Jurisdiction: Federal
Description
Website Privacy Policy
Website Privacy Policy Preparation Form (Coming Soon). However, if you would like to see an example, Laditum currently uses our Website Privacy Policy.
Summary – Website Privacy Policy
This website privacy policy is for online businesses in connection with the collection, storage, use, and disclosure of personal information. Online businesses may also use this policy for selling goods or services to site users and contacting users with direct marketing information.
Details
Website Privacy Policies
A website privacy policy notifies users about the website operator’s practices concerning the collection, storage, use, and disclosure of information, including personal information.
Online businesses and websites should use this Website Privacy Policy as a model for a website that collects basic personal information (for example, name, address, and credit card information) from users of the site in an online application or registration form for purposes that may include:
- Providing goods or services, including content and information.
- Using interactive features or social media applications.
- Direct marketing.
However, no model privacy policy works for all or even most websites. Instead, operators should carefully draft their website privacy policy to specifically reflect the company’s actual or anticipated information collection and privacy practices.
Legal Issues
Websites that collect user information should post a privacy policy on the site to disclose the site operator’s information collection and privacy practices. In the US, website privacy policies must comply with applicable privacy and data security laws, including:
- The Federal Trade Commission Act, regulating unfair or deceptive business practices and providing guidance on consumer privacy disclosures;
- The Children’s Online Privacy Protection Act (COPPA), regulating the online privacy of children under 13;
- The Gramm-Leach-Bliley Act (GLBA), regulating personal information held by financial institutions;
- The Health Insurance Portability and Accountability Act (HIPAA), regulating health and medical information held by healthcare providers and other healthcare entities; and
- State privacy laws, particularly in California.
However, even where the law does not specifically require a website privacy policy, posting an accurate and well-drafted policy can reassure website visitors that the site operator does not use their personal information irresponsibly.
A website privacy policy should always state its effective date and address the following privacy principles:
- Notice. The policy should clearly inform visitors about the types of personal information collected. Additionally, the policy should describe in detail how personal information is collected, used, and shared.
- Choice and consent. Online businesses and websites should draft the policy such that it provides visitors with choices regarding how their personal information is used or disclosed. Additionally, websites may need to obtain consent if users’ personal information is used for purposes unrelated to the business’s interaction with the visitor.
- Access. The policy should describe how users can access, correct, and remove any personal information collected by the site.
- Security. The policy should describe the steps taken by the site operator to protect personal information.
International Considerations
Although compliance with foreign privacy and data protection requirements is outside the scope of this Website Privacy Policy, US-based website operators that collect personal information from website visitors residing outside of the US or that operate in foreign jurisdictions (for example, by storing or hosting personal information in non-US jurisdictions) may be subject to privacy and data protection laws in those jurisdictions.
Users of this document should be aware that some foreign jurisdictions, such as the EU, may:
- Have comprehensive privacy and data security laws that are more stringent than US laws, including the EU General Data Protection Regulation (GDPR) and the EU Privacy and Electronic Communications Directive (E-Privacy Directive).
- Require prior, explicit user consent for:
  - certain data collection techniques, such as the use of cookies; and
  - the collection and use of certain sensitive information.
- Place restrictions on the transfer of personal information to other countries.
Assumptions
This website privacy policy assumes that:
- The website operates only in the US and only collects personal information from US residents. If the website operates in more than one jurisdiction (which may include storing or hosting data in that jurisdiction) or collects personal information from website visitors located outside of the US, the website operator must determine whether it is subject to the laws of those foreign jurisdictions and, if so, take steps to comply with those jurisdictions’ laws, including any personal information transfer restrictions.
- The site operator is not subject to the privacy and data security requirements of GLBA or HIPAA. Financial institutions subject to GLBA and healthcare providers and other entities subject to HIPAA should review those regulations to ensure that their website privacy policies comply with the relevant requirements.
- The website is not subject to COPPA. If the website is directed to or knowingly collects information from children under 13, the website operator must ensure that the privacy policy and its practices comply with COPPA’s requirements.
Other Considerations
To maximize enforceability, a website privacy policy must be:
- Easy for the intended website users to read and understand.
- Clearly and conspicuously accessible on the website. A link to the policy must be conspicuously placed wherever personal information is collected, preferably on every website page. Some site operators use a layered notice format, pairing a short summary with a detailed disclosure, to simplify a complex privacy notice.
- Consistent with the website terms of use and any other notices, statements and representations on the site.
- Consistent with the site operator’s actual business operations and information handling practices. The policy should not make any promises the site operator cannot or does not intend to keep.
Where particularly sensitive personal information is collected, obtaining explicit acknowledgment or consent from the user may also be required. Common consent methods include click-through agreements, where the user is prompted to click on an icon or check a box indicating that the user has read the policy and assents to its terms.
To ensure the privacy policy accurately reflects the website’s current and anticipated information handling practices, technical features, and content, before posting it to the site it should be reviewed by:
- Senior management.
- Business and technical employees responsible for operating the site.
- Operating units responsible for controlling access to and use of personal information collected from the site.
- Information technology groups responsible for security.
- Legal counsel.
The website operator’s legal counsel should periodically audit the business’s compliance with the privacy policy. The site operator should also periodically verify the site’s compliance with the practices outlined in the privacy policy, in particular any choices and methods given to users to opt out of certain uses or disclosures, such as the ability to unsubscribe from a mailing list. This is important because failing to implement effective procedures and technology to honor user opt-out requests exposes the site operator to potential liability for failing to comply with its own privacy policy.
Additional Documents
Legal Disclaimers
Important Legal Disclaimers
Helix Compliance, LLC (“Helix”) is not a law firm, and Helix’s employees and representatives are not acting as your attorney. Helix provides a technology-based platform for those seeking to prepare their own legal documents. Using Helix’s system-generated documents does not create an attorney-client relationship between you and Helix or any Helix employee or representative. Therefore, your communications with Helix do not constitute privileged communications. Likewise, neither the attorney-client privilege nor the work product doctrine protect your communications with Helix. Helix is not your lawyer in any way, shape, or form.
Using Helix’s documents is not a substitute for the expertise of an attorney. Thus, you should not use Helix’s system-generated documents as a substitute for legal advice. Additionally, you should not construe Helix’s system-generated documents as legal advice. Helix does not review any information provided to it for legal accuracy or sufficiency. Helix does not apply the law to the facts of your situation, and Helix does not draw legal conclusions. Further, Helix does not provide opinions about your selection of documents. Users seeking legal advice should consult a qualified licensed attorney.
Even though Helix seeks to ensure that document content is up-to-date, laws change rapidly. Therefore, Helix does not guarantee that each document is completely current. The law differs in each legal jurisdiction and may be applied differently depending on your factual circumstances. If you are unsure whether your situation requires a specific document or whether the document’s contents are legally sufficient for your specific purposes, you should consult a qualified licensed attorney.
Comments from the Author
Website Privacy Policy