Mark Evans

Online privacy and data security are ever-present concerns in today’s business. Your company’s website probably has an online privacy policy, but have you ever considered what it says? For that matter, have you even read it? A number of state and federal statutes apply to online privacy and require that your privacy policy meet certain conditions. If your business utilizes other online services, such as mobile applications, online privacy requirements apply to those services as well.

Protecting Children Online

For example, the Children’s Online Privacy Protection Act of 1998 and the FTC’s Children’s Online Privacy Protection Rule apply to web sites or online services that are “directed to children” under the age of 13 or operators who have actual knowledge that they are collecting or maintaining personal information from a child. The Rule requires such operators to post a comprehensive privacy policy describing their information practices for personal information collected online from children, and creates other requirements such as parental consent and notification about collection of children’s information. The Rule also requires that operators take certain steps to protect such information and to retain such information for only so long as is necessary.

Online Presence

Businesses with an online presence are also subject to an array of state regulations. Prominent among them is California’s Online Privacy Protection Act (CalOPPA), which is one of the more comprehensive state statutes. CalOPPA applies to any operator of a website or online service that collects personally identifiable information about consumers residing in California—in other words, potentially anyone with a significant online presence. CalOPPA contains a comprehensive list of requirements about the placement, visibility, and contents of online privacy policies, including disclosure requirements about how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information.

Because of its wide applicability and comprehensive requirements, CalOPPA is seen as a benchmark for online privacy statutes and operators of online services strive to adhere to it. Further, California has recently expanded its protection of online privacy by enacting the California Consumer Privacy Act of 2018. When it becomes effective on January 1, 2020, the new Act will require additional disclosures to be included in online privacy policies, and will allow California consumers to request that businesses disclose what personal information is collected, request the deletion of such information, and opt out of having their personal information sold.

Enforcing Policy

It is not enough just to have a privacy policy that is compliant with state and federal law. Your company must also follow through with the promises it makes in its privacy policy. The Federal Trade Commission can bring, and recently has brought, enforcement actions against companies that deceive consumers by misrepresenting what actions they do and don’t take in their online privacy policies. If you have never given much thought to what your privacy policy says – or what it should say – now may be the right time to review the policy and your company’s online privacy practices to ensure compliance.

Mark L. Evans, Partner