DO’S AND DON’TS OF WEBSITE PRIVACY POLICIES
By Marc Reiner
Whether or not mandatory disclosure was the best approach, privacy laws in the largest markets, the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), together with the U.S. Children’s Online Privacy Protection Act (COPPA), which governs the online collection of personal information from children under 13, have effectively required companies to publish privacy policies and to take great care in drafting them. We have prepared many of these policies on behalf of our clients and want to share our observations on best practices for these detailed, and often inscrutable, documents.
- DO write the policy in plain English
- DO ensure that you comply with any and all applicable data protection laws
- DON’T forget to ask for consent
- DON’T ignore how your vendors and partners use customer data
Under both the GDPR and the CCPA, a business can be held financially liable for failing to perform due diligence on the third parties that process its customers’ data. The UK Information Commissioner’s Office announced an intention to fine Marriott roughly $123 million (£99 million) under the GDPR for precisely this kind of lapse: the company had not adequately vetted the guest reservation system it inherited when it acquired Starwood, and that system turned out to have been compromised for years before the acquisition. Review data processing agreements with your vendors and partners carefully to confirm that their handling of customer data is consistent with your own policy, and check that each agreement covers the points the GDPR requires of a processor: processing only on your documented instructions, confidentiality obligations on the processor’s staff, appropriate security measures, your prior approval of any sub-processors, assistance with data-subject requests and breach notification, return or deletion of the data at the end of the engagement, and a right to audit.
- DO designate a Data Protection Officer (DPO)
With something as important and legally fraught as data protection, it is important to centralize responsibility. The GDPR makes a DPO mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; even where it is optional, naming a DPO ensures that a complicated and heavily regulated area receives the attention it warrants. The DPO should report directly to senior management and should not also hold a role that decides how personal data is used, such as head of marketing or head of IT, since the GDPR requires that the position be free of conflicts of interest.
* * * * *
Marc Reiner’s current practice includes General Commercial Litigation; the registration of trademarks; litigation and counseling in the areas of trademarks, copyrights, false advertising, cybersquatting, and violations of the rights of privacy and publicity.