Understanding your Website Privacy Policy

Posted by Thomas E. Sowers on

We are regularly asked by clients to prepare privacy policies for their websites.  In our experience, many of these companies do not really understand the purpose of the policy, or the important issues relating to the policy, and simply treat it as a check-the-box item.

Part of the reason for the lack of understanding may be the fact that there are few laws directly aimed at privacy protection on the Internet and really no federal law requiring websites to have a privacy policy (except for websites of companies in a couple of industries; see Section 5 below).  Because no federal statute directs us as to what should be in our website privacy policies, there is uncertainty as to the purpose of the policies.

In the U.S., the main federal law that governs Internet privacy policies is the Federal Trade Commission Act (the “FTC Act”), with the 2006 SAFEWEB Amendments.  Section 5(a) of the FTC Act states that “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”  Many of the cases brought by the FTC against companies due to their website privacy policies involve claims that a company’s privacy policy is deceptive, false, or misrepresents the facts because the actual practice of the company differs from what is described in the privacy policy.

So, with that brief summary as to the (lack of) law governing privacy policies as a backdrop, here are some things you should be mindful of with respect to your website privacy policy:

1.  The Main Objective of the Policy Should Be Transparency and Accurate Disclosure
You should view your privacy policy as a disclosure document designed to get the consent of website visitors to your stated policies regarding the collection and usage of information from the visitors.  With this in mind, your privacy policy will only effectively serve as a consent from users to your data collection processes and usage of the data if the privacy policy accurately describes the collection and usage.  As mentioned above, many of the cases concerning privacy policies concern a company not doing what it says it will do in its privacy policy, leading to a claim by the FTC under Section 5(a) of the FTC Act. 

What should your privacy policy describe for users? First, the policy should describe the information collected from a visitor using your website, including the personally identifiable information voluntarily provided by the user (such as a name or email address) and the information that is automatically collected from the user’s use of the website.  The automatic collection of information includes the information collected through the use of analytics tools or tracking cookies. 

Second, the policy should describe the reasons you collect the information you do. In other words, for all of the information collected, whether voluntarily or involuntarily, you should explain to the user how you will use the information collected.   It may be as simple as stating that a user’s email address will be used to communicate with the user or that the information collected from analytics tools will be used in an attempt to enhance the user’s experience on your website by understanding how the user uses your website. 

Third, your policy should describe the information collected that may be shared with third parties as well as the identities of the third parties. This includes more than just disclosing whether you will sell information to third parties.  You should strive to make the user aware of every third party who may come into contact with the user’s information.  Thus, if you plan to use third-party service providers who will have access to the user’s information for hosting or IT maintenance or to send emails to users, the user should be made aware of this.

Fourth, the policy should describe the user’s ability to control or alter the personally identifiable information collected, or to delete an account.

Finally, the policy should describe what you do to protect the information collected by your website.  All security measures, including those taken to protect the physical security of any servers holding information, or those taken to protect transmissions, such as encryption, should be described to the user.  Again, the goal of the policy should be total transparency into how your website collects and uses information, and how it protects the information it receives. 

2.  A Company’s Privacy Policy Must Be Specifically Tailored to the Activities of the Company
Privacy policies are not cookie-cutter documents and should be drafted with extreme care and caution. Because the main objective of a privacy policy is transparency and accurate disclosure, your privacy policy needs to accurately reflect the data collection policies of your company.  The only way to have an accurate privacy policy is to have the necessary people in your company actively involved in the preparation of the policy.  In many instances one person in an organization is not going to know exactly what data is collected from users, how the organization uses the data or to which third parties the data is available. The process of preparing the policy should include members from all departments of an organization that uses data collected from the website. For example, IT personnel should be interviewed for an understanding of where data is stored and how it is protected, and accounting personnel should be interviewed to determine exactly what happens with credit card information if your website allows customers to pay online by credit card.

3.  Your Privacy Policy May Only Be Enforceable Against You (And Not Against the User)
There are basically two ways that website privacy policies are presented to users.  “Browsewrap” agreements are those in which the terms of the policy are posted on the website, typically through a link at the bottom of the home page.  “Clickthrough” agreements are those in which the user is required to click a button acknowledging his consent to the terms of the policy.

