated, including the EU Privacy Directive; the FTC/EU Safe Harbor; and the May 25, 2011 Cookie Rule.
8. Industry and Industry Standards. A company’s industry matters because the federal laws (HIPAA, GLB, COPPA) discussed above regulate how certain industries treat data. In addition, certain industries have self-regulated and, intentionally or simply by consensus, developed industry standards relating to data and privacy. For example, in 2006, the payment card industry issued security standards and reporting requirements for organizations which handle bank cards (PCI DSS). In some instances, certain industries require by contract that certain privacy policies be agreed to and posted publicly. For example, when purchasing Google Analytics, Google requires that the business customer agree to certain privacy rules and post such rules in the customer’s public privacy policy. Still other industries, because of customer concerns or the desire to be seen as a leader in privacy issues, have gone beyond what is required by law and developed enhanced privacy, security and choice policies and procedures, some of which are monitored by independent auditing companies such as TRUSTe and others. Finally, industry standards are important because standards may be used to determine whether negligence has occurred. In other words, if the industry standard becomes common practice, it can become a duty for all in the industry to follow. Businesses should consider whether there are industry standards and whether compliance is mandatory or beneficial.
9. Industry Standard for Minimum Website Privacy Policy. Absent specific provisions which may be required by state or federal law, website owners have generally developed a privacy policy format. Typical headings include: (a) information we collect; (b) how we use collected information; (c) use of cookies and other automated methods of collecting information; (d) sharing of information with related or unrelated parties; (e) how users can exercise choice; (f) access to PII and ability to change it; and (g) how to contact the company.
10. Cookies; Behavioral Advertising; Consent. Information regarding a user can be collected automatically. For years, privacy policies have described how a website owner may use cookies in order to understand who a user is and improve website service. For example, a website operator may use cookies to determine which portions of its website are used more than others and, with respect to a particular user, in which language to display information. Properly drafted privacy policies describe what a cookie is and how the website owner uses information gathered by cookies. Cookies can now be ordinary cookies, flash cookies, HTTP cookies, HTML5 cookies and cache cookies, which are used for a variety of purposes. Some purposes may be acceptable to users (enhancing the user experience on the website by remembering the language the user uses when viewing), while other uses may not (behavioral advertising). Choice and consent have increasingly become an important privacy issue for many website operators. When and how should consent be granted? For example, many browsers permit a user to control cookies. Thus, some website operators state in their privacy policies that browsers can be adjusted, and that consent is therefore implied by use of the website. Other website owners believe that consent must be express and will honor a user’s request to “opt out” of the data collection methods and uses noted in a website. Finally, other website owners believe that choice and consent should be subject to the user’s express “opt in.” Website owners can use certain third-party tools to quickly enable opt out of behavioral advertising. For example, the Network Advertising Initiative (NAI) has developed a tool in conjunction with its members for the express purpose of allowing consumers to opt out of behavioral advertising delivered by member companies.
Likewise, companies can conform to self-regulatory programs developed by the Digital Advertising Alliance (DAA) and use Evidon, an analytics company that enables website owners engaged in online behavioral advertising to provide consumers with transparency into and control over how consumers’ data is collected and used.
11. Location Information. Many sites track GPS coordinates or physical locations of use, such as Wi-Fi locations or cell towers. Some website owners offer an “opt out” that disables such tracking, some website operators require express “opt in” permission before tracking, while other website owners simply describe the practice and leave it to the user to give implied consent by using the website.
12. How is Information Stored and Why it Matters. Many states have enacted data security breach notice laws. The laws vary from state to state; however, the common theme is that the duty to provide notification of a security breach will not arise unless: (a) the data elements are associated with each other (for example, a name stored in the same file as a Social Security number) and (b) the data is not encrypted. Therefore, website owners can reduce potential liability by developing data security procedures which address applicable state and federal laws.
13. Website Owner Liability for User Generated Content. Some websites permit users to post a variety of user generated content (UGC). Some content may violate the rights of others. Moreover, because of the nature of electronic commerce, a website owner may have little control over what is posted. The law relating to UGC and website owner liability continues to develop, and laws are frequently inconsistent. For example, complying with a law relating to copyright may increase liability under other laws. Two laws that provide protection for website owners are the Digital Millennium Copyright Act (DMCA) and the Communications Decency Act (CDA). There is a rule under the DMCA which protects “service providers” where a website user publishes infringing content. In order to obtain a DMCA defense, the DMCA requires that the service provider “expeditiously” remove materials once it receives actual knowledge or gains awareness that such infringing content has been published on its website. There are detailed rules under the DMCA regarding how the takedown notice must be published and communicated. Similarly, the CDA shields internet service providers from speaker/publisher torts, such as defamation, misinformation, infliction of emotional distress, threats, etc., based upon content created or developed by an unrelated user. The CDA requires certain conduct; otherwise the internet service provider will not receive CDA protections.
14. E-Mail Laws and Spam. Website owners that send unsolicited commercial e-mail must comply with the federal CAN-SPAM Act. Senders must comply with the following: (a) e-mails must have a mechanism to “unsubscribe”; (b) the content must be reflected in the subject (“Re:”) line and labeled if the content is adult; and (c) the message cannot contain a false or misleading header.
15. Transfer of Information when Company Closes. A company should consider what will happen to information it collects if the company is sold or goes out of business. If the company wants to ensure it has the right to transfer information after it ceases business, it may be prudent to say so in its privacy policy.
This checklist is for general informational purposes only, not legal advice. No one should act upon information contained in this checklist without obtaining professional advice. No attorney-client relationship is created between you and Fairfield and Woods, P.C., as a result of your viewing this information or as a result of any e-mail or other communications you may send to us. Unless we have previously reached an agreement with you to represent you, any communication from you to us by e-mail or otherwise may not be treated as confidential or privileged.
Copyright © 2012 Fairfield and Woods, P.C. All rights reserved.
John is chair of the corporate practice group at Fairfield and Woods, P.C. He specializes in the legal aspects of financing, running and selling businesses. He can be reached at jleonard@fwlaw.com or (303) 830-2400.