Internet Privacy Rules

Most Internet-based businesses collect user data.  Some data elements are deliberately collected to identify a specific user (name, address, contact information, etc.), while others are not (IP address, browser type, search term, to name a few).  The collection and use of personally identifiable information (“PII”) raises numerous privacy issues, which, over the course of the last decade, have caught the attention of state and federal regulators.

Thanks to the California Online Privacy Protection Act of 2003 (“CalOPPA”), most websites are required to disclose the manner in which they collect, use and manage user data in a written privacy policy document.  CalOPPA applies to all commercial websites and online services that collect PII from individual California residents who use a website, and because most websites have (or will have) California users, they’re under the obligations imposed by the State of California.

With that in mind, any website operator should include the following five key provisions when designing a privacy policy:

1. Make it easy to locate.  Most websites include a link to their privacy policy in the footer.  Those which collect PII should also include a link with any online form.

2. Identify the specific elements of PII collected (name, address, etc.) even if they’re obvious.

3. Describe who has access to PII.  If the data is passed on to third parties, they do not have to be specifically identified; a description of their business (e.g., “marketing partners”) will suffice.

4. Identify the date when the policy became effective, and include dates that it is updated. If any update includes a material change, users should be notified of it via email or a message on the site.

5. Disclose how the site responds to “do not track” signals regarding a user’s online activities over time and across different websites (e.g., via Google Analytics).  If your site offers no response to those signals, simply say so.

The guidance in this article is not intended to be comprehensive.  There are other provisions that companies should consider including, and certain types of companies (financial institutions, healthcare companies, and online services for children) have more stringent requirements.

The bottom line is, don’t just cut and paste.  Your company is unique, and should have a privacy policy specifically tailored to how it operates.

Seth Heyman
Seth D. Heyman is a California attorney with extensive experience in advertising and marketing law, corporate law, contracts, governmental regulations, international business, and Internet law. He has counseled numerous successful companies, both public and private, and was responsible for regulatory compliance, contract management, corporate governance, and HR best practices for multiple organizations in many diverse industries, including marketing, telecommunications, energy, and technology development. He offers insight and guidance on federal and state direct mail, TV, radio, telemarketing, and Internet marketing laws, as well as online promotions, Internet privacy, data protection regulations, and similar matters.