The Importance of Website Privacy Policies in California

As companies increasingly maintain an online presence, or operate exclusively online, a common question is: do I really need a privacy policy? Unless you are operating a non-interactive website, such as a blog that has no way for users to enter any information, the answer in California is nearly always “definitely.”

Who needs a privacy policy

Under the California Online Privacy Protection Act of 2003, any operator of a commercial website, mobile application, or online service that collects “personally identifiable information” from its users is required to post a privacy policy on its site and comply with that policy. “Personally identifiable information” means any individually identifiable information about a user, and includes data such as a user’s name, address, email address, telephone number, social security number, and any other identifiers that permit the user to be contacted physically or online. This means that a site collecting payment information from users absolutely needs a privacy policy, and even a site that only collects email addresses to add users to an email list still requires one.

Privacy policy requirements

In order for a privacy policy to be compliant with the law, it must:

  • Identify the categories of personally identifiable information that the website collects;
  • Identify the third-party persons or entities with whom the operator may share the collected personally identifiable information;
  • Describe how users can review and request changes to their personally identifiable information;
  • Describe how users are notified of changes to the operator’s privacy policy for the website;
  • Identify the effective date of the privacy policy;
  • Disclose how the operator responds to web browser “do not track” signals; and
  • Be conspicuously posted on the operator’s website.

Moreover, if a site or online service is directed to children under age 13 or collects information about children under age 13, the Children’s Online Privacy Protection Rule imposes additional notice and consent requirements.

Consequences of not having a privacy policy

A website that collects personally identifiable information from users but does not have a privacy policy is in violation of the law, and therefore could be prosecuted by the government. Additionally, the California Attorney General’s Office recently released a new online form that allows website users to report sites that do not have privacy policies or whose policies do not comply with the legal requirements, which should increase the likelihood that violators will be penalized.

Not only does the privacy policy need to comply with the legal requirements, but the website owner must also comply with the procedures and disclosures listed in its policy and update the policy if its procedures change. A site operator’s failure to comply with the policy could give rise to a lawsuit by a user, and users can also report these types of violations to the Attorney General’s Office.

Conclusion

A well-drafted privacy policy not only ensures that the online company is complying with the law, but it also protects users and site owners by providing a greater level of understanding regarding how users’ information may be shared and updated. Additionally, all online companies should strongly consider posting Terms of Use on their site to make sure that they are adequately informing users about their policies and protecting themselves from potential lawsuits or intellectual property infringement.

Bend Law Group can assist online companies, including mobile application developers, by drafting privacy policies and terms of use that accurately describe the company’s practices and comply with the legal requirements. If you would like to talk more about your online legal needs or have any questions, please give us a call at (415) 633-6841 or send us an e-mail at info@bendlawoffice.com.

Disclaimer: This article discusses general legal issues and developments. Such materials are for informational purposes only and may not reflect the most current law in your jurisdiction. These informational materials are not intended, and should not be taken, as legal advice on any particular set of facts or circumstances. No reader should act or refrain from acting on the basis of any information presented herein without seeking the advice of counsel in the relevant jurisdiction. Bend Law Group, PC expressly disclaims all liability in respect of any actions taken or not taken based on any contents of this article.