7 Ways Your Website’s Privacy Policy Can Put You at Risk

James Chiodo, Certified Information Privacy Professional CIPP/US

  • Promising Not to Sell Your Customers’ Personal Information
  • Guaranteeing Your Users’ Personal Information Will Be Secure
  • Making Exaggerated and Misleading Statements in Your Privacy Policy
  • Inadvertently Collecting Information From Children
  • Changing Your Privacy Policy and Not Getting Consent From Users
  • Not Posting Your Privacy Policy Correctly to Comply With the Law
  • Complying With Global Privacy Laws

Did you know that a website privacy policy is required by law and that you can be held legally liable for the promises you make? Have you thoroughly read your website’s privacy policy to fully understand what you are responsible for?

In this article, I’ll explain 7 mistakes through which website owners subject themselves to fines, lawsuits, or compliance problems. I’ll also suggest ways to avoid legal problems.

For purposes of this article, personal information includes but is not limited to name, email address, physical address and phone number.

Here are 7 areas you should pay special attention to when developing your website privacy policy.

1. Promising Not to Sell Your Customers’ Personal Information
It sounds like the right thing to say in your privacy policy—that you will not sell your customers’ personally identifiable information (PII) to anyone. After all, this is what most of your customers want to hear and to receive assurance about when they sign up for your products or services. And you, as a website owner, want your customer list to grow because this is an important business asset.

What happens if, years later, you have a large, valuable database of customer information and decide to sell your business? And what if the sale of your business includes all your customers’ information because it adds significant value to the sale price? You may be in for a rude awakening when you find out that you cannot sell your valuable database of customer information because you did not have a provision in your privacy policy stating that you could sell your customers’ information in connection with the sale of your business.

If you were to do so without the express consent of your customers, you could find yourself facing a lawsuit from the Federal Trade Commission (FTC) in the U.S. or from other global regulatory agencies if you live in a country other than the U.S. If that isn’t bad enough, your users have the right to sue you as well. Unless you contact your entire customer list and get your customers’ permission to sell their information, you cannot legally do so. And the chances of them agreeing to the sale of their information are small.

How does bankruptcy affect selling customers’ personal information?
Because bankruptcy courts can modify a company’s debt obligations to help them reorganize, selling off valuable assets (e.g., a customer database) can be crucial to the debtor as a way of generating money. If a company’s database of customers is large enough, it could be worth a lot of cash.

Some website and business owners believe that if their company files for bankruptcy, some laws apply differently. In the case of privacy laws, the same laws apply whether you are selling your business to another party or filing for bankruptcy.

An improperly drafted website privacy policy can cause the sale of your customer database to come to a dead stop.

Both Toysmart and Radio Shack learned this in bankruptcy court when they were prohibited from selling their customers’ information because their privacy policies stated that they would never sell or share this information. The Federal Trade Commission sued Toysmart to prevent the sale of its customers’ information. Although both companies eventually worked out a solution for selling their customers’ information, the new buyers had to follow specific privacy guidelines as part of the sale.

You cannot legally sell your customers’ information unless your privacy policy clearly states that you can sell it along with the sale of your business. Should you decide to sell your business or file for bankruptcy, a simple provision in your privacy policy can pave the way to selling your customers’ PII without problems.

2. Guaranteeing Your Users’ Personal Information Will Be Secure
Here is a common provision some website privacy policies use:

Customer Data Privacy
Our website uses secure information collection, storage, processing, and other security procedures to prevent unauthorized access, disclosure, and destruction of your personal information stored on our servers and website. Your personal information is safe and secure with us and will not be disclosed to anyone other than authorized personnel.

Should something happen, like the hacking of your website or database, employee or vendor theft, or another event in which your customers’ information is disclosed to the public, you could be held legally liable even if the information’s disclosure was not your fault. Because you had the type of provision shown above in your privacy policy, promising your customers’ information would be secure, the Federal Trade Commission (FTC) could sue you for violating Section 5 of the FTC Act, which prohibits deceptive and unfair practices in commerce. Other countries have similar privacy laws and enforcement for disclosure of personal information.

Should this happen, your problems won’t end with the FTC. Your customers also have the right to sue you for not protecting their personal information after you promised, in your website’s privacy policy, to do so. Along with the promises you make in your privacy policy, you are required to take reasonable steps and precautions to protect your customers’ PII and maintain its security.

3. Making Exaggerated and Misleading Claims in Your Privacy Policy
Most people think of false advertising when they hear the term “exaggerated claims.” However, legal action has also been taken against companies that have made exaggerated promises and claims in their websites’ privacy policy – claims that are misleading or deceptive, or that cannot be substantiated.

One example would be when you tell users in your privacy policy that they can opt out of online behavioral advertising (tracking) but, after the user opts out and deletes cookies, your website still tracks them using special cookies (sometimes called “super cookies” or “zombie cookies”) and other tracking mechanisms on users’ devices. See the FTC enforcement action against an ad tech company for deceptively tracking consumers.

The FTC can also hold you accountable for making exaggerated claims in your privacy policy about the security measures you use to protect customers’ personal information if you cannot substantiate those security measures.

The FTC does not discriminate in terms of who it goes after for privacy violations it considers misleading or deceptive. As past FTC enforcement actions have shown, Google is no exception. In fact, Google has paid one of the largest settlements ($22.5 million) in FTC history for violating the privacy of online consumers.

When creating your website privacy policy, make sure the statements and promises you make are reasonable and achievable. You are responsible for the promises and guarantees in your privacy policy, and you are required by law to obey them.

4. Inadvertently Collecting Information From Children
The Children’s Online Privacy Protection Act (COPPA) requires you to obtain parental consent before collecting information from children under the age of 13. Most websites state in their terms and conditions and privacy policies that they are not designed or intended for children under the age of 13.

Some of those websites ask users to enter their birthdate as part of their screening process, known as “age-gating.” This seems like an excellent screening process. What happens when users enter a date of birth showing that they are under the age of 13? If you have good programming in place, these users will not be able to proceed to your website because of their age.

In the case of Yelp, its website did not have a mechanism in place to stop a user under the age of 13 from signing up for its services. Although the website clearly stated it was not directed toward children under the age of 13 and although it asked users to enter their date of birth to register, Yelp did not have an operational mechanism in place to prevent users who entered a birthdate that would have placed them under the age of 13 from signing up.

Because of this flaw in the website, thousands of users signed up for Yelp even though they had entered a date of birth clearly showing that they were younger than 13 years of age. Yelp proceeded to collect personal information from several thousand users under 13, including their names, locations, email addresses, and other information. Since Yelp collected personal information from users who had provided a birthdate specifying that they were younger than 13 years of age, the Federal Trade Commission (FTC) alleged that Yelp had “actual knowledge” that it was collecting information from children and violating COPPA.

This flaw in Yelp’s website platform cost the company $450,000 in civil penalties. In addition, Yelp was required to comply with all COPPA regulations, including compliance monitoring procedures and proper recordkeeping, and to provide compliance reports directly to the FTC.

The lesson here is clear: websites that use an age gate to prevent entrance by children younger than 13 should make sure they have a mechanism in place that prevents an underage child from entering his or her personal information and signing up for the website’s services.

When using specific software for your website, test, test, test to make sure it is functioning properly.
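One way to build the age gate this section calls for, as an added example (not Yelp’s code or anything from the original article): a server-side check that computes the user’s age from the submitted birthdate, rejects malformed and future dates, and writes the record only after the gate has passed, so a rejected submission never becomes stored PII. The form field names, the YYYY-MM-DD format and the in-memory store are assumptions.

```python
from datetime import date

COPPA_MIN_AGE = 13  # COPPA: parental consent required below this age


def parse_birthdate(text):
    """Parse a YYYY-MM-DD string; return None for anything malformed."""
    try:
        return date.fromisoformat(text.strip())
    except (ValueError, AttributeError):
        return None


def age_on(birthdate, today):
    """Whole years completed between birthdate and today (handles Feb 29)."""
    years = today.year - birthdate.year
    # This year's birthday has not arrived yet -> one year younger.
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def evaluate_signup(form, today=None):
    """Server-side age gate. Returns (decision, reason).

    Runs before any other field (name, email, location) is persisted,
    so a submission that fails the gate is never collected.
    """
    today = today or date.today()
    birthdate = parse_birthdate(form.get("birthdate", ""))
    if birthdate is None:
        return "reject", "birthdate missing or not YYYY-MM-DD"
    if birthdate > today:
        return "reject", "birthdate is in the future"
    if age_on(birthdate, today) < COPPA_MIN_AGE:
        return "reject", "under %d" % COPPA_MIN_AGE
    return "allow", "age gate passed"


def handle_signup(form, store, today=None):
    """Persist only submissions that passed the gate.
    `store` is a list standing in for the user database (assumption)."""
    decision, reason = evaluate_signup(form, today)
    if decision == "allow":
        store.append({"name": form["name"], "email": form["email"]})
    return decision, reason


if __name__ == "__main__":
    # Constructed sample submissions, evaluated against a fixed date.
    fixed_today = date(2020, 6, 15)
    samples = [
        {"name": "A", "email": "a@example.com", "birthdate": "2007-06-15"},  # turns 13 today
        {"name": "B", "email": "b@example.com", "birthdate": "2007-06-16"},  # 12, birthday tomorrow
        {"name": "C", "email": "c@example.com", "birthdate": "06/16/2007"},  # wrong format
    ]
    db = []
    for s in samples:
        print(s["birthdate"], handle_signup(s, db, fixed_today))
    print("stored records:", len(db))
```

The boundary cases in the sample (birthday today versus tomorrow, a date in the wrong format) are exactly the ones to include in the "test, test, test" pass before the form goes live.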

5. Changing Your Privacy Policy and Not Getting Consent From Users
Changing your website privacy policy is standard practice and generally uneventful if done correctly. However, if not done properly, you can face lawsuits and fines. Here is a common provision in some website privacy policies:

We reserve the right to change and update our website privacy policy at any time. We suggest that you review our privacy policy each time you visit our website. We will post revisions to this policy on our website’s home page or in another obvious spot on our website, and the revision shall be effective immediately on such posting. You agree to periodically review our privacy policy posted on our website to be aware of any changes.

Many website owners assume that using such a provision covers them when they make changes to their website privacy policies and that the changes apply to all past customers. Say that when you started your website, you promised customers you would not sell their personal information. Now you decide it would be profitable to sell their information to other companies. You change your privacy policy, saying that you reserve the right to sell your customers’ information, thinking that the provision shown above will protect you with respect to this new change to your privacy policy.

It would be nice if privacy laws were simple and worked that way; however, privacy laws are not simple and they do not work that way. Your website’s privacy policy is a binding agreement with your users and laws apply to you when you make certain changes to it.

If you make significant changes in the way you treat customers’ information and want those new changes to apply to your entire database of customers, past and present, the law requires that you notify past customers about the changes to your privacy policy and give them the choice of either accepting the changes or opting out of having their personal information sold.

In other words, you need customers’ consent before you can sell their information. A non-response from them is not sufficient; they must respond by telling you that they accept the selling of their personal information. If you don’t get your customers’ express affirmative consent to sell their information, you could face lawsuits and fines.

Consider for a moment all the notices you get from companies telling you about changes to their privacy policies and acceptance procedures. They send these notices because the privacy law requires them to do so if the new changes are to be effective.

6. Not Posting Your Privacy Policy Correctly to Comply With the Law
You can have the best website privacy policy money can buy, but if you don’t post it correctly on your website, you may have little or no protection. For your privacy policy to comply with the law and be enforceable, you must post it “Clearly and Conspicuously” on your website. Putting it in the footer of your website in a smaller font like many websites do will not satisfy the legal requirements for posting privacy policies.

Ideally, you will place the privacy policy above the fold of the page so that it shows on all pages of your website. Also, the law requires that the link to your privacy policy say “Privacy” at a minimum; better would be “Privacy Policy.” The font size of the link must be at least as big as the font size of the surrounding links and text. Ideally, it should be in a larger font or a contrasting color.

Here is a partial list of requirements for posting your website privacy policy, from the California Business and Professions Code 22575 (The California Online Privacy Protection Act [CalOPPA]).

(a) An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site shall conspicuously post its privacy policy on its Web site.

(b) The term “conspicuously post” with respect to a privacy policy shall include posting the privacy policy through any of the following:
(2) A hyperlink to a Web page on which the actual privacy policy is posted and the hyperlink contains the word “privacy.” The hyperlink shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.
(3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:
(A) Includes the word “privacy.”
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.

California’s common law is clear: you cannot bind a website user to inconspicuous contractual provisions contained in a document (terms and conditions and privacy policies) of which they are unaware and whose contractual nature is not obvious.

Although this is a California law, you are required to comply with it and its regulations no matter where you or your business is located if your website can reach users in California.

Here is just one example of a privacy policy posted “Clearly and Conspicuously” (screenshot not reproduced).

7. Complying With Global Privacy Laws
If your website reaches users in other countries, you must obey the privacy laws of those countries. For example, if you do business and live in the United States, you are required to obey the privacy laws of countries such as Canada, the United Kingdom, Australia, and the countries of the European Union. Although currently it is difficult for countries to enforce their privacy laws outside of their jurisdictions, that will change in the future. Countries are continuing to expand global relationships with one another to enforce privacy laws. If your website reaches global users, it is best to comply with global privacy laws now rather than risk compliance problems and possible enforcement in the future.

Some Final Thoughts

Mobile apps
Privacy laws apply to mobile app operators just as they do to website owners. In the U.S., mobile apps are under close scrutiny from the state of California and the Federal Trade Commission (FTC). Both the FTC and the state of California have filed lawsuits against mobile app operators for various privacy violations. Mobile apps that collect information about a user without his or her knowledge, such as by tracking a user’s location using GPS, are especially susceptible to compliance problems. If you operate a mobile app, you should pay special attention to the regulations governing mobile apps. You can download an excellent free guide about complying with mobile app privacy laws and disclosures here.

Complying with Google, Facebook, the App Store, and others
Aside from privacy laws, some big Internet companies impose their own requirements. Even if you have a privacy policy that complies with the privacy laws, you are still required to comply with the terms of service of Internet companies such as Google, Facebook, Bing, and the App Store. In the case of Google, it requires you to include specific provisions in your privacy policy if you are using Google Analytics, AdSense, or the AdWords remarketing service.

Avoid free privacy policies
All the websites offering free privacy policies and generators on the Internet would have you believe that you can plug in a little information and in seconds generate a compliant privacy policy for your website. Unfortunately, these websites have no understanding whatsoever of privacy law and promote misinformation that could hurt their users.

In our analyses of the free privacy policies being given away on the Internet, we have yet to find one that complies with current privacy laws and protects the website owner. Not only do they not comply with current privacy laws, some of them contain language that could expose the website owner to increased legal liability. It pains me to say this, but it is better to have no privacy policy at all than to use the free policies on the Internet.

Read your privacy policy
It may be the most important document you’ll ever post to your website and the law requires you to comply with it. Read it, understand it, and obey it.
