Are Website Privacy Policies Required by Law?

James Chiodo, Certified Information Privacy Professional CIPP/US

Yes. Operating a website or blog without one can expose you to fines and/or enforcement action from regulatory agencies if you do not comply with the applicable privacy laws.

Not only are you required by law to have a website privacy policy, but you are required to have one that contains specific disclosures. It should also contain provisions that protect you rather than expose you to legal liability. The free privacy policies offered on the Internet are generally not the answer; a website privacy policy drafted by an experienced Certified Information Privacy Professional or an Internet attorney is.

Below are some of the laws that require you to post a privacy policy on your website, blog, or mobile app. In most cases we have included a brief synopsis or the relevant section(s) of the law that relate to website privacy policy requirements. To read the entire law, follow the link under each heading.

The California Online Privacy Protection Act (CalOPPA)
http://goo.gl/hvKCSY


California was the first state to pass a law that required commercial websites and online services to have a privacy policy with specific disclosures posted on their website in a clear and conspicuous place. The California Online Privacy Protection Act took effect in 2004.

California Business and Professions Code 22575
http://goo.gl/hvKCSY

Here is a partial list of the legal requirements from the California Business and Professions Code 22575:

(a) An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site.
(b) The term “conspicuously post” with respect to a privacy policy shall include posting the privacy policy through any of the following:

(1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.
(2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.
(3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:
(A) Includes the word “privacy.”
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.

Assembly Bill 370 (AB 370), amending the California Business and Professions Code
http://goo.gl/jThAhR

Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information the operator collects about individual consumers who use or visit its Web site or online service and the third parties with whom the operator shares the information.

AB 370, effective January 1, 2014, requires an operator to disclose how it responds to “do not track” signals (in practice, the DNT: 1 request header that a browser sends when the user enables the setting) or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different Web sites or online services. It also requires the operator to disclose whether other parties may collect personally identifiable information when a consumer uses the operator’s Web site or service. Note that the law requires disclosure of how the signal is handled; it does not by itself require the operator to honor it, but whatever the policy says must match what the site actually does.
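As an added example (not part of the original article, and not an official tool), the script below automates the text-based parts of the two CalOPPA requirements quoted above: it looks for a "conspicuously posted" privacy link on a homepage per Business and Professions Code 22575(b)(2) and (b)(3)(A) (a link whose text or icon contains the word "privacy"), and it flags which of the disclosures listed in 22575 and AB 370 appear to be missing from the policy text. The size, capitalization and color tests in 22575(b)(3)(B)-(C) cannot be judged from HTML alone and still need a visual review. The sample homepages, the policy text and the disclosure keyword lists are constructed assumptions for the demo.

```python
"""Added example: first-pass CalOPPA checks for a homepage and a privacy policy.
Uses only the Python standard library so it runs offline."""
from html.parser import HTMLParser


class _AnchorCollector(HTMLParser):
    """Collect every <a> element with its href, visible text and the alt/title
    text of any <img> inside it (an icon link under 22575(b)(2))."""

    def __init__(self):
        super().__init__()
        self.links = []       # finished anchors: {"href", "text", "alt"}
        self._current = None  # anchor currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "", "alt": ""}
        elif tag == "img" and self._current is not None:
            self._current["alt"] += " %s %s" % (attrs.get("alt") or "", attrs.get("title") or "")

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def find_privacy_links(homepage_html):
    """Return anchors that satisfy 22575(b)(3)(A) (link text includes the word
    'privacy') or 22575(b)(2) (icon link whose alt/title includes 'privacy').
    An empty list does not prove non-compliance: a link may still qualify under
    the visual tests in (b)(3)(B)-(C) or (b)(4), which need manual review."""
    parser = _AnchorCollector()
    parser.feed(homepage_html)
    return [link for link in parser.links
            if "privacy" in link["text"].lower() or "privacy" in link["alt"].lower()]


# Assumed keyword heuristics (not statutory language): any one phrase in a tuple
# counts as evidence that the disclosure is present. A real review reads the policy.
REQUIRED_DISCLOSURES = {
    "categories of PII collected (22575)": ("categories of personal", "information we collect",
                                            "collect the following"),
    "third parties information is shared with (22575)": ("share", "disclose to third"),
    "response to do-not-track signals (AB 370)": ("do not track", "do-not-track", "dnt signal"),
    "third-party collection on the site (AB 370)": ("other parties may collect",
                                                    "third parties may collect",
                                                    "third-party tracking"),
}


def missing_disclosures(policy_text):
    """Return the names of required disclosures with no matching phrase in the policy."""
    text = policy_text.lower()
    return [name for name, phrases in REQUIRED_DISCLOSURES.items()
            if not any(phrase in text for phrase in phrases)]


# Constructed sample inputs for the demonstration.
GOOD_HOME = ('<html><body><h1>Acme Widgets</h1><nav><a href="/about">About</a>'
             '<a href="/privacy">Privacy Policy</a></nav></body></html>')
ICON_HOME = '<a href="/legal"><img src="lock.png" alt="Privacy"></a>'
BAD_HOME = '<a href="/legal">Legal</a><a href="/terms">Terms</a>'
SAMPLE_POLICY = """We collect the following categories of personal information: name, email.
We share information with third parties such as our payment processor.
Other parties may collect information about your browsing when you use our site."""

if __name__ == "__main__":
    for name, page in (("good", GOOD_HOME), ("icon", ICON_HOME), ("bad", BAD_HOME)):
        print(name, [link["href"] for link in find_privacy_links(page)])
    print("missing:", missing_disclosures(SAMPLE_POLICY))
```

Run it against a saved copy of your homepage and policy; the sample policy above is deliberately silent on "do not track", which is the one disclosure the checker reports as missing.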

Other State Laws That Affect Website Privacy Policies

The Delaware Online Privacy and Protection Act
http://goo.gl/LB0ELE

The Act requires the operator of an Internet service to make its privacy policy conspicuously available on that service if the service collects personally identifiable information from Delaware residents for commercial purposes, and it requires the operator to comply with that privacy policy. The Act, among other things, requires that the privacy policy identify the categories of personally identifiable information the operator collects about individual consumers who use or visit its Internet service and the third parties with whom the operator may share the information. The Act took effect January 1, 2016.

Nebraska Stat. § 87-302(14)
http://uniweb.legislature.ne.gov/laws/statutes.php?statute=87-302

Nebraska prohibits knowingly making a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, about the use of personal information submitted by members of the public.

Pennsylvania 18 Pa. C.S.A. § 4107(a)(10)
http://goo.gl/SwTXRS

A person commits an offense if, in the course of business, the person knowingly makes a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.

Global Privacy Laws

United Kingdom and European Union Privacy Laws
https://goo.gl/KxvJ6U

http://goo.gl/H76GnR
http://goo.gl/41cuin

Most websites are accessible worldwide, and many countries’ privacy laws apply to operators outside their borders once those operators collect personal information from, or offer goods or services to, their residents. As an example: if you live in and operate a website from the U.S., and visitors and users in Australia, the United Kingdom, the European Union, Canada and other countries with privacy laws can interact with and use your website, you should expect those countries’ privacy laws to reach you even though you do not live there.

Canadian Privacy Laws
http://entreprisescanada.ca/eng/page/2764/
https://www.priv.gc.ca/information/pub/guide_org_e.asp#s209

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal Canadian law that governs the collection, use and disclosure of personal information in the course of commercial activity. The Digital Privacy Act, which amended PIPEDA (adding, among other things, mandatory breach notification), received Royal Assent in June 2015.

Canadian privacy law follows the same theme as other countries’ laws in governing websites that collect any type of personal information.

There are some things to consider when doing business on the Internet. You should fully understand how your website business complies with Canadian privacy law requirements. If your website collects personal information, you should create a legally compliant privacy policy and post it in a place on your website that is easily visible to your users. If your website uses cookies or other tracking identifiers to track visitors, you should explain this in your privacy policy as well.

Australian Privacy Laws
http://goo.gl/Zg1M07
http://goo.gl/vUzlZC

Australian privacy law centers on the protection of an individual’s personal information.

Personal information is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable. Common examples are an individual’s name, address, telephone number, signature, date of birth, bank account information, medical records, and commentary or opinion about a person.

Website Privacy Policy Requirements from Major Companies

Separately from any legal requirement, several large companies, including Google, Bing, Amazon, and Facebook, require website and mobile app owners to post a privacy policy with specific disclosures on their website or inside their mobile app as a condition of their terms of service. Failing to meet their privacy requirements can get you banned from their programs.

Other Laws You May Not Know About That Could Affect You

California Business & Professions Code Section 17538(d)

Section 17538(d) states that in any transaction involving a buyer located in California, a vendor, before accepting any payment, must disclose to the buyer in writing or by electronic communication (e.g. e-mail or on-screen notice): (1) the vendor’s return and refund policy; (2) the legal name of the vendor; and (3) the complete street address from which the vendor’s business is conducted.

(d) A vendor conducting business through the Internet or any other electronic means of communication shall do all of the following when the transaction involves a buyer located in this state:
(1) Before accepting any payment or processing any debit or credit charge or funds transfer, the vendor shall disclose to the buyer in writing or by electronic means of communication, such as e-mail or an on-screen notice, the vendor’s return and refund policy, the legal name under which the business is conducted and, except as provided in paragraph (3), the complete street address from which the business is actually conducted.
(2) If the disclosure of the vendor’s legal name and address information required by this subdivision is made by on-screen notice, all of the following shall apply:
(A) The disclosure of the legal name and address information shall appear on any of the following: (i) the first screen displayed when the vendor’s electronic site is accessed, (ii) on the screen on which goods or services are first offered, (iii) on the screen on which a buyer may place the order for goods or services, (iv) on the screen on which the buyer may enter payment information, such as a credit card account number.

In May 2014, Kamala Harris, then California’s Attorney General, released “Making Your Privacy Policy Public.” These guidelines were drafted to help website, blog and mobile app operators comply with CalOPPA (the California Online Privacy Protection Act) and the “Do Not Track” disclosure requirements that took effect January 1, 2014. The guidelines are available free of charge from the California Attorney General’s office.

Enforcement Actions
The California Attorney General has put online operators on notice that the office will pursue enforcement against those who do not comply with the law. Non-compliance can carry a fine of up to $2,500 per violation. Enforcement regimes vary from country to country, but fines are the common theme.

This list of privacy laws that affect website owners is by no means complete.

DisclaimerTemplate.com