Website Privacy Policies
- Providing goods or services, including content and information.
- Using interactive features or social media applications.
- Direct marketing.
- The Federal Trade Commission Act, regulating unfair or deceptive business practices and providing guidance on consumer privacy disclosures;
- The Children’s Online Privacy Protection Act (COPPA), regulating the online privacy of children under 13;
- The Gramm-Leach-Bliley Act (GLBA), regulating personal information held by financial institutions;
- The Health Insurance Portability and Accountability Act (HIPAA), regulating health and medical information held by healthcare providers and other healthcare entities; and
- State privacy laws, particularly in California.
- Notice. The policy should clearly inform visitors about the types of personal information collected. Additionally, the policy should describe in detail how personal information is collected, used, and shared.
- Choice and consent. Online businesses and websites should draft the policy such that it provides visitors with choices regarding how their personal information is used or disclosed. Additionally, websites may need to obtain consent if users’ personal information is used for purposes unrelated to the business’s interaction with the visitor.
- Access. The policy should describe how users can access, correct, and remove any personal information collected by the site.
- Security. The policy should describe the steps taken by the site operator to protect personal information.
Users of this document should be aware that some foreign jurisdictions, such as the EU, may:
- Have comprehensive privacy and data security laws that are more stringent than US laws, including the EU General Data Protection Regulation (GDPR) and the EU Privacy and Electronic Communications Directive (E-Privacy Directive).
- Require prior, explicit user consent for:
  - the collection and use of certain sensitive information.
- Place restrictions on the transfer of personal information to other countries.
- The website operates only in the US and only collects personal information from US residents. If the website operates in more than one jurisdiction (which may include storing or hosting data in that jurisdiction) or collects personal information from website visitors located outside of the US, the website operator must determine whether it is subject to the laws of those foreign jurisdictions and, if so, take steps to comply with those jurisdictions’ laws, including any personal information transfer restrictions.
- The site operator is not subject to the privacy and data security requirements of GLBA or HIPAA. Financial institutions subject to GLBA, and healthcare providers and other entities subject to HIPAA, should review those regulations to ensure that their website privacy policies comply with the relevant requirements.
- Easy for the intended website users to read and understand.
- Clearly and conspicuously accessible on the website. A link to the policy must be conspicuously placed wherever personal information is collected, preferably on every website page. Some site operators use a layered notice format, pairing a short summary with a detailed disclosure, to simplify a complex privacy notice.
- Consistent with the site operator’s actual business operations and information handling practices. The policy should not make any promises the site operator cannot or does not intend to keep.
Where particularly sensitive personal information is collected, obtaining explicit acknowledgment or consent from the user may also be required. Common consent methods include the use of click-through agreements, where the user is prompted to click on an icon or check a box indicating that the policy was read and that the user assents to its terms.
- Senior management.
- Business and technical employees responsible for operating the site.
- Operating units responsible for controlling access to and use of personal information collected from the site.
- Information technology groups responsible for security.
- Legal counsel.
Important Legal Disclaimers
Helix Compliance, LLC (“Helix”) is not a law firm, and Helix’s employees and representatives are not acting as your attorney. Helix provides a technology-based platform for those seeking to prepare their own legal documents. Using Helix’s system-generated documents does not create an attorney-client relationship between you and Helix or any Helix employee or representative. Therefore, your communications with Helix do not constitute privileged communications. Likewise, neither the attorney-client privilege nor the work product doctrine protect your communications with Helix. Helix is not your lawyer in any way, shape, or form.
Using Helix’s documents is not a substitute for the expertise of an attorney. Thus, you should not use Helix’s system-generated documents as a substitute for legal advice. Additionally, you should not construe Helix’s system-generated documents as legal advice. Helix does not review any information provided to it for legal accuracy or sufficiency. Helix does not apply the law to the facts of your situation, and Helix does not draw legal conclusions. Further, Helix does not provide opinions about your selection of documents. Users seeking legal advice should consult a qualified licensed attorney.
Even though Helix seeks to ensure that document content is up-to-date, laws change rapidly. Therefore, Helix does not guarantee that each document is completely current. The law differs in each legal jurisdiction and may be applied differently depending on your factual circumstances. If you are unsure whether your situation requires a specific document or whether the document’s contents are legally sufficient for your specific purposes, you should consult a qualified licensed attorney.