Do Websites Need Privacy Policies?

Some of the most valuable assets of any business are its customers and the information that the business maintains about them. As the type and number of regulations governing consumer privacy increase, so do the risks of gathering and storing customer data. We can help you assess those risks and craft one or more privacy policies designed to avoid exposure.

Privacy policies are more than an explanation of what information a business collects and what it does with that information. Increasingly, privacy policies are expected, if not required, to address how information is gathered, when and with whom it is shared, how customers may interact with it, and what is done to protect it. Certain types of businesses, including healthcare, financial, and child-oriented companies, as well as businesses with overseas customers (EU residents especially), face even greater regulation.

Recent FTC guidance and enforcement activity by various state Attorneys General have effectively mandated privacy policies for mobile apps that collect personal data, and they have also recommended best practices for app developers on when to provide additional notice about personal data collection. We ensure that your company stays abreast of all of the new regulations and recommended best practices.

We can help you craft a privacy policy that complies with the law and also balances your business’s need for flexibility with your customers’ wishes to have their information treated responsibly. We can also help you structure your business and website so as to make the most of your customer information resources, all while helping keep your collection, use, disclosure, and data security practices in compliance with the law.

Relevant State Laws:

California

Calif. Bus. & Prof. Code § 22575 
Requires the operator of a commercial web site or online service to disclose in its privacy policy how it responds to a web browser ‘Do Not Track’ signal or similar mechanisms providing consumers with the ability to exercise choice about online tracking of their personal information across sites or services and over time. It also requires the operator to disclose whether third parties are or may be conducting such tracking on the operator’s site or service.

Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA)
California’s Online Privacy Protection Act requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an Internet Web site or online service for commercial purposes, to post a conspicuous privacy policy on its Web site or online service (which may include mobile apps) and to comply with that policy.

The law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service, and the categories of third parties with whom the operator may share that information.

Connecticut

Conn. Gen. Stat. § 42-471
Requires any person who collects Social Security numbers in the course of business to create a privacy protection policy. The policy must be "publicly displayed" by posting on a web page, and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

Delaware

Del. Code Tit. 6 § 1205C (Delaware Online Privacy and Protection Act)
Requires an operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware who use or visit that website, service, or application to make its privacy policy conspicuously available on that website, service, or application.

An operator is in violation of this subsection only if it fails to make its privacy policy conspicuously available within 30 days after being notified of noncompliance. The statute also specifies the required contents of the policy.

New York

N.Y. Gen. Bus. Law § 899-bb ("Stop Hacks and Improve Electronic Data Security Act" or SHIELD Act)
Requires that "any person or business" that owns or licenses computerized data which includes private information of a New York State resident "shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information." Small businesses (fewer than 50 employees, less than three million dollars in gross annual revenue in each of the last three fiscal years, or less than five million dollars in year-end total assets) may scale their data security program according to their size and complexity, the nature and scope of their business activities, and the nature and sensitivity of the information they collect.