Many companies are still confused about whether they need a website Privacy Policy or not. In fact, some businesses are still under the (mistaken) impression that they don’t need a Privacy Policy at all, or that their existing Privacy Policy – the one they use for other business reasons, is sufficient to cover their website or app activities (it generally isn’t).

Let’s get this out of the way right here – in the United States, Canada, the United Kingdom and in many other countries, privacy policies that cover online personal data collection are required by law. 

Some companies do already have a Privacy Policy on their website. In many cases however, the policy hasn’t been updated in several years. Where there is an existing Privacy Policy, it often doesn’t even include the basic requirements required by law.  In fact, we’ve found that most existing website privacy policies don’t include clauses that cover personal data collection from new online activities such as social media.

Often, we find that a company’s website Privacy Policy has been created using a very generic template, with little customization specific to the company, its website or its data collection methods. The result is a nonspecific, overly broad Privacy Policy that often doesn’t comply with current laws, is barely useful in explaining to users how their information will actually be used, and does little to protect the company in the event of a lawsuit.

A poorly written (or non-existent) app or website Privacy Policy can expose a company to regulatory sanctions and fines, customer lawsuits, and significant reputational damage.

In this post, we’ll discuss exactly what a website Privacy Policy is, the regulations that describe what a Privacy Policy must include, specific details of what a website Privacy Policy should cover, and we’ll also provide examples of website privacy policies that are effective, well-written and comply with applicable laws.

A Website Privacy Policy is an agreement that’s published on a business website which describes how a company collects, stores and distributes the personal data of its users.

If you’re a company that operates in the United States and have a website, a website Privacy Policy is mandatory if you’re collecting any type of information that’s personal.

At a minimum, this includes any commercial website that has simple contact forms, email links or other ways for users to communicate with the company. If you provide any type of online mechanism for a website visitor to contact you, you’re collecting personal information – either a name, phone number or email address. That information is considered personal data and since you’re receiving and collecting that data (to communicate with the website user), you must publish a Privacy Policy that describes how that data will be collected, stored and used.

Under Chapter 22 of the California Business and Professions Code, Internet  Privacy Requirements [22575-22579], the following specific provisions relate to online privacy and describe how a business must include its website privacy policy:

1. A business that collects personally identifiable information via a website or online service must be conspicuously post a privacy policy on its website
2. The privacy policy must:
   1. Identify the personal information that’s collected – “Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.”
   2. If you have a process in place, provide a description for users to make changes to their personal data – “If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.”
   3. Describe how changes will be made to the privacy policy – “Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.”
   4. Identify its effective date.
   5. Describe how the website responds to “do not track” – “Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.”
   6. Describe 3^rd-party relationships related to user data collection – “Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”
   7. If applicable, provide a link to further information on “do not track” program – “An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

Did you know that the Federal Trade Commission (“FTC”) has enforced the law against numerous companies that are not in compliance with federal regulations related to consumers’ privacy? Since 2002, the FTC has brought multiple enforcement actions against many companies, addressing a wide range of privacy issues, including spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing, and mobile.

The FTC oversees consumer protection regulation in the United States. With regard to online advertising and communications, the FTC has issued guidelines for websites and apps the companies should follow when writing a Privacy Policy. The FTC’s guidelines help your business to comply with truth-in-advertising standards and basic privacy principles. The FTC also recognizes that there isn’t a “one-size-fits-all” approach that works for every company.

The following guidelines from the FTC should be considered by every company that has or intends to build a website or app:

