Clients often ask whether their website needs a privacy policy. If your website collects personal information from its users, then yes, you need a privacy policy.  (This applies also to apps, so pay attention!)

What Laws Regulate Online Privacy?

The US regulates children’s online data privacy through the Children’s Online Privacy Protection Act.  Unlike Europe, with its comprehensive data privacy law, the US does not have a national law.  Instead, it is up to each state.  Some states, such as California, Nevada, Delaware, and Vermont, have enacted privacy laws, but they vary considerably.

While they are not laws, don’t overlook platform requirements. Apple, Microsoft, Google, and others require app sellers to disclose your privacy practices before you are permitted to sell your app on their platforms.

Similarly, if you use APIs licensed by a social media platform (such as Facebook or Twitter), you must comply with their privacy policy disclosure requirements.  The specific requirements vary by platform, but in general they require, at a minimum, the items noted below in What Should a Privacy Policy Include?

Finally, there are special laws pertinent only to specific industries.  The Health Insurance Portability and Accountability Act (HIPAA) regulates the privacy of some healthcare business websites and apps.  The Gramm-Leach-Bliley Act applies to certain businesses in the financial industry.

What Should a Privacy Policy Include?

While each policy depends upon how users interact with your website or app, there are some general terms all privacy policies should include.

• What personal information your company collects.
• How you collect the information.
• How you store personal information (your security practices).
• How you use the information (do you sell it, analyze user behavior, advertise, etc.?).
• How you share, distribute, or sell the personal information.
• How users can review the information you have collected about them.
• Whether and how users can opt-out of data collection.
• Whether and how users can delete the personal information you collected.

Remember, though, your privacy policy must accurately describe your privacy practices.  If you recall past privacy scandals, you know that users are generally okay with data collection; they just get very upset when a company falsely claims to protect user privacy.

What is Personal Information?

Before you write a privacy policy, you need to know what “personal information” is.  Personal information (also called personally identifiable information) is information about a website or app user that can identify an individual or is linked to an individual.

Personal information typically collected by websites and apps includes:

  • Name, address, telephone number, e-mail address, date of birth, and social security number
  • Biometric data (such as fingerprint, facial, and voice recognition)
  • Internet Protocol (IP) address, device identification, and location data
  • Mother’s maiden name
  • Medical records
  • Financial records
  • Employment and education information
  • Browsing habits
  • and much, much more

How Do I Know If My Site Collects Personal Information?

In some instances, it is obvious.  If you sell items or services, then you are collecting the user’s name, e-mail address, telephone number, and other related information.

If you use Google Analytics or similar services, you are collecting data (even though you might be unable to identify a specific user yourself, the analytics company can).

If you allow users to post content on your site (comments, images, videos, etc.), then you are collecting personal information.

When in doubt, your policy should simply state that your business “may” collect personal information.  This allows you to increase or decrease data collection without having to amend your policy each time you do so.

Looking For Help?

Due to the variation between the laws, it is helpful to consult an attorney well-versed in online data privacy laws. The extent to which any data privacy law applies depends on how users interact with your website and app and the information you collect and share.

Luckily for you, Christine Kuntz with Concerto Law has drafted many privacy policies (and terms of service policies) for website owners and app sellers.  Contact us today.