Tucked away at the bottom of almost all websites is an important – and often overlooked – document about how the website will treat the personal information of the people who visit that website: the “Privacy Policy” or “Privacy Notice.” Certain industries, including banking, health care, and education, are subject to federal privacy requirements that may affect their obligation to post a notice on their website about how they treat consumers’ data. And websites that target children under the age of thirteen are subject to the Children’s Online Privacy Protection Act, or “COPPA.” However, many websites are not subject to any specific federal requirement to post a privacy notice.
In the absence of such a federal requirement, certain states, namely California and Delaware, have enacted legislation requiring a posted website privacy notice, at least as it pertains to residents of those states. These state laws require website operators, subject to certain exemptions, to provide clear notice to consumers of how the business will collect, use, share, and store the individual’s personal information.
And, while there is no general federal requirement to post a privacy notice, Section 5(a) of the Federal Trade Commission Act (“FTC Act”) prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC has relied on this provision to gain federal oversight of website privacy practices. As noted on the FTC’s website under the “Consumer Privacy” section:
Think your company doesn’t make any privacy claims? Think again — and reread your privacy policy to make sure you’re honoring the promises you’ve pledged. Consumers care about the privacy of their personal information and savvy businesses understand the importance of being clear about what you do with their data.
The FTC has also taken actions against companies for not implementing commercially reasonable measures to protect the personal information they collect and store.
For many website operators, it is easy to treat the website privacy notice as an afterthought. Companies sometimes take a “copy-and-paste” approach using the privacy notice of another website. Or companies take advantage of one of a number of “free policy generators” that have cropped up. However, both of these approaches can leave the website operator in a position of not accurately describing how it will treat consumers’ data. First, copying-and-pasting a privacy policy/notice from another website can subject a website owner to liability under the FTC Act and state laws because the policy almost certainly will not be accurate for the website that copied it.
Additionally, the reliability of policies created by these “free policy generators” is difficult to assess for most website operators. Policies created by automated policy generators can include provisions that are out-of-date, or include provisions that create unnecessary liability for a website operator by including statements or provisions that are not required for a privacy notice.
The lesson here can be summed up by the old adage: “You get what you paid for.” Website privacy notices should be created proactively and with experienced legal counsel to guide website operators through a complex patchwork of legal requirements and consumer expectations.