Privacy policies often include the security policy you use to protect the data you collect. This is typically an outline of the security steps you, or the vendors you use, take to safeguard visitor data.
Am I collecting private information on my website?
Absolutely, yes. You may not realize it, but every website collects information. Any tool or plugin that collects information from your site is collecting personal information, such as:
- contact forms
- email lists
- chat widgets
- website analytics (such as Google Analytics)
Are Privacy Policies required?
No single, generally applicable law governs privacy policies. However, multiple federal laws govern privacy policies in specific circumstances, such as:
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) affects websites that knowingly collect information about, or are targeted at, children under the age of 13.
While children under 13 can legally give out personal information with their parents’ permission, many websites—particularly social media sites, but also other sites that collect most personal info—disallow children under 13 from using their services altogether due to the cost and work involved in complying with the law.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires institutions engaged in financial activities to give clear, conspicuous, and accurate statements of their information-sharing practices.
It specifically requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and thereafter. The privacy notice must explain what information is collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The privacy notice must also identify the consumer’s right to opt out of the information being shared with unaffiliated parties, meaning bulk emails must have an opt-out option.
Health Insurance Portability and Accountability Act (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA) privacy rules require written notice of the privacy practices of health care services, and this requirement also applies when the health services are delivered electronically. This act applies only to health-related fields such as, but not limited to, doctors, pharmacists, dentists, etc.
California Online Privacy Protection Act of 2003
- List the categories of personally identifiable information the operator collects;
- List the categories of third parties with whom the operator may share personally identifiable information;
- Describe the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by the operator;
State Specific Laws
Both Nebraska and Pennsylvania have laws treating misleading statements in privacy policies published on websites as deceptive or fraudulent business practices, which are punishable in those states’ courts.
Federal Trade Commission (FTC)
The Federal Trade Commission (FTC) is the chief federal agency on privacy and enforcement. The agency oversees the protection of consumers’ personal information and ensures that they have the confidence to take advantage of the many benefits of the ever-changing marketplace.
Failing to secure your data and to abide by privacy regulations can have consequences. The FTC has enforced punishments against companies that violate consumer privacy, regardless of their size or stature. It has taken action against a long list of companies, including Facebook, Equifax, Google and YouTube, for failing to disclose how they secured their customers’ data.
European Union (EU) General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the European Union (EU) privacy initiative. It obligates organizations anywhere, so long as they target or collect data related to people in the EU, to adhere to its privacy and security standards. The regulation took effect on May 25, 2018. The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
The European Union (EU) – United States (US) Privacy Shield Framework provides a method for companies to transfer personal data to the US from the EU in a way that is consistent with EU law. Privacy Shield allows US companies, or EU companies working with US companies, to meet this requirement of the GDPR. This basically means that US businesses need to follow the GDPR.
Facebook and Google
Do I also need a Terms and Conditions document?
Terms and Conditions set out the rights and responsibilities of anyone visiting the site—basically, it’s the rules of your website. The exact contents vary depending on the type of site and the services it provides. It often includes an explanation or definition of key words used in the terms, and outlines the legal limitations of responsibility of the website owner for any damages or harm incurred during usage of the site. Additionally, Terms and Conditions will typically include the following elements: Limitation of liability, copyright, country of governance, change clause, e-commerce sites, guests, and third-party links.
*As a heads up, the link for the AWB Firm is an affiliate link, so I earn a commission if you decide to purchase. I would have personally recommended this resource either way. I have purchased contracts from several different law firms and contract shops before deciding upon AWB Firm.
And Now, Some Legal Talk …
This blog post is informational about laws surrounding website privacy policies. It is to help the reader understand the legal issues surrounding digital marketing. The legal information is NOT the same as legal advice – the application of the law to an individual’s specific circumstances.
I have conducted research to ensure the information is accurate and helpful. I insist that you consult with a lawyer if you want professional assurance that our information, and your interpretation of it, is accurate and complete. Please understand that I am not a lawyer and do not claim to be a legal expert.
You may not rely upon this blog article as legal advice, nor as a recommendation or endorsement of any particular legal understanding. You should regard this article as intended for entertainment purposes only.