Websites and internet-based startups are booming. Many startups thrive by collecting data about their online users’ age, gender and geography and interpreting that data to predict consumer preferences and demand. In addition, many third party marketing services pay a premium for useful consumer data. Startups often find that data is their single most valuable asset.

But with big data comes big responsibility. Most websites and online services are obligated to disclose their privacy practices. Failure to do so can raise concerns for potential investors or acquirors and could even result in lawsuits or the attention of state regulators. Overbroad privacy disclosures, or borrowing disclosures from other websites, may also inhibit a startup from evolving its data monetization strategy as its business model evolves. Each startup needs a tailored approach to privacy to prevent these risks and maximize the value of its consumer data.

A privacy policy is a statement that discloses the ways that a website or online service collects, uses and manages the data of its users. There is no comprehensive law addressing privacy policies, but California’s privacy policy requirements are the most stringent and apply to all commercial websites and online services that collect personally identifiable information (“PII”) from individual California residents who use the website or online service. PII may include a user’s first and last name, physical address, email address, phone number, social security number or any potential contact information.

Since most commercial websites and online services will have California users, startups that collect PII online should account for the following California requirements when designing a privacy policy:

  1. Conspicuously Posted
  • The privacy policy must be easy to find. Make sure users can quickly locate the website or online service’s privacy policy before they are prompted to provide any PII.
  2. Identify Categories of PII Collected and Who Else Sees It
  • The privacy policy should tell users what types of PII are collected on the website or online service.
  • The privacy policy should also describe the categories of third parties with whom the PII is shared. The privacy policy does not need to list specific names, just the overarching category.
  3. Describe the Website or Online Service’s Process for Individual Users to Review and Revise Their PII (if such a process exists)
  • For example, websites with registered users often have individual account pages where users can log in to review and revise their PII. Other websites have a specific email address for users to request revisions to their PII, such as “updatemyinfo@startup.com”.
  4. Describe the Website or Online Service’s Process to Notify Users of Material Changes to the Privacy Policy
  • For example, Facebook notifies users of privacy policy changes through several outlets, including email.
  5. Identify the Privacy Policy’s Effective Date
  6. Disclose How the Website or Online Service Responds to “Do Not Track” Signals Regarding a User’s Online Activities Over Time and Across Different Websites
  • Tools like Google Analytics track users’ online activity, including which websites they visit. Website and online service operators can use this information to learn more about the people visiting their site.
  • Some users select a “Do Not Track” option to request that websites and online services not collect this information. The privacy policy should inform users how the website or online service responds to these requests.
    • The website or online service isn’t required to honor “Do Not Track” requests, but the privacy policy must be open and straightforward about the response.
  • A hyperlink to a description of the website or online service’s “Do Not Track” policy can satisfy this requirement.
  7. Disclose Whether Other Parties May Collect a User’s PII from the User’s Activity on the Website or Online Service
  8. Special Rules for Certain Websites and Online Services
  • Startups in certain sectors have more stringent privacy policy requirements. These sectors include:
    • Financial institutions
    • Healthcare or anything involving health information
    • Telecommunications
  • Startups that collect PII from children under the age of 13 must obtain verifiable parental consent before collecting, using or disclosing such PII.

These points should provide a good starting point for a startup’s privacy policy, but privacy policies are not one-size-fits-all documents. Every website and online service is unique, and each company should have a privacy policy tailored to the data it collects, how it uses the data and how it might use the data in the future.