VW Blog

Privacy Policies: Why They Are Crucial for Every Website

May 29, 2014   |   By Vela Wood

Here at Vela Wood, we work with new startups on a daily basis. For the most part, our focus is on forming their entity and getting the proper documents in place for them to get their business started. However, often times, the startup is also looking to launch a website/mobile application for their company, therefore we get a lot of questions about terms of service and privacy policies. This blog focuses on the importance of a privacy policy for your website and mobile application. The importance of the website terms of service will be addressed in a subsequent blog.

What is a Privacy Policy and why does my website need one?

A privacy policy is a document telling visitors to your site what information you collect and what you do with that information. Basically it is a disclosure document—the purpose of which is to inform (and therefore protect) consumers. The privacy policy should address specific points to ensure that you are protecting your business interests and site visitors. It is important that it reflects your sites actual privacy practices and not those of another site.

Since many state laws require privacy policies, as well as federal law, it is crucial that every website include a privacy policy. If you chose to not include a privacy policy, it can cause issues with state and federal regulators, not to mention privacy watch groups that are more than happy to report you to the authorities.

What does my Privacy Policy need to include?

The exact things needed for your privacy policy may vary depending on your website, but some of the basics include:

  • Legal business and/or site name. Your address and contact information should also be included. If you are running a home business, we recommend opening a PO Box or hiring a mail forwarding service to protect your privacy.
  • Exactly what information is collected. If you collect visitors’ names, email addresses, physical addresses, telephone numbers or any other sensitive or personal information, this should be disclosed.
  • Categories of third parties with whom your company shares information. Examples of such third parties include: the site hosting company, the user’s own ISP, the courier delivering any purchases, the banks clearing credit card payments, etc.
  • How the consumer can review and request changes to the information collected by the company. Examples include allowing the consumer to opt out of email communications, not signing up for an account, etc.
  • The effective date of the privacy policy.
  • How the company notifies the consumer of changes to the privacy policy
  • The state the policy will be legally enforced. This will be the state where your business is physically located. It should also include the legal remedies available to site visitors in the event that you violate a portion or all of your privacy policy.
  • Whether there are third party cookies or other tracking mechanisms such as advertising cookies. If your site will include cookies, you need to include the following:
    • Brief description of what cookies are
    • What information is collected by the cookies
    • What is done with the information
    • How to reject/delete/accept the cookies
    • Explanation that there are no harmful technical consequences/risks

Where should the privacy policy be located?

The most popular option is to have a link at the bottom of the homepage that contains the words “privacy policy.” However, you can also have an icon on the homepage that contains the word “privacy,” or the entire policy can be located on the website’s homepage (not the most aesthetically pleasant option). The key here is to make sure it is located somewhere that a consumer can easily find it.

Beyond the Basics

You also need to consider more complex issues that are associated with privacy policies.

  • State Laws. Some states give specific guidance on what you should include in your privacy policy. California requires that any company which collects personally identifying information over the internet post a privacy policy and identify the categories of personal information collected, how consumers are notified of changes, and how to update personal information. Texas also has a similar requirement for any company which requires the disclosure of a social security number.
  • Federal Law. The Children’s Online Privacy Protection Act (COPPA) places stringent burdens on companies who knowingly collect information about children under 13. To avoid COPPA liability, companies must take active steps to avoid collecting personal information from kids. For example, when asking for a date of birth, the company can deny access to those who indicate they are under 13 years old, and have procedures in place for preventing users from signing up using a different birth year if the company finds out they are under 13.
  • European Union. The EU regulates privacy on a much broader basis. If your company transfers information from the EU to the US, you must either comply with EU law or EU “safe harbor” principles. For more information see the US Commerce Department’s guidance on what to include in your privacy policy to comply with EU safe harbor provisions.

 Key points to remember

Companies are not permitted to sell private information and must always disclose any mailing lists upon which customers will be placed as a result of signing up or purchasing products.

The privacy policy should also notify users that some of the pages may take them away from the existing website. If users chose to follow links to other resources or to outside sales pages, then they must understand that the privacy policy from the original site is no longer in force, and they should read the terms of service and privacy policy of the other website where they landed.

Again, transparency is key here. It is important that you disclose all of your practices, but do NOT copy from another website. Your privacy policy will be most effective and offer you the most protection if you make it specific to your company. Also, we always recommend that you list an email address where your visitors or users can get in touch with you.

Conclusion

Having a privacy policy for your website/mobile application is crucial. If you are interested in having an attorney draft a privacy policy for your website/mobile application or have any questions regarding privacy policies, please contact us at (214) 821-2300.


Posted in Privacy, Startups
Vela Wood
Vela | Wood is a boutique corporate law firm that focuses on small businesses, entrepreneurs, and startups.