Preparing an Online Privacy Policy

Written by Julia Siripurapu

What is a Privacy Policy? Also referred to as a “privacy statement”, a privacy policy informs users of a website or an online service about the information collection and privacy practices of the operator of that website or online service.

Why do you need a Privacy Policy? Even a startup company in its earliest stages should develop a privacy policy for its online service (including mobile apps) or website that collects information, including personal information, from individuals. Posting a privacy policy is considered a best practice for online operators and will reassure nervous e-consumers, wary of data breaches and identity theft, that their information will be used responsibly. For certain online services, a privacy policy may even be required by law. For example, the Children’s Online Privacy Protection Act (COPPA) requires operators of websites directed to children to develop and post a privacy policy, and the California Online Privacy Protection Act of 2003 (CalOPPA) requires operators of commercial websites and online services that collect personally identifiable information about California residents to conspicuously post a privacy policy and comply with it.

When should a privacy policy be prepared? Don’t wait to think about privacy and crafting a privacy policy until your operations are in full swing. Instead, build privacy and security into the design of your online service or website. Craft your policy before your website/online service is deployed and make appropriate updates as your company and services evolve.

Guiding Principles. Here are some guiding principles for preparing a privacy policy for your online service or website; guidelines specific to privacy policies for mobile apps will follow in a separate blog post:

1. Consider your audience. Whether a service is “targeted to children” may seem like a simple concept generally, but it can be difficult to apply to specific examples, particularly in the realm of games and entertainment. As we describe in our guide to compliance with the amended COPPA Rule, there are a number of factors that should be considered when determining whether a website or online service, or a portion thereof, is directed to children.

2. Accuracy and adherence are key. Privacy policies are not “one size fits all” and should never be borrowed wholesale from sample materials. A privacy policy must be specifically tailored to reflect your actual and ongoing business practices. And just as important, your day-to-day processes and procedures must adhere to the letter of your policy! With that in mind:

  • Identify which website(s)/services are covered by your policy and provide the effective date of the policy.

  • List the categories of information that are collected on the website/service. It is not sufficient to simply state that information is or may be collected on your website/service; you must also inform users what information is being collected, why it is collected, how it is collected, and when it is collected. Where information is collected automatically (e.g., cookies or other tracking technologies), disclose in detail the methods used to collect the information and describe how individuals can prevent the automatic collection.

  • Clearly describe how the information collected is used, including if and when the information collected will be provided to any third party.

  • Where applicable, give users the choice of whether or not to have their information disclosed to third parties (e.g., your commercial partners) or used for certain purposes (e.g., to receive marketing communications). Opt-in methods are customer friendly and encouraged; however, if opt-out methods are used (e.g., an unsubscribe button), ensure that they actually work.

  • Describe how users will be informed about changes to your privacy policy and make sure that you follow through after making revisions. Implement processes to notify users and, in certain cases, obtain their consent before using or sharing their information in a manner that is materially different from the practices described in your privacy policy.

  • Provide contact information that can be used to ask questions or provide comments about your privacy practices.

  • Before sharing personal information collected on the website/service with a service provider or other third party, do your diligence to determine what the service provider’s or third party’s data practices are for maintaining the confidentiality and security of the information and preventing unauthorized access to or use of the information. Release the personal information only to service providers and third parties capable of maintaining its confidentiality, security, and integrity, and get those assurances in writing.

3. Collect and retain only the personal information required to provide the website/service. Minimize what you collect, keep personal information only as long as reasonably necessary to fulfill the collection purpose, and securely delete personal information you no longer need to retain. The easiest way to reduce your risk profile is to limit what you collect and retain.

4. Aim for readability and visibility. Privacy policies should be easy to read and conspicuously posted on your website/service. Limit the legal jargon and find a user-friendly format. Prominently display a link to the privacy policy on your home page and link to it on all pages where information is collected.

5. Access & Updates. Empower your users by giving them the opportunity to access and review their information collected on the website/service and to request changes to the information. CalOPPA requires covered websites/online services to describe in the privacy policy the process for giving California consumers access to their own personal information.

6. Security. Describe the security measures you have in place to safeguard the personal information collected on the website/service. Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected on the website, commensurate with the sensitivity of the data collected. Reassess your security measures periodically.

7. Keep it fresh. Conduct periodic reviews of your privacy policy and make necessary updates to reflect current and evolving operations.

8. The enforcement risks are real. The Federal Trade Commission (“FTC”) has already demonstrated a willingness to bring enforcement actions against companies with misleading privacy policies or with practices that are inconsistent with statements made in their privacy policy. To date, the FTC has brought hundreds of privacy and data security cases addressing a wide range of issues against well-known companies such as Google, Facebook, and Microsoft, as well as against small companies. A deceptive or inaccurate privacy policy may also violate state laws prohibiting unfair or deceptive business practices. Being on the wrong end of an FTC or state enforcement action could result in statutory fines, high legal costs, and prolonged government oversight, which may include a requirement to implement and maintain a comprehensive privacy program and obtain independent privacy assessments for a long period of time.

9. International Considerations. Be aware that if you operate in other countries or collect personal information from residents of other countries, your business may be subject to the privacy and data protection laws of those countries, which may be more stringent than U.S. laws. You should consult with legal counsel in the applicable jurisdictions to determine your compliance obligations.


Below are some additional resources that you may find helpful as you design your website or online service and craft your privacy policy:

1. U.S. Small Business Administration’s 7 Considerations for Crafting an Online Privacy Policy

2. FTC’s Report: Protecting Consumers in an Era of Rapid Change

3. California’s Attorney General Office: How to Read a Privacy Policy

4. California Office of Privacy Protection: Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements

5. California’s Attorney General Office: Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy

Be sure to also check our Privacy and Security Matters blog for other resources and up-to-date information on privacy and security.