• Internet Rules of the Road II: Web Site Privacy Policies
  • September 26, 2008 | Author: Anne Davies Newman
  • Law Firm: Pepper Hamilton LLP - Harrisburg Office

    Until 2004, Web sites were not required to have privacy policies, unless they were governed by specific regulations (such as those applicable to the financial services or health care industries), were aimed at children, or sought to comply with the Safe Harbor Program designed to permit those in the European Union (EU) to transfer personal data to the U.S. But California passed a law, effective in 2004, requiring owners of commercial Web sites or online services to post a privacy policy meeting certain requirements, if the sites or services collect personally identifiable information about individual consumers residing in California.

    A. California Law

    Most Web sites cannot isolate their visitors from California, so they must comply with California law for all their visitors. For this reason, California’s requirements have become the standard in the U.S. for Web site privacy policies. What follows is a thumbnail sketch of those requirements. (See also the article “California Privacy and Security Legislation Affects Entire Nation”).
    California law requires that a privacy policy (a) disclose the categories of information that identifies persons (“personally identifiable information”) that a Web site collects and the categories of third parties with whom that information will be shared, (b) describe how a user can review and request changes to the personally identifiable information on file with the Web site, if such a process is available, (c) identify the effective date of the policy and (d) describe how users will be notified of changes to the policy.

    A Web site owner must understand what is deemed “personally identifiable information” under the law, in order for its Web site privacy policy to be accurate. California law defines personally identifiable information as name, address, telephone number, e-mail address, Social Security number, any other identifier that permits the physical or online contacting of a specific individual, and any information about a user that a Web site collects and maintains in combination with one of the other types of information listed here.

    A privacy policy must be “conspicuously posted,” and the law offers a number of ways to meet this requirement. On the home page (or the first significant page after entering the Web site), Web site owners may post the privacy policy itself, or a link to the Web page on which the privacy policy is located. A link may take the form of (i) text that includes the word “privacy” or is distinct from the text around it in font or color, or appears in capital letters equal to or larger in size than the text around it; (ii) an icon that includes the word “privacy” and is distinguishable in color or otherwise from the material around it; or (iii) any other link that is “so displayed that a reasonable person would notice it.” It is a good idea, in addition, to post the link in question at any spot on the Web site where the user is asked for personally identifiable information, such as shopping carts, e-mail forms, etc.

    Cal. Bus. & Prof. Code §22577

    Data Security

    But posting a privacy policy is not the end of a business’ obligations regarding personal information it gathers. Since 2005, California law has required businesses that own or license personal information about California residents to implement and maintain “reasonable security procedures and practices appropriate to the nature of the information,” to protect that information from unauthorized access, destruction, use, modification and disclosure. (“Own or license” is intended to include personal information that a business retains as part of its internal customer accounts, or to use in transactions with customers.)

    In addition, if a Web site owner contracts for services (such as Web hosting, credit card processing, etc.) with an unaffiliated third party who will see a user’s name in combination with his or her (i) Social Security number, (ii) driver’s license or California identification card number or (iii) an account number, credit or debit card number together with a security code, access code or password that would permit access to the user’s financial information, then the Web site operator needs to require by contract that the third party implement and maintain the security procedures and practices described above.

    This requirement does not apply to certain health care providers, financial institutions, entities that are “covered entities” under HIPAA, entities that obtain information under California’s Vehicle Code, and entities regulated by laws providing greater protection to personal information than that provided by California’s law.

    Cal. Bus. & Prof. Code §1798.81.5

    Information Disclosed to Direct Marketers

    Likewise, since 2005, California has required that if a business with twenty or more employees discloses personal information regarding customers who are residents of California to a third party for the third party’s direct marketing purposes, the business must either:

    (i) adopt a policy of not disclosing such information to third parties (for the third party’s direct marketing purposes) without the advance agreement of its customers, or give its customers the option, without charge, of “opting out” of such disclosures, and must publicly disclose the policy or option (for example, in its Web site privacy policy), or

    (ii) annually, upon request, identify the categories of personal information disclosed during the previous year and the names and addresses of any third parties to whom the information was disclosed, together with information sufficient to identify the nature of the third parties’ businesses.

    Unlike the California statutes identified above, this one defines “personal information” quite broadly, to include race, religion, political party affiliation, occupation, education, medical condition, height, weight, number and names of children, certain financial information, etc. “Third Parties” is also broadly defined, to include affiliates of the business that are separate legal entities, for example. There is also a lengthy list of exceptions to the statute.

    Cal. Bus. & Prof. Code §1798.83

    B. The Federal Trade Commission

    The Federal Trade Commission (FTC) has jurisdiction over unfair and deceptive practices aimed at consumers. It does not dictate the data collection, use and disclosure practices of a Web site owner or the content of a privacy policy. However, it can bring an enforcement action in response to a claim that a Web site owner does not adhere to the privacy policy it posts. For this reason, a privacy policy should reflect a Web site owner’s actual practices, should avoid raising users’ expectations about privacy and security (for example, with phrases like “we never …” or “we always …”) and should alert users to the fact that no security measures are 100 percent effective against hackers or identity thieves.