The law is less than certain in this area, but, in terms of enforceability, clickthrough agreements are definitely the preferred method.  The key consideration for a court deciding whether to enforce an Internet agreement, such as a website privacy policy, is whether there is adequate evidence that the user assented to the terms of the policy.  Most courts deciding whether to enforce a clickthrough agreement have found that the act of clicking on an “Ok” or “I Agree” button is enough to show that the user assented to the terms of the agreement.  It is difficult for the user to argue that he did not agree to the terms of the policy when the evidence shows that the user clicked the button stating “I Agree.”

With browsewrap agreements, however, there is no action required of the user, such as clicking an “I Agree” button, that allows a website to be able to claim that the user definitely consented to the terms of the agreement.  In general, the enforceability of a browsewrap agreement will depend upon whether the user had actual or constructive knowledge of the terms of the agreement.  This involves a fact specific analysis as to whether the actual or constructive knowledge exists.   The basic test is whether a reasonably prudent person would be aware of the existence of the policy. Factors considered by courts include whether the link to the policy is conspicuous and stands out on the webpage (i.e., whether the link is hidden in a group of other links) and whether the link is apparent when the home page is first opened, as opposed to a user having to scroll to the bottom of the home page to find the link.

For many businesses the decision as to whether to use a mandatory clickthrough policy for website visitors, as opposed to having a browsewrap agreement, depends on the company’s litigation risk profile and the importance of being able to enforce certain terms of the policy.  If you make the decision to go with a browsewrap policy, then you should consider whether to take certain steps to make it more likely that your policy will be enforced, by making the links to the policy more conspicuous, such as locating the link to the policy at the top of the webpage where a user does not have to do any scrolling to see the link, having the link show up on more webpages than just the home page (ideally all web pages), and, where appropriate, making mention of the policy throughout the website. For example, if you sell goods on your website, a prominent statement somewhere during the checkout procedure that use of the site and all sales are subject to your terms of use and privacy policy would seem to go a long way toward your being able to claim that the user was on notice of the policy.

Where does it leave you if you do not have an enforceable policy? Likely with a policy that has a one-way binding legal effect against you. Thus, while you will not be able to benefit from the disclaimers and delimiters in the policy that you would like to use, you will be required to abide by the terms of the policy dealing with your use of a website visitor’s information.

4.  Be Mindful of Issues Relating to Changing Your Policy
You should draft your policy to be as flexible as possible to minimize future updates.  If it is possible to anticipate future shifts in your policies for collecting or using information, then you should draft your policy to account for those future changes.  If you materially alter the way your organization uses or shares data that is collected from a user, you must receive the user’s consent to use any data collected under the previous version of the policy in the manner set forth in the new policy, which would likely be a very difficult effort.

Amending a privacy policy is also not nearly as easy to do as you might think.  Many privacy policies attempt to bind users to policy modifications with statements in the policy that any changes automatically bind the users, but this would likely not be effective.  There are cases holding that posting new terms on a company website is not sufficient notice to the user. In general, whether or not a privacy policy amendment will be binding on the user will follow the same analysis as set forth in Section 3 above regarding assent and actual or constructive knowledge.

If the changes to the privacy policy are material and adverse to the user, the best course of action would be to notify the user by mandatory clickthrough, or, in the case of browsewrap policies, notifying the user by email of the changes.  Also, posting a revised version of the new policy, together with a redlined version of the old policy or a detailed summary of the changes may be helpful. You should also consider giving as much time as possible (a minimum of 30 days) after notice to the user before the policy becomes effective. Coupling any of these steps with a statement in the revised policy that such steps result in the user’s acceptance of the amendment should put you in a good position to be able to enforce the amendment.

5.  Special Considerations
If, through your website, you collect personal information from California residents then you must comply with the California Online Privacy Protection Act. In addition to requiring that the privacy policy be posted on your homepage (or linked from your homepage with the word “privacy”), this act requires the policy to state the types of personal information being collected, describe the process for users to change their personal information, list the types of third parties with whom you share personal information, inform users as to how they will be notified of privacy policy changes, and include the effective date of the policy.

If your website directs services to children under age 13 then you must comply with the detailed requirements of the Children’s Online Privacy Protection Act.  If your website is not intended to be used by children under age 13 you should state this clearly in the policy.

If you provide health care services (HIPAA) or financial services (Gramm-Leach-Bliley Act) then there are statutes specifically addressing requirements for websites of companies in these industries.

Finally, if the nature of your company’s business means that your website is viewed by many users in the European Union and Australia then you need to be mindful that they have detailed laws regarding consumer privacy that must be adhered to.