Although financial institutions, health care providers, and websites directed to children are required to create consumer privacy policies under federal law, other types of websites are not. In 2003, California became the first state to impose a general requirement that most websites post a privacy policy. Under the California Online Privacy Protection Act (“CalOPPA”), all websites that collect personal information about state residents must post an online privacy policy if the information is collected for the purpose of providing goods or services for personal, family, or household purposes.[1] Since the passage of the CalOPPA, most websites that collect information – whether or not they are directed at California residents or are otherwise subject to the CalOPPA – have chosen to post an online privacy policy.

What to think about when drafting or reviewing a privacy policy:

  1. Is your organization subject to a federal law that requires that a privacy policy take a particular form, or include particular information?
  2. Does the privacy policy describe the main ways in which your organization collects information?
  3. Does the privacy policy describe the ways in which your organization shares information with third parties?
  4. Does the privacy policy discuss data security? If so, is the level of security indicated appropriate?
  5. Would the privacy policy interfere with a possible merger, acquisition, or sale of your organization’s assets?
  6. Would the privacy policy interfere with future ways in which your organization may want to monetize data?
  7. Does the privacy policy use terms that might be misunderstood or misinterpreted by a regulator or a plaintiff’s attorney?
  12. Does the privacy policy comply with the laws of each jurisdiction to which your organization is subject (e.g., CalOPPA)?
  9. Should the privacy policy only govern information collected via your organization’s website, or all information collected by your organization?
  10. Does the privacy policy appropriately disclose and discuss network marketing and behavioral advertising?
  11. Does the privacy policy need to discuss the tracking that your organization may conduct of its clients or website visitors?
  12. Could the privacy policy be understood by the average person?
  13. Can the privacy policy be easily viewed on a smartphone or a mobile device?
  14. Does the policy tell users how they can contact your organization with privacy-related questions or complaints?
  15. Does the policy discuss what information may be modified or changed by a user?

The following provides a snapshot of information concerning website privacy policies.

10 minutes

Average time it takes for a person to read a privacy policy.[2]

244 hours

The amount of time it would take a person to read the privacy policies of all the unique websites they visit in a year.[3]


The premium that study participants were willing to pay to purchase a $15 item from a website that proactively displayed strong privacy protections rather than from one with no privacy position.[4]