Our Feed

Introduction

A common staple of any business’s website is the business’s website privacy notice or privacy policy. In a landscape of increasing enthusiasm for openness about businesses’ collection and use of personal information from regulators and consumers alike, businesses must stay cognizant of the content of their privacy notices. Not only do Federal and state consumer protection laws require privacy notices to accurately disclose businesses’ practices with respect to collecting and handling consumers’ personal information, but numerous industry-specific Federal laws and generally applicable state laws actually require businesses to provide privacy notices that include specific content on their website. Failure to comply with applicable privacy laws, including maintaining a privacy notice that does not reflect the business’s actual practices, can result in significant civil penalties and fines, damages from private lawsuits, and potential harm to consumer goodwill.

Keep reading for a discussion of information that businesses should include in their website privacy policies and the laws and potential legal ramifications for failing to include legally-required information or maintaining an inaccurate privacy notice.

The Privacy Notice’s Purpose and What it Includes

Fundamentally, the purpose of a website privacy notice is to simply inform website users and potential customers of the type of personal information the business collects and how it is used, shared, and stored. In that regard, the Federal Trade Commission (the “FTC”), which regulates and enforces federal laws governing consumer privacy, has issued guidance to businesses on best practices for handling personal information and providing notice to consumers on the collection and use of personal information. While such FTC guidance, which is premised on the “fair information practice principles,” is not law or constitutes rules that businesses must legally adopt or comply with, it has formed the basis of a number of Federal, industry-specific laws relating to mandatory privacy notices. For that reason, businesses should consider adopting FTC guidance when evaluating whether they need to create or update a privacy notice.

Generally, a privacy notice should notify consumers of:

• Who collects their personal information. The business should clearly and accurately notify consumers of precisely who is collecting their personal information. When the information is collected online through a business’s website, this may mean identifying the business entity that owns the website. Another possibility is that a third-party payment processor actually collects certain information, like credit card information and billing address, while the website owner collects other information, such as email addresses for disseminating promotional materials or otherwise communicating with customers.
• The types of personal information collected. Businesses routinely collect various types of personal information, including through their websites. This may include consumers’ names, email addresses, telephone numbers, and credit card information for processing consumers’ online purchases. More passively, the website may collect information about a consumer’s Internet activity through the use of “cookies” or similar tools, which should also be disclosed. Businesses must conduct a thorough inventory of all information collected from consumers to create an accurate privacy notice.
• How personal information is collected. Closely related to informing consumers of the types of information collected, businesses must also inform consumers about how it collects the personal information. Many times, consumers provide their personal information to businesses as part of conducting a transaction or requesting to receive promotional emails or other news from the business. Other times, as mentioned above, certain information may be collected by a website operator through “cookies” or other means of tracking consumers’ online activities. Disclosing the methods of how personal information is collected is important for also informing consumers how they may avoid or “opt-out” of such collection if they wish.
• How the business uses personal information. Once the consumer knows which information is collected and how, a business should next disclose how it uses the information. For example, the business may collect consumers’ email addresses for sending promotional notifications or news updates. It may also simply request an email address strictly for communicating about consumers’ transactions with the business, such as for sending receipts or tracking information.
• Whether the business shares consumers’ personal information with others and, if so, with whom. Businesses’ practices of sharing or selling consumers’ personal information with third parties are especially significant to Federal and state regulators, and should accurately be disclosed in any privacy notice. This may include the entity that owns the website sharing such information with an outside marketing agency, or with an affiliate or licensee. For example, a franchisor that owns and operates a website through which consumers order food to be prepared at a franchise location may share the consumer’s name, credit card, and other personal information with the third-party franchisee with whom the order will ultimately be placed. Under this scenario, the franchisor should disclose this practice to consumers in the franchisor’s website privacy notice.
• Whether consumers may elect not to have their personal information collected. The business should inform consumers of how they may “opt-out” or choose not to have the business collect or share their personal information. This may include providing contact information for a representative of the business who consumers may contact to opt-out or elect to have their information deleted.
• How the businesses stores and protects the privacy of the personal information collected. Businesses should disclose how consumers’ personal information is stored once collected. For example, consumers should be informed whether the information is stored on a computer at the business’s headquarters or local office or on a remote server. Relatedly, businesses should communicate the nature of any security measures taken to protect consumers’ personal information. At the very least, businesses should be taking commercially reasonable measures to prevent data breaches of consumers’ personal information, and have a plan in place to respond to any such breaches and notify interested parties. This may mean different things, depending on the nature of the personal information and the industry.
• How consumers may receive notification of any changes in the privacy policy. Businesses must inform consumers of any material changes to their privacy practices and notices. In that regard, consumers must be made aware of how they will be notified of such changes, including through email.
• Contact of representative who may field questions or concerns from consumers about the collection, use, or storage of their personal information. Finally, the privacy notice should provide a contact for consumers to submit questions about the business’s privacy practices or details on the personal information already collected from the consumer. Any contact the business provides must be legitimate and actually responsive to consumer inquiries.

