Do’s and Dont’s of Website Privacy Policies

 

DO’S AND DON’TS OF WEBSITE PRIVACY POLICIES

By Marc Reiner

 

As direct-to-consumer marketing and sales have exploded in recent years, there has also been an explosion of website privacy policies.  It is unlikely that you could find a popular site that does not have a privacy policy on the web today.  Yet as late as 1998, only 14 percent of websites made any disclosures as to their data gathering or use of that data even though over 90 percent of websites collected great amounts of personal information about their users.

Whether or not such an approach was advisable, laws enacted in the dominant markets of the European Union – the General Data Protection Regulation (GDPR) – and California – the California Consumer Privacy Act (CCPA) – as well as laws regarding marketing to children – the Children’s Online Privacy Protection Act (COPPA) – have effectively mandated that companies disclose their privacy policies and take great care in drafting those policies.  We have prepared many of these policies on behalf of our clients and want to share our observations on best practices for these detailed, and often inscrutable, policies.

1. DON’T fail to have a privacy policy

Although privacy concerns might seem like a secondary issue that need not be focused on either at the launch of a business or later, they are not.  As discussed above, there is significant regulatory pressure both in the U.S. and in the E.U. that requires that data collection, maintenance, and processing be treated in a particular manner.  A clear, well-drafted privacy policy is essential in ensuring that regulatory requirements are being met.

2. DO write the policy in plain English

This suggestion may be surprising coming from an attorney considering our profession invented “Legalese” and uses it far too often.  But the proper goal of a privacy policy is for users to understand what they are agreeing to.  Clarity is a primary objective of any privacy policy.  Not only is this best practice, but the GDPR makes clear that privacy policies that do not use clear and plain language are not in compliance with that law.

3. DON’T hide your privacy policy where it cannot be found

For a privacy policy to have the most effect, it must be easy to find.  This ensures any presumption and argument that the website user either read it or deliberately chose not to do so.  A common location for the privacy policy is in the website’s footer space.  This selection is acceptable though best practice is to have your privacy policy be accessible from all pages of the website.  In addition, is it is advisable to have a link to the privacy policy on any pop-ups that seek consent to that privacy policy.

4. DO ensure that you comply with any and all applicable data protection laws

Although the previous guidelines are important, obviously complying with the applicable laws is of paramount importance.  The GDPR effectively applies to any website that collects personal information from European residents.  A privacy policy may choose to make clear that certain rights and remedies that are required under the GDPR apply to any individuals that reside in the E.U.  Similarly, for businesses subject to the CCPA a separate section applying to California residents is applicable.  Finally, COPPA applies for websites that are targeted to children under the age of 13 and has its own requirements for what such a website’s privacy policy must contain.

5. DON’T forget to ask for consent

Not only is your company’s privacy policy most effective when users truly read and understand it, but they must also make an informed consent to it.  Consent may not be assumed, although that used to be the practice.  Now, the GDPR can require an affirmative action from the user, such as clicking on an “I Accept” button on a pop-up that discloses, and preferably links to, the privacy policy or at least clicking to close a notification pop-up.

6. DO update your privacy policy as your data collection practices change

Many companies hire us to draft their privacy policy when they set up their website for the first time and then we do not hear from them again.  To put it mildly, this is not best practice.  Privacy policies should include a date for when it was last modified.  If it has been over a year since the policy was last modified, then it should certainly be reviewed to see if it complies with current laws governing data protection and also whether it truly reflects the company’s current data practices.

7. DON’T use the same privacy policy for vastly different users

Some business, such as those in the Software as a Service (SaaS) space, have several different types of users.  These may be customers, developers, and partners.  Each of these different types involves a different type of use of data.  The privacy policy should reflect these differences.  Instead of having just one privacy policy, an alternative is to have a different policy applicable to each of the key categories of users.

8. DO make sure your team knows what is in your privacy policy

A privacy policy is only effective to the extent that it reflects your company’s actual privacy practices.  It is important that your team knows of your policy and ensures that it is followed as written.  The privacy policy is more than just a document of best practices.  It should track closely with your company’s actions.

9. DON’T ignore how your vendors and partners use customer data

Under CCPA and GDPR, a business may be held financially liable for failure to perform due diligence on third parties that process customer data.  Marriott Hotel Group was fined $123 million by UK authorities as the result of laxity in this area.  Companies should be cautious when reviewing data processing agreements with its vendors and partners to make sure that those companies’ data policies are consistent with their own such policies.

10. DO designate a Data Protection Officer (DPO)

With something as important and legally fraught as data protection, it is important to centralize responsibility.  Naming a DPO can ensure that a complicated and regulated area is given the attention that is warranted.

*     *     *     *     *

Drafting a privacy policy is an important and often difficult task.  It requires navigating the legal requirements for these policies while still keeping in mind that the readers of the policies are generally not trained lawyers.  If you need assistance in this area or have any questions, please feel free to reach out to Marc Reiner at HBA mreiner@hballp.com.

 

Marc Reiner’s current practice includes General Commercial Litigation; the registration of trademarks; litigation and counseling in the areas of trademarks, copyrights, false advertising, cybersquatting, and violations of the rights of privacy and publicity.