6 Things You Should Know About Website Privacy Policies
Privacy is an enormous topic and a complicated matter. Say you ask a person for his name and home address and he gives the data to you. He’s going to be angry if something bad comes of that, or he’s going to be happy if something good comes of it. It all depends on what you promised him you would do with his name and home address. If your promise is on your website, it is referred to as your Privacy Policy. Here are a few things you should know about Privacy Policies.
- If you don’t take any personal information from visitors to your website, you don’t need a Privacy Policy. But be sure that no personal information is in fact collected. For example, ask the designer of your website if it deposits cookies that keep track of any data that a user would consider personal, like the ID and GPS location of their hand-held device while they are on your site.
- A Privacy Policy is a contract between you, the person who owns or operates an interactive website, and the people who use that website. You get something from the users—their information—in return for a promise you must keep—how you will use that information. If you don’t keep your promise, you will be subject to what amounts to breach of contract, and in this case you will be liable for the consequences of that breach. For example, if you misuse a person’s name and home address by selling that information to solicitors, you will have to reimburse that person for all the damage that misuse causes. Bottom line: Tell users truthfully how you will treat their personal data, and do what you tell them you will do.
- In most states and most circumstances, even if you take personal data, you are not required to have a written Privacy Policy, but you should have one if you collect personal data. (If any of your customers are in California, then your website is subject to the law requiring a Privacy Policy there, and if you collect personal data from children you are subject to a federal law called the Children’s Online Privacy Protection Act.) That is because you cannot totally escape liability for misuse of personal data by simply not having a privacy policy. As is the case in many contractual situations, an unwritten privacy contract might be inferred from the way you do business with users. For example, if a person gives you his name and home address so you can ship to him something he bought from your website, that person has a reasonable expectation that shipping the item is the only reason for you to take his name and home address. So if you sell that data to third parties you violate that reasonable expectation and may be held liable for the consequences, just as if you had a written Privacy Policy saying you would not sell that data.
- Your Privacy Policy should state (1) what personal information is collected, and (2) how that personal information is used and to whom it is given. (California users also must be told how they can view and change their personal data.) A blanket statement that you will not give the data to anyone else is unwise. After all, the data is probably coming to you via your internet service provider, so it is already passing through the hands of “others.” And credit card data will surely be sent on to your merchant services provider. If your website hands the user off to another entity to collect and process their data, make that clear as well.
- Except in very specific circumstances, your Privacy Policy can tell your users that you will give their personal data to certain other persons or entities. But telling users that you will be cavalier with their personal data will probably not get you many customers. Connecticut and Michigan are examples of states that prohibit “unlawful disclosure” of social security numbers collected in the course of business. One might argue that disclosure is not “unlawful” if your Privacy Policy frankly tells users that you will sell their SSN to the highest bidder, but I wouldn’t recommend testing that theory.
- Dealing with children’s personal data is an entirely different matter. Requirements for keeping children’s data private come under a federal law. It is strict, as you would hope it to be.
As more websites become interactive in order to provide visitors with a personal experience, more personal data is going to be collected. You should consider creating a Privacy Policy for your interactive website and posting it conspicuously. Think of your Privacy Policy as a contract with your site’s users in which you promise them exactly how you will treat their data in return for the trust they place in you. Then keep your promises!