Guidelines for a Good Privacy Policy

A privacy policy is a policy adopted by a Website owner to govern the Website's collection, use, and disclosure of private information about the Website's users.  Every Website that collects or uses such information should have a clear, written privacy policy prominently displayed on the Website.

Legal Regulation.  Many foreign countries impose explicit and sometimes demanding regulations on how Websites use private information.  The United States is different.  Federal law and state laws impose some regulations, but leave a lot of the specifics to the Website operator.  A Website owner should be generally familiar with the laws of any jurisdictions with which the operator does business.

Federal Law.  So far, the United States has not adopted a single uniform law to regulate the content of online privacy policies.  Instead, federal privacy protection consists of different federal laws and regulations.  Websites are subject to the regulatory authority of the Federal Trade Commission.  Although the FTC has not yet promulgated comprehensive privacy policy regulations, it has taken action against Website owners that published privacy policies but did not follow them. (See In re GeoCities, Inc., File No. 9823015 (FTC Consent Order entered August 13, 1998).)

In 1999, Congress enacted the Children's Online Privacy Protection Act (COPPA) to regulate the collection of personal information about children under the age of 13. (15 U.S.C.A. §§6501-6506.) It also passed regulations to implement the statute. (16 C.F.R. §§312.1-312.12.)  As a result of this law, Websites that collect personal information about children under the age of 13 must follow specific notice and consent procedures before they can obtain, use, or disclose this information.

A variety of other federal laws may affect the use of private information depending upon the kind of Website.  For example, Websites that obtain or use health information may be subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which imposes privacy and security requirements on the collection and maintenance of personal medical record information. (45 C.F.R. §164.312 (2004).)  Website operators that qualify as "financial institutions" may be subject to the Gramm-Leach-Bliley Act and may have to post privacy statements regarding their collection of financial information. (15 U.S.C. §6801 et seq.)

California Law.  California law, unlike federal law, imposes specific requirements on the posting and maintenance of privacy policies, through the California Online Privacy Protection Act of 2003. (Cal. Bus. & Prof. Code §§22575 et seq.) The requirements are not onerous.

European Law.  The European Union has taken a more hands-on role than the United States in protecting consumer privacy in Website use.  In 1995 the European Union adopted the Directive on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (commonly known as the EU Privacy Directive). (Directive No. 95/46/EC (Oct. 24, 1995).)  The EU requires Website operators to obtain express consent to collect a Website user's personal data.  It also requires Websites to take certain steps to protect the quality of data obtained from their users.

The European Union does not regard United States law as adequately protecting data privacy, so compliance with American laws may be insufficient if an American Website owner collects data from citizens of EU member countries.  The EU has adopted "safe harbor" guidelines, whereby U.S. businesses that voluntarily adhere to certain privacy principles may be entitled to a presumption that their policies provide an adequate level of privacy within the meaning of the EU Privacy Directive. (U.S. International Trade Administration Electronic Commerce Task Force, "Safe Harbor Principles" (Nov. 4, 1998).)

Guidelines.  To meet the requirements of applicable state and federal law and to be consistent with sound, accepted industry practices, a Website operator should draft and post an explicit written policy concerning the use and disclosure of private personal information about Website users.  A good privacy policy should follow these guidelines:

  1. A privacy policy is necessary for any Website that collects "personally identifiable information" about its users.  "Personally identifiable information" means information such as name, address, email address, telephone number, social security number, any other "identifier that permits the physical or online contacting of a specific individual", or any "information concerning a user that the Web Site or online service collects . . . from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision." (Cal. Bus. & Prof. Code §22577(a).)
  2. If the Website collects personally identifiable information about persons under the age of 13, it must comply with the additional requirements of COPPA (see below).
  3. The Web site operator must identify the categories of personally identifiable information that the operator collects through the Web site or online service about users who use or visit the Web site.
  4. The Web site operator must describe the process by which a user may review and request changes to any personally identifiable information collected, if the operator provides such an option.
  5. The Web site operator must describe the process by which the operator will notify consumers who use or visit its site or service of material changes to the policy.
  6. The Web Site operator must identify the policy's effective date. (16 C.F.R. §312.4.)

COPPA regulations.  Websites that collect personally identifiable information about children under the age of 13 must, in addition to the foregoing, do the following:

  1. Provide notice in a "clear and prominent place and manner" of what information the Website collects, how it uses that information, and what its disclosure practices are;
  2. Obtain verifiable parental consent prior to any collection, use, or disclosure of personal information about a child;
  3. Provide, upon the request of a parent, a description of the information collected or used, the opportunity to refuse to permit further use of the information, and a means for the parent to review any personal information collected. (16 C.F.R. §312.4.)

The above guidelines are general guidelines for what a Website should include in its privacy policy; they should not be construed as legal advice.  Additional or different provisions may be advisable or required in a specific situation.  If you are seeking legal advice regarding privacy policies you should contact an attorney.  The attorneys at Davis & Leonard LLP can be reached at (916) 362-9000.