Privacy Policies and Legal Compliance

If you are a business owner in the year 2019, chances are you have a website, and regardless of whether you use your website to sell products or market services, you likely collect some personally identifiable information (“PII”) from those who visit your site. PII may include a person’s name, email or home address, phone number, or even financial information used to make purchases; essentially, any information that may identify a person is considered PII. A privacy policy details how PII is collected, stored, and distributed. Though privacy policies are not required by federal law in the United States, several states do require them. Additionally, many federal laws dictate the use and collection of PII and should be considered when drafting a privacy policy.

Depending on the type of business that you run, you may need to consider federal law when writing your privacy policy. Relevant federal laws include the Americans With Disabilities Act; Cable Communications Policy Act of 1984; Children’s Internet Protection Act of 2001 (updated in 2013); Computer Fraud and Abuse Act of 1986; Computer Security Act of 1997; Consumer Credit Reporting Control Act; and Children’s Online Privacy Protection Act. (International law, such as the EU Data Protection Regulation, is not discussed in this blog but should also be considered if your website has a global reach.) State laws regarding PII range in scope from the very specific (e.g. Arizona’s e-reader law, which requires that a public library not disclose the PII of patrons, including materials obtained from the library electronically or otherwise) to the very broad (e.g. California’s law, discussed below).

The most prominent and far-reaching state law regarding privacy policies in the United States is the California Online Privacy Protection Act (“CAOPPA”). It is important to note that regardless of where your business is physically located, if the website reaches users in California and potentially collects PII from such users, then you must comply with CAOPPA. CAOPPA requires a privacy policy to contain the following information: the type of personal data collected; affiliated organizations with which data may be shared; a list of any third parties who collect PII through the website; information regarding how users can request amendments to PII collected; the company’s process for informing users of changes to the Privacy Policy; and the effective date of the Privacy Policy. CAOPPA also requires a Privacy Policy to detail what happens if a user makes a “Do Not Track” request. Website owners are not required to comply with such a request, but the privacy policy must be clear on how a request will be handled.

A privacy policy should be written in plain English and be simple enough for the typical user to understand its contents.  At a minimum, it should include:

  • Name of the business;
  • Contact information for the business;
  • Type of PII collected, the reason why it is collected, and how it will be used (by the company or third-party affiliates);
  • Reason why PII is collected;
  • Type of PII, if any, shared with third-party affiliates; and
  • How a user may opt out of the collection of their PII.

More importantly, a company must practice what it preaches when it comes to use of PII.  In other words, it is imperative that PII is only collected, stored, and used in the manner described in the privacy policy.

Model privacy policies are available all over the web these days, but there is no substitute for solid legal advice and research when it comes to compliance with the law. Further, established privacy policies should be reviewed regularly to ensure compliance with the ever-changing laws regarding PII and data collection. For help with drafting a privacy policy, or reviewing an existing policy, contact The Wladis Law Firm.