    FTC enforcement actions have also made clear that a privacy policy cannot be retroactively modified. That is to say, changes to a privacy policy can apply only to information collected following the change (unless existing users consent to a new use of their personal information). For this reason, Web site owners need to keep track of what data was collected under each version of their privacy policy, so that if a claim is made that the business used data other than in accord with the first policy, for example, it can prove that in fact the data in question was gathered under a second, more liberal policy.

    C. Children’s Online Privacy Protection Act

    Effective in 2000, the Children’s Online Privacy Protection Act (COPPA) and its implementing regulation impose specific requirements on operators of commercial Web sites that target and collect information from children (defined as those under 13 years of age). Operators of such Web sites are required to (i) disclose what information is collected from children, how that information is used and what its disclosure practices are, (ii) obtain verifiable parental consent prior to any collection, use or disclosure of personal information from children, (iii) upon the request of a parent, disclose the type of information collected from his child, provide a means for the parent to review any information collected, and give the parent the option of directing that information collected not be further used or stored, and that further information not be collected, (iv) not require disclosure by a child of more personal information than is necessary for the child to participate in a Web site activity and (v) establish and maintain reasonable procedures to protect the confidentiality, integrity and security of personal information collected.

    Alternatively, a Web site operator will be deemed to be in compliance with COPPA if it conforms to the requirements of FTC-approved organizations like TRUSTe, the Children’s Advertising Review Unit (CARU) or the Council of Better Business Bureaus, Inc., to name a few.

    Privacy policies for Web sites not targeted at children should make clear that such Web sites are intended for adults and do not knowingly collect personal information from those under 13.

    15 U.S.C.A. §§ 6501 – 6506; 16 C.F.R. §§ 312.1 – 312.12

    D. Communications: CAN-SPAM

    Web site operators often send their visitors or members e-mail messages using the e-mail addresses the visitors or members willingly provided. For reasons addressed in Sec. B above, a privacy policy should disclose how a Web site uses the e-mail addresses it is given. In addition to making such disclosures for purposes of accuracy, however, Web site operators should be aware of the requirements of the CAN-SPAM Act, which took effect in 2004 and regulates commercial e-mail transmissions. This article is not a detailed discussion of the CAN-SPAM Act, but Web site operators should be aware of the following:

    (i) The Act and its implementing regulations distinguish between “commercial” e-mail and “transactional or relationship messages” – that is, messages regarding membership, subscription or the purchase of goods or services. If a message contains both kinds of content and could be understood by the recipient to be “commercial,” it will be treated as commercial.

    (ii) If a Web site operator uses the e-mail addresses of its members to send a mass e-mail that is or could be interpreted by recipients as commercial, it must (a) identify the message as commercial, (b) provide a “clear and conspicuous” notice to recipients of their right to “opt out” of future e-mailings and (c) provide a physical address at which the sender can be contacted.

    15 U.S.C.A. §§ 7701 – 7713; 16 C.F.R. §§ 316.1 – 316.5

    For more information on the CAN-SPAM Act, please see Pepper’s Privacy and Security Law Update entitled “What’s a ‘Commercial’ E-Mail Under CAN-SPAM?” and our Privacy and Security Client Alert entitled “FTC Issues New CAN-SPAM Act Rules.”

    E. Information Gathered from Outside the United States

    This article does not discuss in detail the EU Data Directive and the laws of other countries, but Web site operators who gather personally identifiable information from jurisdictions outside the U.S. should be aware that requirements of other jurisdictions need to be considered.

    F. Are Users Bound by Privacy Policies?

    A Web site operator should obtain the consent of its visitors and members to its privacy policy. One way to accomplish this is to include a reference to the policy in the Web site’s Terms of Use, such that a user’s agreement to the Terms of Use constitutes acceptance of the privacy policy as well. But can that consent be passive (as in “your use of this Web site constitutes agreement to these Terms/this Privacy Policy”) or must it be active (where the user cannot proceed without first viewing the Terms or Policy and clicking “I agree”) to be enforceable? This question has not been answered definitively by the courts. What is a Web site operator to do? The answer depends on the level of risk to which a particular Web site is exposed and, in certain heavily regulated industries, on the existence of applicable regulatory requirements. Operators of social networking Web sites, sites that need to verify the age of their members and other sites with a high level of potential liability should require active consent to the Terms of Use and Privacy Policy, (i) through “click through” agreements, (ii) by requiring users to complete and submit an online form containing an electronic signature, or (iii) by requiring users to print, sign and return the signed Terms of Use and Privacy Policy.