CLIENT PAGE
Privacy Policy 101
What every website owner should know.
By Mike Young
Maintaining a website means understanding the nuances of privacy
policies and establishing those that build trust with visitors, protect
users’ information, and comply with complex laws. This is vital
information for protecting yourself from lawsuits and government
investigations.
General Information About Website Privacy Policies
A website privacy policy is a legal document that describes the
privacy rights of site visitors. A good one builds trust between the
site owner and visitors. Although not all jurisdictions require websites
to have them, some countries and states do. The problem is that most
sites don’t restrict access by geographic location, which means that if
you’ve got a site with visitors from another state where privacy
policies are required, you have potential liability issues even if the
location where your site is hosted doesn’t have such requirements.
Borrowing policy provisions from a big company’s website like Google or
Amazon is intellectual property theft and can lead to a copyright
infringement lawsuit or at least a cease-and-desist demand letter from
corporate attorneys representing the copyright owner of the privacy
policy you stole from.
Different Kinds of Privacy Rights
There are many legal variables at play in e-commerce. For example, the
extent of protection under the law varies by visitors’ age groups.
Minors who are 13 to 17 years old have some legal safeguards under the
law that are unavailable to adults. The Children’s Online Privacy
Protection Act, which applies to children under 13, is complex to comply
with even if you’re an experienced attorney. It’s important to note your
view of who your website visitors are may be different from that of the
Federal Trade Commission or a state attorney general’s consumer
protection office when trying to protect minors.
Additional protections exist for personally identifiable information,
or PII, that can be used to identify or track an individual visitor.
This commonly includes a visitor’s full name, credit card number, and
home address. You want to make it clear in your policy that other
visitors who read PII, which is sometimes posted in blog comments or
forum posts, can’t abuse it. You’ll want to prohibit or severely limit
the circumstances under which they can use such information without the
proper consent.
Other protected information includes that of a visitor’s health. In the
United States, there are complex rules affecting website privacy
promulgated under the Health Insurance Portability and Accountability
Act of 1996, or HIPAA, and the Health Information Technology for
Economic and Clinical Health Act of 2009. These laws and rules are
particularly important to professional health care providers when it
comes to protecting patient privacy.
Transparency Is Essential
Your website’s privacy policy should be fully transparent about what data
is collected and how it is shared with third parties, whether per
individual visitor or in
aggregate. You should also state what you are not doing with the
information collected. For example, if you are not selling or sharing
data with third parties, let visitors know.
Privacy and Email Marketing
If a visitor can opt into an email list through your website, you
should explain the privacy rights related to the use of his or her email
address. You should address whether you self-host the list or use a
reputable third-party autoresponder service and whether you use
co-registration—opting provided email addresses into multiple lists.
Privacy policies should also detail the protection of email addresses
visitors post on your site. Is there a reasonable expectation of
privacy? Or can others who see it email the person directly?
Legal Documents
How other legal documents on your website relate to the privacy policy
is something you need to decide and make clear within the policy
itself. For example, if there’s a conflict between your website’s terms
of use and the privacy policy, which one supersedes? And although it’s
possible to lump together the privacy policy, terms of use, refund
policy, etc., as a practical matter, the standard practice for liability
is to split these out into separate documents linked in your website’s
footer. The FTC and other government agencies dislike what they consider
to be deceptive trade practices. Consumer protection lawyers make a lot
of money suing over actions like hiding legalese in the fine print.
You’ll want the footer links to your privacy policy and other documents
to be at least the same size as the main text in the body of the page,
and you’ll want the color to contrast with the background rather than
blending into it.
This article originally appeared on the author’s blog and has been edited and reprinted with permission. Read more at mikeyounglaw.com/website-privacy-policy-faqs.
MIKE YOUNG is a Plano-based solo practitioner focused on internet law.