DOs and DON’Ts for Website Privacy Policies

It is easy to become lost in the quagmire of privacy obligations for your website. In the absence of a comprehensive federal privacy law in the United States, individual states are enacting their own privacy laws. For a while it was only California, but now many other states either have enacted laws or have pending legislation. And if your website collects any personal information from a resident of the European Economic Area, you have to contend with GDPR. To work through this maze, we have come up with some DOs and DON’Ts for website owners.

  • DO take a hard look at the privacy policy on your website. If your website does not have a privacy policy, DO hop on this immediately! DON’T ignore these new obligations.
  • DO make sure your privacy policy includes at a minimum sections providing the following information:
    • What personal information is collected by the website and how it is collected
    • How the website uses personal information
    • How long personal information is retained
    • With whom personal information is shared
    • Security of the personal information
    • User-generated content (if applicable)
    • The consumer’s choices
    • Cookies and other identifiers
    • Do Not Track (if applicable)
    • State-specific privacy rights
    • International users
    • Children
    • Third party links
    • Changes to the Privacy Policy
    • Contact information
  • DO be sure the link to the privacy policy is prominently displayed. DON’T bury it in a morass of other information.
  • DO have a banner on your home page requiring affirmative acceptance of cookies.
  • DO be sure you have the technical capability to do what you have said you will do. For example, DO make sure you can process “do not sell” requests and “opt-out of the sale/share” requests.
  • DO be sure you have implemented internal training controls.
  • DO be aware of what “personal information” means and DO know that sometimes information that is not otherwise personal can become so when combined with other information.
  • DO be sure you have a cookie policy either as part of your privacy policy or otherwise accessed via a prominent link.
  • DON’T forget about the policy once you have posted it. DO review it annually. If you make any material changes, DO provide advance notice on your home page. DO change the Last Updated date on the policy.
  • If you are a California business, DO have a separate Do Not Sell form.
  • DO be aware of the privacy law, if any, in any state in which you are doing business (even online), whether it applies to your business/organization and, if so, what it requires. DO consider including appropriate provisions from state privacy laws as a matter of good business practice even if not legally applicable.
  • If you collect data from any resident of the European Economic Area, DO be sure you are complying with GDPR, which provides additional rights to such residents.
  • DON’T use deceptive designs such as “dark patterns” that might confuse consumers when making a choice.
  • DO check your vendor agreements for inclusion of privacy obligations where the vendor will have access to personal information.
  • DO be sure you have an unsubscribe option for any communications sent from the website.
  • DON’T forget that your website needs to include Terms of Use and a Copyright Policy as well as a Privacy Policy.
  • DO consider whether your website needs to be accessible under the Americans with Disabilities Act and, if so, what that requires.
  • DO follow best practices even when the letter of the law does not require a particular action.
  • DO seek legal assistance if you need help drafting or revising an appropriate Privacy Policy or other website legal policies.
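The cookie-banner and “Last Updated” items above describe a concrete technical requirement: non-essential cookies and scripts must not run until the visitor affirmatively accepts, the decline option must be as easy to find as accept, and a material change to the policy should trigger a fresh choice. The following is an added example of how a site could implement that gate; it is not code from this article or from any particular vendor. The cookie name `site_consent`, the `POLICY_VERSION` string, the 180-day retention and the `/static/analytics.js` path are assumptions chosen for illustration.

```javascript
// Consent gate: optional cookies and scripts run only after an explicit "Accept".
// Added example; names and values below are assumptions, not part of the article.
const POLICY_VERSION = "2024-05-01"; // assumed: the policy's "Last Updated" date
const CONSENT_COOKIE = "site_consent"; // assumed cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180; // assumed: re-ask after 180 days

// Parse a stored consent record; returns null for anything malformed.
function parseConsent(raw) {
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (typeof rec.version !== "string" || typeof rec.choice !== "string") return null;
    return rec;
  } catch {
    return null;
  }
}

// Decide what the page may do for a stored record and the current policy version:
//  - no record, or a record for an older policy  -> show banner, block optional scripts
//  - "accept" for the current version             -> hide banner, allow optional scripts
//  - "decline" for the current version            -> hide banner, block optional scripts
function consentState(raw, currentVersion = POLICY_VERSION) {
  const rec = parseConsent(raw);
  if (!rec || rec.version !== currentVersion) {
    return { showBanner: true, allowNonEssential: false };
  }
  return { showBanner: false, allowNonEssential: rec.choice === "accept" };
}

// Build the consent cookie. It records the choice, the policy version it was given
// for, and a timestamp. This cookie is strictly necessary, so it may be set before
// acceptance; Secure and SameSite=Lax keep it off plain HTTP and cross-site requests.
function consentCookieString(choice, currentVersion = POLICY_VERSION) {
  const record = { choice, version: currentVersion, at: new Date().toISOString() };
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Pull the consent record back out of a document.cookie-style string.
function readConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Optional scripts are injected only from here, never from the page's <head>.
function loadNonEssential() {
  const s = document.createElement("script");
  s.src = "/static/analytics.js"; // assumed path
  document.head.appendChild(s);
}

// Accept and Decline are built from the same element with the same styling, and
// nothing is pre-ticked, so the banner does not steer the visitor toward one choice.
function renderBanner() {
  const banner = document.createElement("div");
  banner.setAttribute("role", "dialog");
  banner.innerHTML =
    '<p>This site uses optional cookies. See our <a href="/privacy">privacy policy</a>.</p>';
  for (const choice of ["accept", "decline"]) {
    const button = document.createElement("button");
    button.textContent = choice === "accept" ? "Accept" : "Decline";
    button.addEventListener("click", () => {
      document.cookie = consentCookieString(choice);
      banner.remove();
      if (choice === "accept") loadNonEssential();
    });
    banner.appendChild(button);
  }
  document.body.appendChild(banner);
}

// Browser wiring; skipped where no DOM exists so the pure functions can be tested.
if (typeof document !== "undefined") {
  const state = consentState(readConsentCookie(document.cookie));
  if (state.allowNonEssential) loadNonEssential();
  if (state.showBanner) renderBanner();
}
```

Because the stored record carries the policy version, bumping `POLICY_VERSION` when the policy is materially changed invalidates every earlier choice, and visitors are asked again rather than silently carried forward under the new terms. A declined or missing choice keeps the optional script out of the page entirely, rather than loading it and hoping it honours a flag.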