• Build privacy considerations in from the start. The FTC calls this “privacy by design.”  What does it mean?  Incorporating privacy protections into your practices, limiting the information you collect, securely storing what you hold on to, and safely disposing of what you no longer need.  Apply these principles in selecting the default settings for your app and make the default settings consistent with what people would expect based on the kind of app you’re selling.  For any collection or sharing of information that’s not apparent, get users’ express agreement.  That way your customers aren’t unwittingly disclosing information they didn’t mean to share.
• Be transparent about your data practices.  Even if you need to collect or share data so your app can operate, be clear to users about your practices.  Explain what information your app collects from users or their devices and what you do with their data.  For example, if you share information with another company, tell your users and give them information about that company’s data practices.
• Offer choices that are easy to find and easy to use. Give your users tools that offer choices in how to use your app – like privacy settings, opt-outs, or other ways for users to control how their personal information is collected and shared.  It’s good business to apply the “clear and conspicuous” standard to these choice mechanisms, too.  Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made.
• Honor your privacy promises. “But we don’t make any promises.”  Think again and reread your privacy policy or what you say about your privacy settings.  Chances are you make assurances to users about the security standards you apply or what you do with their personal information.  At minimum, website and app developers — like all other marketers — have to live up to those promises.  The FTC has taken action against dozens of companies that claimed to safeguard the privacy or security of users’ information, but didn’t live up to their promises in the day-to-day operation of their business.  The FTC also has taken action against businesses that made broad statements about their privacy practices, but then failed to disclose the extent to which they collected or shared information with others – like advertisers or other website and app developers.  What if you decide down the road to change your privacy practices?  You’ll need to get users’ affirmative permission for material changes.  Just editing the language in your privacy policy isn’t enough in those circumstances.  And while you’re taking another look at your privacy promises, read them with users in mind.  Is the language clear?  Is it easy to read on a small screen?  Are you using design elements — color, fonts, and the like — to call attention to important information?
• Protect kids’ privacy.  If your website or app is designed for children under 13 and collects personal information, you have additional requirements under the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule.  But COPPA compliance doesn’t end there.  Regardless of the kind of website or app you sell, if you know you’re collecting personal information from children under 13 — or if you know you’re collecting personal information from another website or online service (including another app) that’s designed for kids under 13 — COPPA applies, too.
• What does COPPA require? Under COPPA, you have to clearly explain your information practices, provide direct notice to parents about those practices, and get parental consent before collecting personal information from kids.  These obligations apply to you when third parties (like ad networks or plug-ins) collect personal information through your app.  COPPA also requires that you keep “personal information” collected from children confidential and secure.  The rule defines that term to include a first and last name, an address, a telephone number, online contact information, a screen name or user name that functions like online contact information, geolocation information, or a persistent identifier that can be used to recognize a user over time and across different websites or online services (such as device identifier, cookie identifier, serial number, or IP address).  Visit the FTC’s COPPA site for compliance advice.
• Collect sensitive information only with consent.  Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information.  It’s a mistake to assume they won’t mind.
• Keep user data secure. At minimum, you have to live up to the privacy promises you make. But what if you don’t say anything specific about what you do with users’ information?  Under the law, you still have to take reasonable steps to keep sensitive data secure.
  • One way to make that task easier:   If you don’t have a specific need for the information, don’t collect it in the first place.
  • The wisest policy is to:

1. collect only the data you need;
2. secure the data you keep by taking reasonable precautions against well-known security risks;
3. limit access to a need-to-know basis; and
4. safely dispose of data you no longer need.

These principles apply both to information you ask users to give you and to any information your software collects.  If you work with contractors, make sure they abide by the same high standards.

While a website Privacy Policy is required by law, it can also help show your users and customers that you value their privacy and to build confidence in your business practices.

It’s also becoming more commonplace for third parties, including social networks, app stores and large technology vendors, to require that you have a Privacy Policy before you can create an account or establish an online relationship with them.

• Apple’s App Store Review Guidelinesstates that apps that intend to collect personal information from users without consent and proper notification will be rejected. Check the Privacy Policy agreement for any iOS apps.
• The Google Play Store’s Developer Distribution Agreementrequires that you have “privacy procedures and notices in place”. Take a look at the Privacy Policy requirements for Android apps for more information.
• Microsoft and Windows Phone apps are also required to have an app Privacy Policyfor their apps as part of the “10.5.1” rule requirement from Windows Phone Store Policies.
• Facebook requires you to have a Privacy Policy for any Facebook apps you may develop.
• If you want to use Login with Amazon, Amazon is also requiring you have this agreement ready and published online before you can use the sign-in functionality.

