We are regularly asked by clients to prepare privacy policies for their websites. In our experience, many of these companies do not really understand the purpose of the policy, or the important issues relating to it, and simply treat it as a check-the-box item.
1. The Main Objective of the Policy Should Be Transparency and Accurate Disclosure
Second, the policy should describe the reasons you collect the information you do. In other words, for all of the information collected, whether voluntarily or involuntarily, you should explain to the user how you will use the information collected. It may be as simple as stating that a user’s email address will be used to communicate with the user or that the information collected from analytics tools will be used in an attempt to enhance the user’s experience on your website by understanding how the user uses your website.
Third, your policy should describe the information collected that may be shared with third parties, as well as the identities of those third parties. This includes more than just disclosing whether you will sell information to third parties. You should strive to make the user aware of every third party who may come into contact with the user’s information. Thus, if you plan to use third-party service providers who will have access to the user’s information for hosting, IT maintenance, or sending emails to users, the user should be made aware of this.
Fourth, the policy should describe the user’s ability to control or alter the personally identifiable information collected, or to delete an account.
Finally, the policy should describe what you do to protect the information collected by your website. All security measures, including those taken to protect the physical security of any servers holding information, or those taken to protect transmissions, such as encryption, should be described to the user. Again, the goal of the policy should be total transparency into how your website collects and uses information, and how it protects the information it receives.
There are basically two ways that website privacy policies are presented to users. “Browsewrap” agreements are those in which the terms of the policy are posted on the website, typically through a link at the bottom of the home page. “Clickthrough” agreements are those in which the user is required to click a button acknowledging his consent to the terms of the policy.
With browsewrap agreements, however, there is no action required of the user, such as clicking an “I Agree” button, that allows a website to claim that the user definitely consented to the terms of the agreement. In general, the enforceability of a browsewrap agreement will depend upon whether the user had actual or constructive knowledge of the terms of the agreement. This involves a fact-specific analysis as to whether actual or constructive knowledge exists. The basic test is whether a reasonably prudent person would be aware of the existence of the policy. Factors considered by courts include whether the link to the policy is conspicuous and stands out on the webpage (i.e., whether the link is hidden in a group of other links) and whether the link is apparent when the home page is first opened, as opposed to the user having to scroll to the bottom of the home page to find it.
Where does that leave you if you do not have an enforceable policy? Likely with a policy that has a one-way binding legal effect against you. Thus, while you will not be able to benefit from the disclaimers and limitations in the policy that you would like to rely on, you will still be required to abide by the terms of the policy dealing with your use of a website visitor’s information.
4. Be Mindful of Issues Relating to Changing Your Policy
You should draft your policy to be as flexible as possible to minimize future updates. If it is possible to anticipate future shifts in your practices for collecting or using information, then you should draft your policy to account for those changes. If you materially alter the way your organization uses or shares data collected from a user, you must receive the user’s consent to use any data collected under the previous version of the policy in the manner set forth in the new policy, which would likely be a very difficult effort.
5. Special Considerations
If your website directs services to children under age 13, then you must comply with the detailed requirements of the Children’s Online Privacy Protection Act. If your website is not intended to be used by children under age 13, you should state this clearly in the policy.
If you provide health care services (HIPAA) or financial services (Gramm-Leach-Bliley Act), then there are statutes specifically addressing requirements for websites of companies in these industries.
Finally, if the nature of your company’s business means that your website is viewed by many users in the European Union and Australia, then you need to be mindful that those jurisdictions have detailed consumer privacy laws that must be adhered to.