April 2010 – Online Insights: Legal Issues

Website Privacy Policies and Terms of Use
A privacy policy is a legal notice on a website providing information about the use of consumers’ personally identifiable information by the website owner. While there currently is no general federal law requiring any website operator to post a privacy policy, there is a California state law (discussed below). Moreover, the Federal Trade Commission (FTC) and state attorneys general regularly investigate and pursue legal action against website operators who collect personal information without consent and share that information with third parties. Thus, if you own a website that involves e-commerce or facilitates social networking, or you otherwise engage in the online collection and/or sharing of your customers’ personally identifiable information, you should post a privacy policy on the homepage of your website.
“Personally identifiable information” generally means any information collected online about an individual consumer, such as his/her name, street address, e-mail address, telephone number, social security number or any other information that permits the physical or online contacting of a particular individual.
In 2004, California became the first state to enact a law mandating that a privacy policy be posted on any commercial website that collects personally identifiable information about California residents. The California Online Privacy Protection Act (“OPPA”) also extends beyond California’s borders because websites all over the United States (and even globally) can be accessed by California residents who may submit their personally identifiable information at any time. OPPA requires privacy policies to set forth what information is collected and how it is shared. Those who fail to comply with OPPA risk civil suits for unfair business practices.
What Should The Privacy Policy Contain?
To comply with OPPA requirements, as well as FTC and other states’ standards, your website privacy policy should address all of the following issues:
- What type of personal information is collected on the website?
- How is the collected data used? Is it stored or discarded? Is it disclosed to third parties? If so, to whom?
- Are cookies used and if so, what type of information is recorded?
- How can consumers opt out of receiving e-mails from the website and from disclosure of their information to third parties?
- Does the website collect information from children under the age of 13? If so, how does the website obtain verified parental consent for information about their children in compliance with the Children’s Online Privacy Protection Act (“COPPA”), a federal statute?
- How does the website operator keep its server and online operations secure?
- How can a consumer review and make changes to his or her personally identifiable information, if the website allows such review and changes?
- How do consumers learn of changes made to the website privacy policy?
- What is the effective date of the privacy policy?
Most important, once you have a privacy policy in place, your company should act in accordance with it. Companies have gotten in trouble with the FTC for having a “deceptive” privacy policy–one that does not reflect the actual practices of the company. Recent litigation in this area has focused on companies that posted privacy policies promising not to share their customers’ personal information, but subsequently did disclose data to third parties.
Another trouble area arises when companies change their privacy policies without giving consumers appropriate notice and an opportunity to opt out. Most of the legal actions to date have been based on the FTC Act and state consumer protection statutes that prohibit “unfair and deceptive practices.” The FTC and state attorneys general have applied these laws to website owners that fail to comply with their own posted privacy policies.
Once you have adopted a legally compliant privacy policy that you are comfortable with, the privacy policy must be “conspicuously posted” on your website, in accordance with OPPA. This means that a link to the privacy policy should appear on the homepage of your site, contain the word “privacy” and should be written either in capital letters equal to or greater in size than the surrounding text, in a type, font or color that contrasts with the surrounding text of the same size, or be otherwise distinguishable from the surrounding text on the homepage.
Finally, to the extent possible, your privacy policy should be written in clear and simple language that the average consumer can understand. Certainly, legal compliance with OPPA and other laws is a key consideration; however, if your privacy policy is so filled with legal jargon and technicalities that your consumers feel confused about and distrustful of your practices, they may lack confidence in your business and will not feel comfortable providing their information to you online. Seek the assistance of legal counsel to help you draft a website privacy policy that is not only legally compliant, but also clear, concise and easy to understand.
Terms of Use
Website terms of use (a.k.a. “terms of service” or “terms and conditions”) provide information about the content of a website and what users are and are not permitted to do with the website. Posting terms of use is generally in the best interests of a website owner. Unlike a privacy policy, in which a website operator sets forth promises to protect users’ personal information, terms of use set forth terms and conditions that protect the website operator.
Your terms of use should include the following main points:
- A statement that use of the website constitutes consent to the terms of use and privacy policy;
- A disclaimer of warranties and a statement that the website is provided “as-is”;
- A limitation of liability clause;
- A statement of intellectual property ownership pertaining to copyrights and trademarks on the website;
- An arbitration, choice of law and venue clause stating that any dispute relating to use of the website will be subject to arbitration in the home state of the website owner;
- Prohibition against interfering with the website or using it for an illegal or improper purpose; and
- A statement that the terms of use and privacy policy may change at any time.
Some courts have held that merely posting a link to terms of use in small print at the bottom of a homepage is insufficient and may render the terms of use unenforceable. Accordingly, a better practice is to require users to affirmatively click an “I Agree” or similar button–posted along with the terms of use and privacy policy–in order to access the website or conduct transactions. Moreover, if important provisions such as arbitration clauses are hidden deep within the document, they are less likely to be enforceable. Arbitration clauses should be bolded or highlighted and/or listed under a separate heading (rather than buried within a “General” or “Miscellaneous” section).
In today’s digital age, websites are an essential and prominent aspect of any business owner’s operations. Enlist the expertise of counsel to help you prepare clear and concise privacy policies and terms of use that will protect your interests and ensure that you are compliant with the law.
Natasha Shabani is an attorney with Rutter Hobbs & Davidoff, a law firm based in Los Angeles. She specializes in advertising, promotions and intellectual property and can be reached at (310) 789-1858 or via e-mail at nshabani@rutterhobbs.com.