Recommendations on Writing an Effective Website Privacy Policy

We recommend that a Privacy Policy give the company maximum flexibility to operate within the law and the bounds of propriety. Don’t make changes that limit your company’s operating flexibility and, in some instances, remove provisions that are required by California Business and Professions Code Sec. 22575(b). For example, deleting our recommended opt-out language, required by B&PC Sec. 22575(b)(5).

We advise that the language of your Privacy Policy provide flexibility for the future. For example, you should retain the right to share information in the event of a merger. If you don’t specify this right within the policy, the information you collect could not be shared and your firm’s value in a merger could be reduced.

When it comes to emails and social media, we advise our clients to use the broadest possible language in their website Privacy Policy. This gives you the flexibility to modify your social media usage without necessarily having to continuously modify your website Privacy Policy.

For example, if users can contact you by email from your website, they will provide their contact information so you can do so. This means you should include language in your Privacy Policy that covers the fact that they are providing their email information to you specifically for the purpose of you contacting them via email.

With regard to social media, if you are collecting any kind of personal information via a social network, you should include language that in your Privacy Policy that describes that collection, and what you intend to do with that information. For example, if you collect names and email information from clients through Facebook’s messaging feature, your Privacy Policy should clearly state how you intend to keep that information private and secure.

A broad policy reduces the likelihood that you would have to modify it every time you make a small change to your online usage. Small changes that may go unnoticed could have significant consequences. We also recommend a regular review of your Privacy Policy to ensure continued compliance.

Still not convinced your website really needs a Privacy Policy? Below is a Q and A with explanation and rationale that we’ve complied based on experience and research.

Q. Does my website need a Privacy Policy?

A:  All commercial websites are required to have a Privacy Policy compliant with Federal Trade Commission (FTC) requirements and California Online Privacy Protection Act (CalOPPA) requirements.

1. What is a commercial website?
2. Simply put, any website that buys, sells or offers a service of any kind is a commercial website.

CalOPPA applies to all websites that may serve California residents. CalOPPA applies to any person or entity that owns or operates a commercial website or online service that “collects and maintains personally identifiable information from a consumer residing in California who uses or visits” said website or online service. CalOPPA does not apply to internet service providers (“ISPs”) or similar entities that transmit or store personally identifiable information for a third party.

In 2012, the California Attorney General’s Office specifically applied CalOPPA to mobile applications for smartphones and tablets that collect personally identifiable information. Hundreds of apps providers were notified that they were in violation of CalOPPA, and they were given 30 days to submit compliance plans or face fines of up to $2,500 for each time their app was downloaded.

1. My website is aimed at children, are there any special requirements for my website Privacy Policy?
2. If your business is aimed at children under the age of 13, you need to comply with the Children’s Online Privacy Protection Rule (COPPA). COPPA is a federal law which requires websites to have a parent’s permission before collecting any personal information from children under 13.

Q. Can I use a standard Privacy Policy generator?

A:   Yes, as a start. In fact, every Privacy Policy should probably start by looking at how other websites and apps have designed their privacy policies. It would probably be far too costly for most businesses to start writing a Privacy Policy completely from scratch.

However, every “standard” privacy policy will need to be customized to suit your business uses and needs.

That’s true even if your website is really simple. If you collect, track or store consumer data, user behavior or information in any manner, including using cookies, tracking geolocation, contact forms, newsletter subscriptions etc., you’ll need to customize that standard privacy policy accordingly.

However, just like every business website is different from the next to reflect the company, its products and services, every Privacy Policy needs to be tailored to the company’s particular offerings, requirements and methods of handling its customers’ data and privacy.

The output of many Privacy Policy generators is usually so generic as to be useful only as a starting point. Most businesses will need a customized Privacy Policy that suits the features and functionality of their website.

This will vary by company and depend on the complexity of the business, website and other online services that are covered by the privacy policy. Other things to consider are regional regulations, plus how the business collects, handles, stores  and uses customer data, and how it handles do not track and opt-out mechanisms.

A template is useful as a starting point and some are better than others, however most templates are quite rudimentary and should be reviewed in any case by an attorney. It’s our experience that every Privacy Policy template needs to be customized to ensure compliance with applicable laws, while offering maximum business flexibility.

