Is a Privacy Policy Required by Law?

James Chiodo, Certified Information Privacy Professional CIPP/US

The answer is yes. In the past, certain types of websites and blogs were not required by law to have a privacy policy. However, all that has changed as of January 1, 2014. California’s new law A.B. 370 requires website and blog owners to disclose how they respond to “Do Not Track” signals in their privacy policy. Law A.B. 370 has a very long reach and can be enforced against any website or blog owner, even if they live in another state.

If you have a website or blog on the Internet, a privacy statement is very important. Disclosing a visitor or customer’s personal information or using it for an unauthorized purpose can have severe consequences for your online business, especially if these actions are in violation of your website’s privacy statement.

A professional privacy statement will not only help protect you from legal liability, but it will also help instill trust and confidence in the customers who do business with you and visit your website.

See California laws and requirements for privacy policies.

What Is a Website Privacy Statement?

A website privacy statement is a policy that should clearly outline the type of personal information your website will collect. This information could include email addresses, phone numbers, and street addresses, for instance. The policy should also advise customers how their information will be used. Some websites’ operations require them to share their customers’ information with third parties.

If you have a site that processes credit cards, for example, then customer information must be released to the banking institution. You must disclose this sort of information to your customers and provide details on any other third parties who will have access to your customers’ information.

What if I Don’t Have a Privacy Statement on My Website?

Quite simply, not having a privacy policy on your website could open you up to legal liability. This liability can not only extend to legal damages, but could also result in the negative publicity that is generated by misusing your customers’ personal information. You should be aware of state and federal statutes that regulate Internet commerce and require the use of a privacy statement.

The Federal Trade Commission (FTC) has several such regulations, such as The Gramm-Leach-Bliley Act, which was created to regulate the financial industry. Another highly regulated area pertains to children and the Internet. The Children’s Online Privacy Protection Act (COPPA) was created to protect the rights of children.

This law requires websites to have a privacy statement if they have a target audience of children who are under 13 years old. There are even more regulations to come as well, as both the FTC and the US government have indicated that they intend to take further action in regulating Internet privacy laws.

Agencies like the FTC and the state of California have made examples out of companies that have violated privacy regulations. Their strong enforcement actions thus far should be an important lesson for every company that is collecting personal information on the Internet.

While the FTC has not established a specific minimum requirement for a privacy statement, they have established procedural minimums: you must communicate to your customer what data you are collecting and how you plan to use it.

Not only must this policy be in place, but it must also be actively implemented in your business practices. To be in compliance, you must clearly state your intentions in your privacy statement and then do what you say. Anything short of this smacks of “unfair and deceptive” business practices.

Your business is your livelihood, and it is just not worth taking a risk where you don’t need to.

Protect yourself as a business owner by using our attorney-drafted privacy statement for your Internet business.

