- Promising Not to Sell Your Customers’ Personal Information
- Guaranteeing Your Users’ Personal Information Will Be Secure
- Inadvertently Collecting Information From Children
- Complying With Global Privacy Laws
In this article, I’ll explain seven mistakes that expose website owners to fines, lawsuits, or compliance problems, and I’ll suggest ways to avoid them.
For purposes of this article, personal information includes, but is not limited to, name, email address, physical address, and phone number.
1. Promising Not to Sell Your Customers’ Personal Information
If your privacy policy promises not to sell your customers’ personal information and you sell it anyway without their express consent, you could find yourself facing a lawsuit from the Federal Trade Commission (FTC) in the U.S., or from the corresponding regulator if you operate in another country. If that isn’t bad enough, your users have the right to sue you as well. Unless you contact your entire customer list and obtain your customers’ permission to sell their information, you cannot legally do so. And the chances of them agreeing to the sale of their information are small.
How does bankruptcy affect selling customers’ personal information?
Because bankruptcy courts can modify a company’s debt obligations to help it reorganize, selling off valuable assets (e.g., a customer database) can be a crucial way for the debtor to generate money. If a company’s customer database is large enough, it could be worth a lot of cash.
Some website and business owners believe that if their company files for bankruptcy, some laws apply differently. In the case of privacy laws, the same laws apply whether you are selling your business to another party or filing for bankruptcy.
Both Toysmart and Radio Shack learned this in bankruptcy court when they were prohibited from selling their customers’ information because their privacy policies stated that they would never sell or share this information. The Federal Trade Commission sued Toysmart to prevent the sale of its customers’ information. Although both companies eventually worked out a solution for selling their customers’ information, the new buyers had to follow specific privacy guidelines as part of the sale.
2. Guaranteeing Your Users’ Personal Information Will Be Secure
Here is a common provision some website privacy policies use:
Our website uses secure information collection, storage, processing, and other security procedures to prevent unauthorized access, disclosure, and destruction of your personal information stored on our servers and website. Your personal information is safe and secure with us and will not be disclosed to anyone other than authorized personnel.
The problem with an absolute promise like this is that no system is breach-proof. If your site is compromised after you have told users their information is “safe and secure,” the FTC can treat the guarantee as a misleading or deceptive claim, and it does not discriminate in terms of who it goes after. As past FTC enforcement actions have shown, Google is no exception: Google paid one of the largest settlements in FTC history ($22.5 million) for violating the privacy of online consumers.
4. Inadvertently Collecting Information From Children
The Children’s Online Privacy Protection Act (COPPA) requires you to obtain parental consent before collecting information from children under the age of 13. Most websites state in their terms and conditions and privacy policies that they are not designed or intended for children under the age of 13.
Some of those websites ask users to enter their birthdate as part of their screening process, known as “age-gating.” This seems like an excellent screening process. What happens when users enter a date of birth showing that they are under the age of 13? If the check is implemented correctly, these users will not be able to proceed to your website because of their age.
Yelp’s website had no working mechanism to stop a user under the age of 13 from signing up. Although the website clearly stated it was not directed toward children under 13, and although it asked users to enter their date of birth to register, Yelp did not have an operational mechanism in place to prevent users who entered a birthdate that placed them under 13 from completing registration.
Because of this flaw, thousands of users signed up for Yelp even though the date of birth they entered clearly showed that they were younger than 13. Yelp proceeded to collect personal information from several thousand of these users, including their names, locations, email addresses, and other information. Since Yelp collected personal information from users who had themselves provided a birthdate placing them under 13, the Federal Trade Commission (FTC) alleged that Yelp had “actual knowledge” that it was collecting information from children and was violating COPPA.
This flaw in Yelp’s website platform cost the company $450,000 in civil penalties. In addition, Yelp was required to comply with all COPPA regulations, including compliance monitoring procedures and proper recordkeeping, and to provide compliance reports directly to the FTC.
The lesson here is clear: websites that use an age gate to keep out children younger than 13 should make sure the gate actually prevents an underage child from entering his or her personal information and signing up for the website’s services.
Whatever software runs your signup flow, test, test, test to confirm that an underage birthdate really does stop the registration rather than merely being recorded.
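The Yelp case above turns on one point: the age gate existed, but nothing enforced it, so the data was stored. As an added illustration (not code from the article or from Yelp), here is a server-side age gate in Python that fails closed: malformed and future birthdates are rejected, a February 29 birthday counts as reached on March 1 in non-leap years so a 12-year-old is never rounded up to 13, and the signup handler writes nothing from the form unless the user has reached 13. The form field names, the `register_user` handler, the 13-year threshold held in `MIN_AGE`, and the sample registrations are assumptions constructed for this demonstration.

```python
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# COPPA threshold discussed in the article; everything below is a constructed example.
MIN_AGE = 13


def parse_dob(text: str) -> Optional[date]:
    """Parse an ISO date (YYYY-MM-DD). Anything else is rejected, not guessed at."""
    try:
        return datetime.strptime(text.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def age_on(dob: date, today: date) -> int:
    """Completed years of age on `today`.

    Comparing (month, day) tuples means a Feb 29 birthday counts as reached on
    Mar 1 in non-leap years: the conservative choice for a gate, since it never
    treats someone as 13 a day early.
    """
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def gate_decision(dob_text: str, today: Optional[date] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Every failure path returns False (fail closed)."""
    today = today or date.today()
    dob = parse_dob(dob_text)
    if dob is None:
        return False, "invalid date of birth"
    if dob > today:
        return False, "date of birth in the future"
    if age_on(dob, today) < MIN_AGE:
        return False, "under minimum age"
    return True, "ok"


def register_user(form: Dict[str, str], store: List[Dict[str, str]],
                  today: Optional[date] = None) -> bool:
    """Hypothetical server-side signup handler.

    The gate runs before any field is written, so a rejected signup leaves no
    name, email or birthdate behind: the site never ends up holding a record
    that shows it collected data from someone who said they were under 13.
    """
    allowed, _reason = gate_decision(form.get("dob", ""), today)
    if not allowed:
        return False
    store.append({"name": form.get("name", ""),
                  "email": form.get("email", ""),
                  "dob": form["dob"]})
    return True


if __name__ == "__main__":
    # Constructed sample registrations, evaluated on a fixed date rather than date.today().
    fixed_today = date(2025, 2, 28)
    users: List[Dict[str, str]] = []
    samples = [
        {"name": "A", "email": "a@example.com", "dob": "2012-02-27"},  # turned 13 yesterday
        {"name": "B", "email": "b@example.com", "dob": "2012-02-29"},  # turns 13 on Mar 1
        {"name": "C", "email": "c@example.com", "dob": "29/02/2012"},  # wrong format
        {"name": "D", "email": "d@example.com", "dob": "2030-01-01"},  # future date
    ]
    for s in samples:
        verdict = "accepted" if register_user(s, users, fixed_today) else "rejected"
        print(s["dob"], "->", verdict)
    print("stored records:", len(users))
```

Two design choices matter here. First, the decision is made where the data is stored, not only in the browser form, so a client that skips or tampers with the check still hits the gate. Second, a rejected request is discarded rather than logged with its fields, which avoids exactly the situation the FTC described: a database full of records whose own birthdate field proves the operator knew the users were under 13.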
The same principle of express consent governs the sale of customer information: you need your customers’ consent before you can sell it. A non-response from them is not sufficient; they must affirmatively tell you that they accept the sale of their personal information. If you don’t obtain that express, affirmative consent, you could face lawsuits and fines.
Consider for a moment all the notices you receive from companies telling you about changes to their privacy policies and acceptance procedures. They send these notices because privacy law requires them to do so before the changes can take effect.
(A) Includes the word “privacy.”
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.
California’s common law is clear: you cannot bind a website user to inconspicuous contractual provisions contained in a document (terms and conditions, privacy policies) of which the user is unaware and whose contractual nature is not obvious.
Although this is a California law, you are required to comply with it and its regulations no matter where you or your business is located, as long as your website can reach users in California.
7. Complying With Global Privacy Laws
If your website reaches users in other countries, you must obey the privacy laws of those countries. For example, even if you live and do business in the United States, you are expected to obey the privacy laws of countries such as Canada, the United Kingdom, Australia, and the member states of the European Union whose residents your site serves. Although it is currently difficult for countries to enforce their privacy laws outside their own jurisdictions, that is changing: countries are continuing to expand cooperation with one another to enforce privacy laws. If your website reaches global users, it is best to comply with global privacy laws now rather than risk compliance problems and possible enforcement later.
Some Final Thoughts
Privacy laws apply to mobile app operators just as they do to website owners. In the U.S., mobile apps are under close scrutiny from the state of California and the Federal Trade Commission (FTC), both of which have filed lawsuits against mobile app operators for various privacy violations. Mobile apps that collect information about a user without his or her knowledge, such as by tracking the user’s location via GPS, are especially susceptible to compliance problems. If you operate a mobile app, pay special attention to the regulations governing mobile apps and the disclosures they require.
Complying with Google, Facebook, the App Store, and others
Avoid free privacy policies
Your privacy policy may be the most important document you’ll ever post to your website, and the law requires you to comply with it. Read it, understand it, and obey it.