A common staple of any business’s website is the business’s website privacy notice or privacy policy. In a landscape of increasing enthusiasm for openness about businesses’ collection and use of personal information from regulators and consumers alike, businesses must stay cognizant of the content of their privacy notices. Not only do Federal and state consumer protection laws require privacy notices to accurately disclose businesses’ practices with respect to collecting and handling consumers’ personal information, but numerous industry-specific Federal laws and generally applicable state laws actually require businesses to provide privacy notices that include specific content on their website. Failure to comply with applicable privacy laws, including maintaining a privacy notice that does not reflect the business’s actual practices, can result in significant civil penalties and fines, damages from private lawsuits, and potential harm to consumer goodwill.
Keep reading for a discussion of information that businesses should include in their website privacy policies and the laws and potential legal ramifications for failing to include legally-required information or maintaining an inaccurate privacy notice.
Fundamentally, the purpose of a website privacy notice is simply to inform website users and potential customers of the type of personal information the business collects and how it is used, shared, and stored. In that regard, the Federal Trade Commission (the “FTC”), which regulates and enforces federal laws governing consumer privacy, has issued guidance to businesses on best practices for handling personal information and providing notice to consumers on the collection and use of personal information. While such FTC guidance, which is premised on the “fair information practice principles,” is not law and does not constitute rules that businesses must legally adopt or comply with, it has formed the basis of a number of Federal, industry-specific laws relating to mandatory privacy notices. For that reason, businesses should consider adopting FTC guidance when evaluating whether they need to create or update a privacy notice.
Generally, a privacy notice should notify consumers of:
While all businesses should generally make the above disclosures in their website privacy notices, the list is not exhaustive and additional disclosures may be necessary to accurately reflect a business’s practices or comply with an applicable privacy law.
As mentioned above, although there is no Federal law generally prescribing content for all website privacy notices, there are both 1) Federal laws applying to the privacy practices of businesses in specific industries and 2) state laws that apply generally to businesses collecting personal information of such states’ residents.
For example, the Federal Children’s Online Privacy Protection Act (“COPPA”) applies to businesses’ online collection and use of personal information of minors twelve years old and younger. COPPA generally applies to any business whose website either 1) is directed at children under the age of thirteen or 2) collects information from children under thirteen and the operator has actual knowledge of such collection. Any website operator fitting this description must include certain mandatory disclosures in its website privacy notice. The Federal Gramm-Leach-Bliley Act, which applies to financial institutions, also requires covered businesses to provide notice to consumers of their privacy practices.
On the state level, California has led a trend of states prescribing certain privacy-related website disclosures and practices for businesses meeting certain jurisdictional thresholds. The California Consumer Protection Act (“CCPA”), for example, requires covered businesses to incorporate specific disclosures in their website privacy notices. The CCPA applies to all businesses meeting one of three alternative thresholds:
If the CCPA applies to a business, it must, among other things, inform California consumers of:
Other states have passed similar laws requiring specific content in a business’s privacy notice, including Colorado, Connecticut, Utah, and Virginia. If a business meets any of such states’ jurisdictional thresholds, it must adopt privacy practices consistent with the applicable state statute and include any required content in its privacy notices. If a business maintains a presence in any of these states or otherwise collects personal information online from such state’s residents, it should seek legal counsel to ensure it is in compliance with applicable privacy laws.
Crucially, even if an industry or state-specific privacy law does not apply, the FTC, or a state attorney general, may still take legal action against a business whose actual practices do not reflect the disclosures made in its privacy notice. If a business provides a privacy notice on its website (as it should), the notice must accurately reflect the business’s actual practices. If not, the inaccuracies in the privacy notice could subject the business to liability for engaging in deceptive trade practices under Federal and state consumer protection laws. For example, in 2012, Google settled a legal action with the FTC for $22.5 million and with certain state attorneys general for $17 million for misrepresenting how users of the Internet browser Safari could “opt-out” of Google tracking their browsing activity through “cookies” in its privacy notice.
To avoid liability, businesses must engage with their website developer, marketing or advertising agency, I.T. department, or other relevant executives, employees, or third parties with a working or technical understanding of the business’s practices to learn, among other things, just how the business collects personal information, what types of personal information are collected, who the information is sold or provided to, what the information is used for, how it is stored, and how consumers may opt out or otherwise disable such collection activities. Failure to accurately represent these processes or practices in the privacy notice, or to inform consumers of any material changes to the privacy notice, could result in litigation and potentially steep penalties.
As a quick note, while this article focuses on guidance and laws applicable to collecting personal information in the United States, businesses that operate internationally must also consider the privacy laws and regulations in other jurisdictions, such as the European Union (“EU”). The General Data Protection Regulation (“GDPR”) generally regulates the processing and controlling of personal information in the EU, but may also apply to businesses outside the EU that process or control the personal information of EU residents for the purpose of offering or selling goods or services. Any business selling or offering goods or services in the EU should consult counsel as to whether their privacy practices and privacy notice are GDPR-compliant.
In recent years, regulators and consumers have become increasingly concerned with businesses’ collection and use of consumers’ personal information. In that context, businesses either marketing or conducting transactions online cannot disregard the content of their website privacy notices, which should accurately inform consumers of, among other things, who collects consumers’ personal information on the website, how the personal information is collected, what types of information are collected, whether the business shares or sells such information, how the information is stored, and the business’s security measures for protecting the privacy of the information. Various state laws, and Federal laws applying to specific industries, actually require businesses to include specific disclosures in their website privacy policies and adopt specific privacy practices. Even absent an applicable state or Federal privacy law, consumer protection laws require businesses’ website privacy notices to accurately reflect the business’s actual practices.
By: Mitchell Zolton
This publication is intended for educational purposes only. This communication highlights specific areas of law and is not legal advice. The reader should consult an attorney to determine how the information applies to any specific situation.
At Fahey Schultz Burzych Rhodes PLC, we’ve been helping municipalities, franchised businesses, employers, and more with their legal needs since 2008. We’d love to learn how we can help you, too.