Website Privacy Policy Agreements: What the Law Requires

A good internet law attorney will advise you that your Privacy Policy is perhaps the most important part of your website agreement package.  Sure, you need Terms of Use (TOU) also known as Terms of Service (TOS), a copyright policy and specific terms in those portions of your website agreements.  But the Privacy Policy is fundamentally different in that there are laws which govern what needs to be included in privacy policies if, in fact, you do business or have website visitors in different countries.  Here are the basics you need to understand about your Privacy Policy.  You should contact a lawyer that specializes in website agreement drafting, website agreement forms and specifically Privacy Policy drafting guidelines.

• – In the United States, we don’t have specific laws which govern requirements or terms which must be included in a Privacy Policy.  There are a variety of different statutes which do affect the information which will go in your Privacy Policy such as the Children’s Online Privacy Protection Act (COPPA) and certain other statutes for both the financial market and health care records.  Some states in the United States have implemented regulations for privacy policies such as California, who passed the Online Privacy Protection Act of 2003.  The Online Privacy Protection Act in California requires “any commercial website or online services that collect personal information on California residents to a website to conspicuously post a Privacy Policy on their site.”  Both Nebraska and Pennsylvania also have statutes which govern misleading statements in privacy policies.  A variety of different states have consumer protection statutes which might also be used by a lawyer on behalf of a website visitor to bring litigation against your company if your Privacy Policy isn’t drafted appropriately.

• – The European Union (EU) has potentially the most strict data protection and data privacy rules which affect the Privacy Policy you need to post on your website.  The EU policies must be met by any United States business operating in the European Union, as well as any website that collects information from citizens of the EU.  There is a Safe Harbor Program which allows United States companies or websites doing business in the EU some latitude in compliance.  The EU Safe Harbor Provision will allow you to comply with the EU privacy regulations as long as you follow certain general rules and guidelines for your online website Privacy Policy.  In general, you must inform website visitors that their data is being collected and tell them how you will use that data.  You have to give website visitors a choice and an option to opt-out of the collection or the use of data by third-party partners of that website.  You can’t forward information to third parties who haven’t also complied with the EU Safe Harbor provisions.  You definitely have to make reasonable efforts to provide security over the data and ensure that the data is reliable.  One of the most difficult provisions is that you have to allow individuals and website visitors to access information related to them.

Companies doing business in the EU, which is any website really that reaches EU citizens, need to certify their Safe Harbor compliance.  A good Privacy Policy attorney or law firm can help you gain certification.

The EU privacy directives tend to set the bar for all companies doing business on the internet.  In drafting a Privacy Policy for your website, you should take the International Safe Harbor Privacy Principles into account.