What should be in a Privacy Policy?
The content of a business's Online Privacy Policy will depend on what state or country's laws apply and how personal information is collected and used.
Most legal requirements focus on notifying a user about one or more of the following:
- What information is collected.
- Who collects the information and how to contact them.
- How the information is collected.
- The legal basis for collection.
- How the information is stored.
- Who, including any third parties, can access and use the information.
- Any rights a user has over their information.
Some places have more extensive requirements and place certain duties on website owners. For example, under the European Union's General Data Protection Regulation (GDPR), users must be able to easily:
- Withdraw consent to their data usage at any point in time.
- Correct personal information held by a company.
- File complaints with governmental authorities.
Additionally, GDPR-compliant Online Privacy Policies have to be drafted with certain style guidelines in mind to be more understandable to users.
Another consideration is how customers agree to the policy. Some laws, such as those in the U.S., have an opt-out standard where customers implicitly agree to data collection unless they inform the website owner otherwise. In other countries, such as across the EU, there is an opt-in standard. This requires customers to "check the box" and explicitly permit data collection. Some laws, like the California Consumer Privacy Act (CCPA), employ a hybrid approach.
What privacy and data protection laws do businesses need to follow?
Figuring out what laws apply to you or your website can be tricky, especially since data privacy laws continuously evolve but still lag behind technological advancements. It is a good idea to ask a lawyer to get the most current information for your area, and to understand what actions you may need to take to be compliant.
Countries around the world and states throughout the U.S. have their own data privacy regulations. Some privacy regulations, such as the GDPR, CCPA, and COPPA, apply based on the location of the user or the business. This means that if the business, the website, or the user is located in a place where a data privacy law applies, the business or website must follow it.
Given the global nature of the internet, a website based out of one country serving customers in that country alone may still need an Online Privacy Policy that is compliant with more than one country's laws.
Uniquely, the United States does not have a general data privacy law at the federal level other than for websites that:
- Knowingly collect the information of children under 13 years of age (COPPA).
- Are "significantly engaged" in financial activities (GLBA).
- Are regulated by the Health Insurance Portability and Accountability Act (HIPAA).
Nevertheless, websites not subject to the above may still need an Online Privacy Policy. The Federal Trade Commission (FTC) may punish "deceptive or misleading practices." The FTC may fine businesses if their websites fail to disclose how personal information is used.
States are also stepping in and filling the gap with their own privacy policy laws, starting with the California Online Privacy Protection Act (CalOPPA) and California Consumer Privacy Act. Similar to the GDPR, these laws require websites to make certain disclosures as well as provide consumers the right to delete personal information or opt out of data collection.
But they go even further by prohibiting businesses from discriminating against a consumer who has exercised their data privacy rights.
What are the penalties for data privacy violations?
The penalties for violating data protection laws can be severe. For example, in California a business may face $2,500 in damages for every time a non-compliant mobile app was downloaded by a California resident. Under federal law, COPPA violations may result in fines up to $40,000 for each child whose information is improperly collected. The GDPR allows for up to 4% of a company's annual turnover (revenue) as a penalty for non-compliance.
Does an Online Privacy Policy apply to employees?
Employee personal data is subject to many of the same protections as customer personal data, including the disclosure requirements noted above. A privacy policy for employees may be included in the Employee Handbook.
But that does not mean your customer-facing Online Privacy Policy can be copied over into your Employee Handbook. As discussed above, most data privacy laws require a specific purpose for collecting information. The purpose of keeping an employee's personal information differs from the purpose of keeping a customer's information. Additionally, when health information is collected about employees, more stringent and complex privacy issues may apply.
A company's Privacy Policy tells a customer, client, or employee how information is collected, stored, protected, and used. It is a notice and disclosure more than anything else. Data privacy laws, however, impose restrictions on how that data is protected, transferred, used, and monetized.
To get help with your Online Privacy Policy or your entire data privacy compliance strategy, reach out to a Rocket Lawyer On Call® attorney.
This article contains general legal information and does not contain legal advice. Rocket Lawyer is not a law firm or a substitute for an attorney or law firm. The law is complex and changes often. For legal advice, please ask a lawyer.