How to Write Your Website Privacy Policy

On May 21, 2014, the California Attorney General offered recommendations on how businesses should comply with the California Online Privacy Protection Act of 2003 (“CalOPPA”).  The AG’s announcement is especially useful for website operators who are confused about how CalOPPA affects them, and how to draft a compliant privacy policy for their web properties.

As detailed in a previous post, CalOPPA requires any company that collects personally identifiable information from a California resident online, whether via a commercial website or a mobile application, to draft and comply with a privacy policy that conforms with the law’s guidelines.  A recent amendment to CalOPPA requires website operators to include information in their privacy policies on how they respond to Do Not Track requests passed on by web browsers, and to state whether third parties can collect personally identifiable information (PII) about site visitors.

Here is a breakdown of the minimum requirements necessary for a valid privacy policy under CalOPPA.

Scope:  Include a paragraph explaining what the policy covers.  State whether it is limited to online data collection or also covers offline use, and state which entities (e.g., subsidiaries and affiliates) the policy covers.

Availability:  Make certain your policy is readily available and accessible.  Incorporate a conspicuous link somewhere on the home page, and on every page that collects personal information, and be certain to format it so it can be printed in legible form.  If you’re collecting PII via a mobile application, post a link to the policy on the base platform page so users can review it prior to download.

Plain English:  Draft your policy so it can be read and understood by the average consumer.  This means you should avoid technical language and legalese wherever possible.  Use graphics and icons, and try using tooltips.

Disclosures:  Be certain to prominently disclose all of the following:

     – How you collect PII on users or visitors, and the technologies behind that collection (e.g., cookies, web beacons).

     – How you respond to Do-Not-Track (DNT) requests.  First, start by stating whether you track your users’ online activity.  If you don’t track, you probably don’t respond to DNT requests, so be certain to let your visitors know that.  If you do employ tracking technology, describe how it works.  Do you track users’ activity over time?  If so, provide the time frame.  Do you track both before and after they visit your site?  What do you do with the tracking information you collect?  Regardless of how you deal with DNT requests, be certain to provide a prominent link to a program that offers consumers a choice about online tracking, and describe how the program works.  If you don’t respond to DNT signals, say so, and then state whether you honor DNT requests.

     – Let visitors know whether third parties may be collecting PII while they visit your site, and how you work with those parties.

     – Inform visitors how you use and share data:  Describe (a) what PII you collect from users; (b) how you use it; and (c) how long you retain that information.  List the categories of companies with which you share customer personal information (e.g., service providers, marketing partners, affiliates).  Explain any uses of PII not related to fulfilling a customer transaction or another basic function of an online service.  If possible, provide a link to the privacy policies of third parties with whom you share PII.

Describe Choices:  Describe the choices visitors have regarding the collection, use, and sharing of their personal information, and how you comply with them.  At the very least, you should offer your visitors an opportunity to correct or even delete the information you’ve collected.

Security:  Describe the safeguards you employ to secure PII.

Date:  Include the date that the privacy policy went into effect, and provide visitors with access to previous versions so they can see what, if anything, has changed.

Address Concerns:  Provide contact information visitors can use to direct their questions and concerns regarding your privacy policy, and train customer service staff on how to respond to these queries.

The fact that the California AG has provided these guidelines should serve as a warning that she is, and will continue to be, highly aggressive in the enforcement of CalOPPA.


Author: Seth Heyman
Seth D. Heyman is a California attorney with extensive experience in advertising and marketing law, corporate law, contracts, governmental regulations, international business, and Internet law. He has counseled numerous successful companies, both public and private, and was responsible for regulatory compliance, contract management, corporate governance, and HR best practices for multiple organizations in many diverse industries, including marketing, telecommunications, energy, and technology development. He offers insight and guidance on federal and state direct mail, TV, radio, telemarketing, and Internet marketing laws, as well as online promotions, Internet privacy, data protection regulations, and similar matters.