While all businesses should generally make the above disclosures in their website privacy notices, the list is not exhaustive and additional disclosures may be necessary to accurately reflect a business’s practices or comply with an applicable privacy law.

Potential Minimum Disclosures Required by State and Industry-Specific Statutes

As mentioned above, although there this no Federal law generally prescribing content for all website privacy notices, there are both 1) Federal laws applying to the privacy practices of businesses in specific industries and 2) state laws that apply generally to businesses collecting personal information of such states’ residents.

For example, the Federal Children’s Online Privacy Protection Act (“COPPA”) applies to businesses’ online collection and use of personal information of minors twelve-years-old and younger. COPPA generally applies to any business whose website either 1) is directed at children under the age of thirteen or 2) collects information from children under thirteen and the operator has actual knowledge of such collection. Any website operator fitting this description must include certain mandatory disclosures in its website privacy notice. The Federal Gramm-Leach Bliley Act, which applies to financial intuitions, also requires covered businesses to provide notice to consumers of their privacy practices.

On the state level, California has led a trend of states prescribing certain privacy-related website disclosures and practices for businesses meeting certain jurisdictional thresholds. The California Consumer Protection Act (“CCPA”), for example, requires covered businesses to incorporate specific disclosures in their website privacy notices. The CCPA applies to all businesses meeting one of three alternative thresholds:

• The business has a gross annual revenue of at least $25 million;
• The business buys, receives for commercial purposes, or sells the personal information of at least 50,000 California residents, households, or devices; or
• The business derives at least 50% of its annual revenue from selling California residents’ personal information.

If the CCPA applies to a business, it must, among other things, inform California consumers of:

• What personal information is being collected about them, including the categories of personal information, categories of the sources of personal information, the business’s commercial purposes for collecting the information;
• Whether their personal information is sold or disclosed, and to whom;
• How they may exercise their right to “opt-out” of the business selling their personal information;
• How they may exercise their right to have the business delete their personal information; and
• The contact information for submitting questions or concerns about the business’s privacy policies, requesting to know what information the business has collected, and requesting to either delete the personal information or opt-out of its collection.

Other states have passed similar laws requiring specific content in a business’s privacy notice, including Colorado, Connecticut, Utah, and Virginia. If a business meets any of such states’ jurisdictional thresholds, it must adopt privacy practices consistent with the applicable state statute and include any required content in its privacy notices. If a business maintains a presence in any of these states or otherwise collects personal information online from such state’s residents, it should seek legal counsel to ensure it is in compliance with applicable privacy laws.

Business Must Actually Implement Practices Recited in a Privacy Notice to Avoid Potential Liability

Crucially, even if an industry or state-specific privacy law does not apply, the FTC, or a state attorney general, may still take legal action against a business whose actual practices do not reflect the disclosures made in its privacy notice. If a business provides a privacy notice on its website (as it should), the notice must accurately reflect the business’s actual practices. If not, the inaccuracies in the privacy notice could subject the business to liability for engaging in deceptive trade practices under Federal and state consumer protection laws. For example, in 2012, Google settled a legal action with the FTC for $22.5 million and with certain state attorneys general for $17 million for misrepresenting how users of the Internet browser Safari could “opt-out” of Google tracking their browsing activity through “cookies” in its privacy notice.

To avoid liability, businesses must engage with their website developer, marketing or advertising agency, I.T. department, or other relevant executives, employees, or third parties with a working or technical understanding of the business’s practices to learn, among other things, just how the business collects personal information, what types of personal information is collected, who the information is sold or provided to, what the information is used for, how it is stored, and how consumers may opt-out or otherwise disable such collection activities. Failure to accurately represent these processes or practices in the privacy notice, or failing to inform consumers of any material changes to the privacy notice, could result in litigation and potentially steep penalties.

International Implications

As a quick note, while this article focuses on guidance and laws applicable to collecting personal information in the United States, businesses that operate internationally must also consider the privacy laws and regulations in other jurisdictions, such as the European Union (“EU”). The General Data Protection Regulation (“GDPR”) generally regulates the processing and controlling of personal information in the EU, but may also apply to businesses outside the EU that process or control the personal information of EU residents for the purpose of offering or selling goods or services. Any business selling or offering goods or services in the EU should consult counsel as to whether their privacy practices and privacy notice are GDPR-compliant.

Conclusion

In recent years, regulators and consumers have become increasingly concerned with businesses’ collection and use of consumers’ personal information. In that context, businesses either marketing or conducting transactions online cannot disregard the content of their website privacy notices, which should accurately inform consumers of, among other things, who collects consumers’ personal information on the website, how the personal information is collected, what types information are collected, whether the business shares or sells such information, how the information is stored, and the business’s security measures for protecting the privacy of the information. Various state laws, and Federal laws applying to specific industries, actually require businesses to include specific disclosures on their website privacy policies and adopt specific privacy practices. Even absent an applicable state or Federal privacy law, consumer protection laws require businesses’ website privacy notices to accurately reflect the business’s actual practices.

By:  Mitchell Zolton

This publication is intended for educational purposes only. This communication highlights specific areas of law and is not legal advice. The reader should consult an attorney to determine how the information applies to any specific situation.