In this day and age of data breaches and heightened privacy concerns, enforcement officials are aggressively targeting businesses that aren’t complying with the growing body of privacy-related laws in the United States and elsewhere.  Below are a few practical pointers to consider as you assess the sufficiency of your web site’s privacy policy.

Post a Privacy Policy

Even though it is 2015, I come across countless web sites that still do not have posted privacy policies describing how personal and other information from users is collected and used.  This is a significant problem since most commercial web sites are legally required to post a privacy policy.  For example, California law requires commercial website operators that collect consumers’ personal information online to post a privacy policy with some relatively straightforward information (e.g., the types of personal information collected, the categories of third parties with which the operator may share the information, etc.).

Don’t “Cut and Paste” Someone Else’s Privacy Policy

Even if you post a privacy policy, you must be sure that it accurately describes your privacy practices—and is not simply a policy that you copied from someone else.  A privacy policy sets forth promises that your business is making to users of your site.  Did you promise that you would only share personal information with marketing partners if the user opted in to such use?  Are you keeping this promise?  Are you telling users that you don’t collect any information about them, while failing to mention that you are using “cookies” to track their behavior online?  The Federal Trade Commission (“FTC”) can and does initiate enforcement actions to make sure that businesses uphold these types of promises (and others).  For example, the FTC can charge businesses with violating Section 5 of the FTC Act, which bars unfair and deceptive practices.

“Audit” Your Own Privacy Policy

Sit down with your marketing, legal, and IT staff and go through your privacy policy to make sure that it accurately reflects your current procedures and policies.  A policy that was drafted eight years ago may not accurately describe your current practices or comply with applicable laws.  A self-audit now—before an enforcement agency decides to conduct its own “audit”—can identify potential issues that you can, hopefully, remedy.

New Legal Requirements Regarding Behavioral Advertising

In response to concerns about behavioral advertising (where businesses use “cookies” and other tracking technologies to monitor a user’s visit to a site or elsewhere on the Internet), California amended its online privacy law in 2013.  The amended California law requires a website privacy notice to disclose how the site responds to “Do Not Track” signals from web browsers (where “Do Not Track” signals are a means by which to turn off at least some tracking technologies).  To be clear, the amended law does not prohibit behavioral advertising; it simply requires an operator to disclose a specific practice related to such advertising.  Indeed, a simple statement added to a privacy policy that the web site “does not currently recognize automated browser signals regarding tracking mechanisms, which may include ‘do not track’ instructions” may go a long way toward satisfying this requirement.

Be Careful in the EU

European Union (EU) countries are extremely protective when it comes to data privacy and, therefore, US companies doing business in the EU must be extra careful if they collect online personal information from persons in the EU.  However, there is a method for US companies to transfer personal data outside the European Union in a way that is consistent with the EU requirements.  Specifically, a US company can self-certify to the US Department of Commerce that it complies with EU standards.  Indeed, many businesses include a statement in their privacy policies making this claim.  However, the FTC has aggressively gone after companies that claimed to be certified under the US-EU Safe Harbor Framework (or the US-Swiss Safe Harbor Framework) but were not actually certified.  For example, on May 29, 2015, the FTC announced that it had approved Final Orders resolving the FTC’s complaints against TES Franchising, LLC and American International Mailing, Inc., which had continued to claim Safe Harbor certification when, in fact, their certifications had lapsed years earlier.