Privacy Policy 101

What every website owner should know.

By Mike Young

Maintaining a website means understanding the nuances of privacy policies and establishing those that build trust with visitors, protect users’ information, and comply with complex laws. This is vital information for protecting yourself from lawsuits and government investigations.


General Information About Website Privacy Policies
A website privacy policy is a legal document that describes the privacy rights of site visitors. A good one builds trust between the site owner and visitors. Although not all jurisdictions require websites to have them, some countries and states do. The problem is that most sites don’t restrict access by geographic location. If your site has visitors from another state where privacy policies are required, you have potential liability issues there even if the location where your site is hosted has no such requirement.

Borrowing policy provisions from a big company’s website like Google or Amazon is intellectual property theft and can lead to a copyright infringement lawsuit or at least a cease-and-desist demand letter from corporate attorneys representing the copyright owner of the privacy policy you stole from.


Different Kinds of Privacy Rights
There are many legal variables at play in e-commerce. For example, the extent of protection under the law varies by visitors’ age groups. Minors who are 13 to 17 years old have some legal safeguards under the law that are unavailable to adults. The Children’s Online Privacy Protection Act, which applies to children under 13, is complex to comply with even if you’re an experienced attorney. It’s important to note that your view of who your website visitors are may differ from that of the Federal Trade Commission or a state attorney general’s consumer protection office when they are trying to protect minors.

Additional protections exist for personally identifiable information, or PII, that can be used to identify or track an individual visitor. This commonly includes a visitor’s full name, credit card number, and home address. You want to make it clear in your policy that other visitors who read PII, which is sometimes posted in blog comments or forum posts, can’t abuse it. You’ll want to prohibit or severely limit the circumstances under which they can use such information without the proper consent.

Other protected information includes that of a visitor’s health. In the United States, there are complex rules affecting website privacy promulgated under the Health Insurance Portability and Accountability Act of 1996, or HIPAA, and the Health Information Technology for Economic and Clinical Health Act of 2009. These laws and rules are particularly important to professional health care providers when it comes to protecting patient privacy.


Transparency Is Essential
Your website’s privacy policy should be fully transparent about what data is collected and how it is shared with third parties by an individual visitor or in aggregate. You should also state what you are not doing with the information collected. For example, if you are not selling or sharing data with third parties, let visitors know.


Privacy and Email Marketing
If a visitor can opt into an email list through your website, you should explain the privacy rights related to the use of his or her email address. You should address whether you self-host the list or use a reputable third-party autoresponder service and whether you use co-registration—opting provided email addresses into multiple lists. Privacy policies should also detail the protection of email addresses visitors post on your site. Is there a reasonable expectation of privacy? Or can others who see it email the person directly?


Legal Documents
How other legal documents on your website relate to the privacy policy is something you need to decide and make clear within the policy itself. For example, if there’s a conflict between your website’s terms of use and the privacy policy, which one supersedes? And although it’s possible to lump together the privacy policy, terms of use, refund policy, etc., as a practical matter, the standard practice for limiting liability is to split these out into separate documents linked in your website’s footer. The FTC and other government agencies dislike what they consider to be deceptive trade practices. Consumer protection lawyers make a lot of money suing over actions like hiding legalese in the fine print. You’ll want the footer links to your privacy policy and other documents to be at least the same size as the main text in the body of the page, and you’ll want the color to contrast with the background rather than blending into it.

This article originally appeared on the author’s blog and has been edited and reprinted with permission. Read more at


MIKE YOUNG is a Plano-based solo practitioner focused on internet law.