Q. Should my Privacy Policy cover our firm’s Social Media activity?

A:   Yes, if you’re collecting any kind of personally identifiable information about your users or customers, such as name, email etc.

If you’re running contests, sweepstakes or running marketing campaigns on social media to generate or build email lists or collect customers’ personal information, make sure your website privacy policy covers that activity.

If you’re using social login functionality (connecting a social network’s login feature to your website) to obtain customer data, your privacy policy should disclose how you collect, store or use any customer data from that connection.

If you’re using instant messaging via a social network such as Facebook Messaging to communicate with your audience, you should include language in your privacy policy that covers any personal information you may collect in those types of communications.

Social Networks – Website Privacy Policy Examples

Twitter Privacy Policy – a comprehensive yet clearly written privacy policy that includes sections on Information Collection and Use, Cookies, Use of Services, Twitter for Web Data, Third-parties and Affiliates, Information Sharing and Disclosure, and Accessing and Modifying your Personal Information.

Facebook Data Policy – after some initial false starts from Facebook, the leading social network finally came up with a really robust approach to explaining how it collects and uses information from its users. This is one of the most comprehensive explanations we’ve seen online with regard to consumer data and privacy. For a simpler view, take a look at Facebook’s Privacy Basics.

LinkedIn Privacy Policy – starts out by saying “Your Privacy Matters”, and contains lots of specific details on how information is collected, used and shared, plus your choices and obligations as you use the LinkedIn site. A guided tour of the Privacy Policy is also available that shows updates since the last policy, plus a Privacy Policy video.

Google Privacy Policy – Google’s privacy policy is fairly extensive, as you would expect. However, it refrains from too much legalese and uses language that’s pretty informal and easy to understand. It also provides links to a glossary of key terms, so you can understand all the technical jargon you might come across in the policy.

Thomson Reuters Privacy Statement – comprehensive and available in multiple languages and with a large banner in the footer notifying users that the privacy statement has been updated and should be read.

Forbes Privacy Statement – checks all the boxes for privacy requirements including describing how the site tracks its visitors, opt-out mechanisms, children’s privacy and how users are notified if the statement is updated.

PepsiCo, Inc. Privacy Policy – this policy doesn’t cover all the bases and probably hasn’t been revisited in some time. There’s no effective date and no instructions for consumers who don’t want to be tracked. Time for an update.

Your website Privacy Policy should be an integral component of your governance and risk management strategy for your digital and social media activities.

A thorough review of your website, app or social media Privacy Policy is an essential step under several circumstances:

• When creating a new business website
• Redesigning or adding functionality to an existing business website
• Becoming active on a social network such as Facebook or Linkedin
• Building an app with the intention of distributing it via an app store
• Changing how customer or personal information will be collected, stored, used or shared with others
• Adding Google Analytics to measure your website traffic

In addition, a basic website Privacy Policy can generally cover the following types of website uses:

• Commercial/Promotional websites (e.g. promoting a business, organization, non-profit)
• Websites that utilize cookies, website analytics tools etc. to track users (e.g. Google analytics snippet)
• Websites that allow users to subscribe to a newsletter (e.g. collecting name and/or email address)
• May have a client login area for document sharing, uploads etc.
• May collect certain types of customer data when user completes a form on the website (e.g. contact form, download form)

We recommend further customization of a website Privacy Policy in any of the following circumstances, since these features may require additional discovery, privacy policy language and attorney review:

• May use 3rd party systems for payment processing or to collect donations (e.g. PayPal, Event.com, Active.com)
• May collect or use user-generated content (e.g. reviews, testimonials etc.)
• May collect or use imagery that is non-stock photography (e.g. images of customers etc.)
• Websites aimed at children < 13 years of age (e.g. website selling children’s toys or books)
• Websites that directly collect, use or store credit-card information from the user
• Transactional or other custom website applications/systems

If the process to create a website Privacy Policy seems overwhelming, don’t hesitate to contact us, send an email to info@allpryme.com. We create Privacy Policies for companies that meet your business needs while ensuring your business is in compliance with applicable laws.