Except for a handful of laws that apply to specific industries, such as health and financial services, there is no comprehensive federal law that requires companies to have a privacy policy. However, some states, including California, have laws that require privacy policies. For example, the California Online Privacy Protection Act of 2003 (“Cal OPPA”) requires that every owner of a commercial website or online service that collects personal data from California residents must prominently post a privacy policy that meets certain requirements on its website.  Even if you are not legally required to do so, you may wish to develop a privacy policy to increase your credibility, and help build trust, with your users.

Your Privacy Policy Must Accurately Reflect Your Company Practices

According to the Federal Trade Commission (“FTC”), a company that does not comply with its own privacy policy is violating Section 5 of the Federal Trade Commission Act.  The FTC actively pursues companies that have violated their privacy policies and has brought general privacy lawsuits against companies.

For example, in December 2013, the FTC settled charges brought against Goldenshores Technologies, the maker of a popular flashlight app whose privacy policy promised it would collect information from users’ mobile devices for certain internal housekeeping purposes, but failed to disclose that the app also transmitted the device’s location, precise device ID, and other device data to third parties, including mobile advertising networks.  The settlement required Goldenshores to delete all personal data it had collected through the mobile app and prohibits Goldenshores from continuing to misrepresent how it collects and shares personal data.

As a result, it is important that your privacy policy be accurate in all respects.  Your policy may state the ceiling, not the floor, on what you will do with your users’ personal data.  For example, it is acceptable for your privacy policy to state that you may share personal data with specified categories of third parties, such as service providers, even though you are not currently sharing personal data with any third party.  On the other hand, it is not acceptable for you to disclose personal data to third parties if your privacy policy does not disclose that you may do so.  In order to avoid the need to continuously revise your privacy policy, you should draft it to disclose data collection, use, and sharing that you can reasonably foresee engaging in within the first 6 to 12 months of the effective date of the policy, or any revised version of the policy.

Rules for Posting Your Privacy Policy

Cal OPPA requires that every owner of a commercial website or online service that collects personal data from California residents must post its privacy policy conspicuously on the company’s website.  According to Cal OPPA, a privacy policy is conspicuously posted when:

  • The policy appears on the home page of the website; or
  • The policy is directly linked to the home page via an icon that contains the word “privacy,” and such icon appears in a color different from the background of the home page; or
  • The policy is linked to the home page via a hypertext link that contains the word “privacy,” is written in capital letters equal to or greater in size than the surrounding text, is written in a type, font or color that contrasts with the surrounding text of the same size, or is otherwise distinguishable from surrounding text on the home page.

What Needs to be in Your Privacy Policy

Generally, your privacy policy should cover:

  • What user personal data you collect;
  • How you use the personal data you collect;
  • What personal data you disclose and to whom you may disclose such data; and
  • How you collect and manage such personal data.

For personally identifiable information collected about California residents, Cal OPPA requires that privacy policies include the following:

  • A list of the categories of personal data that you collect.
  • A list of categories of third parties with whom you may share personal data.
  • A description of the process by which you notify consumers of material changes to the privacy policy.
  • The effective date of the policy, or any revised version.

Cal OPPA also requires the privacy policy disclose how you respond to “do not track” signals or other mechanisms that provide consumers with the ability to exercise choice regarding the collection of personal data about the individual’s online activities over time and across third party websites or online services (if your company engages in that collection) or to include a link in the privacy policy to a location that describes your company’s program or protocols.  

Collecting Personal Data from Children under 13 or Other Age Related Data

The Children’s Online Privacy Protection Act (“COPPA”) applies to companies that operate commercial websites and online services directed to children under 13 that collect, use or disclose personal data from children.  COPPA also applies to companies that operate general audience websites or online services who have actual knowledge that they are collecting, using or disclosing personal data from children under 13.  As a result, if you are collecting age related data (e.g., birth year, age, etc.), you will need to comply with COPPA,unless you take affirmative action to fall outside of COPPA.  The FTC has generated FAQs that provide guidance on the actions that general audience websites must take to avoid being required to implement COPPA protections.  These FAQs are available here.   In particular, you should review Section G, Question 3: “Can I block children under 13 from my general audience website or online service?”

Implementing Third Party APIs

If you are using APIs licensed by Facebook, Twitter, or other social networking services, you must comply with the Facebook Platform Policies, the Twitter Developer Rules of the Road and any similar rules for any other social networking service with which your website is connecting.  As of August 2014, Facebook and Twitter both require that (a) developers must display and comply with a privacy policy that clearly discloses what the developer is doing with personal data that it collects from users; (b) if the service supports cookies, the privacy policy must disclose that third parties may be placing and reading cookies on the systems of the developer’s users in the course of providing content to them; and (c) the privacy policy should also provide information about user options for cookie management and the “do not track” setting in supporting web browsers.  The Twitter rules also require that developers clearly disclose when they are adding location information to a user’s Tweets, whether as a geotag or annotations data.

Sharing Personal Data with Third Parties for Direct Marketing Purposes

California’s Shine the Light law, California Civil Code Section 1798.83, requires that businesses with 20+ employees that share personal data with third parties for the third parties’ direct marketing purposes must either: (a) provide customers, upon request, a list of the categories of personal data that was shared with third parties for direct marketing purposes during the preceding calendar year and the identity of the third parties with whom it was shared, or (b) inform customers of their right to either opt-in or opt-out of such information sharing.

Updating Your Privacy Policy

While Cal OPPA only requires your privacy policy to contain a description of the process by which your company notifies consumers of material changes to the privacy policy, you should be aware that the FTC Staff Report on Self-Regulatory Principles for Online Behavioral Advertising (2009) recommends that before a company can use previously collected data in a manner materially different from the promises that the company made at the time it collected the data, it should obtain affirmative express consent from affected users. If you wish to comply with these guidelines, any changes you make to the privacy policy that impact the way data is used should only apply prospectively unless you obtain the affirmative, opt-in consent of your users.

Getting Help with Drafting Your Privacy Policy

Cooley GO provides a basic privacy policy generator that is available here. You should contact an attorney if you have any questions, need a privacy policy more closely tailored to the needs of your company, or need a more complex privacy policy, such as a policy that complies with European Union Safe Harbor requirements.