Welcome to Internet Law Radio. My name is Attorney Enrico Schaefer. I specialize in internet law. Other attorneys and I at Traverse Legal understand technology, the internet, the web and we specialize in internet law issues. Today, we’re going to be talking about privacy policies. Every website needs a privacy policy, and we draft a lot of privacy policies for clients who are launching new websites or looking to audit their current website or upgrade their website in some way.
Now, a lot of folks out there will simply go and cut and paste a third party privacy policy and put it onto their own website. Well, this is a relatively common occurrence, it is really desolution to what could be a serious problem. In order to effectively draft a privacy policy for your website, the first thing an internet law attorney is going to need to do is understand your business model. There are a lot of variables that go into a well drafted privacy policy. Let me just give you some examples so you can understand the types of issues that need to be addressed in your policy for your website.
The first thing you need to understand is that a privacy policy is driven in several parts. The first is that many states and federal governments, the United States, the UK, etc., have specific privacy requirements that you must comply with. So, drafting an effective policy is a compliance issue first and foremost.
The third thing you need to understand is that privacy policies are also about customer relations. The last thing that you or your company needs is some sort of outrage on the internet, a negative blog post attack on your company’s reputation, potentially defamatory statements about you and the company because you did something with a customer’s information that was not captured in the privacy policy or not made clear, and now you have a very disgruntled customer on your hands.
So, the first thing that we try and do is understand a little bit about your business model, and take a look at, for instance, how many transactions are you receiving through your website. What are the security standards that you’re going to have in place in terms of capturing data? That is to say, are you going to have SSL encryption on your website? Is there some sort of vulnerability to attack in order to gain data from your backend database or from your website by third parties?
The other thing that you need to understand is that if you’re going to use third party services, oftentimes, they’ll have some built-in policies and guidelines which you can incorporate into your model. But, depending on your business model, you may or may not have to do certain things. So, if you are going to collect ratings or reviews posted by your customers, it will require some very specific privacy policy type information in your online policy.
The other factor is customer support. What kind of customer support system are you going to have in place, because that’s going to be a point where customers are going to input information, potentially into your website, and then the question becomes, what happens to that information? So, do you have a support ticket system or a phone number, support email, live chat? These are the types of questions that you’re going to want to understand in order to effectively draft. Do you already have a terms of service agreement or terms of use agreement that you can link to?
The other set of information that we’ll often take a look at is, obviously, what kind of information are you collecting from visitors to your website that will need to be specifically addressed in your privacy agreement? Are people going to register on your website? Are they going to be placing orders on your website? Subscribing to a newsletter? Responding to a survey? Filling out a form? What kind of information needs to be addressed in the privacy policy? Very important to understand what information is being input into your website.
If you’re going to have some sort of user entry of personal information, what is that information? Name, email address, mailing address, phone number? Are you going to be collecting credit card information or social security numbers? Special regulations apply if you are getting into that type of information.
The other big issue that you’ll have to address is know, what now, what information you’ve collected, how do you plan on using that information? Are you going to be using it to process transactions? Are you going to be using it to send emails? Are you going to be doing promotions? Are you going to be just simply using it internally on your website to improve the site experience? A well drafted privacy policy will know exactly what the client intends to do with the information and incorporate that into the privacy policy to make it clear what you’re going to use the information for, and to obtain the web visitor or customer’s consent. That’s what privacy policies are all about. They’re about getting consent from your website visitors and customers.
Now, the next thing you need to ask yourself is, how do you plan on protecting the information that is gathered from your website? Are you going to protect it with encryption? Are you going to use payment gateways? Are you going to keep it in a company database, and if so, where is that database server going to be located? And what kind of security goes into that? Are you going to keep the data for one day? Thirty days? Several years? These are the types of things that you can spell out very clearly in a privacy policy.
Another big issue which you need to take a look at is cookies. Are you going to be using cookies? If so, you want your privacy policy to address what those cookies are doing to get consent, and to make sure that consumers are aware of what type of information the cookie is, in fact, capturing. A lot of websites have a lot of cookies these days and they’re fairly standard, but you need to understand what’s going on in your backend.
The other thing that you need to say to the consumer or the website visitors is whether or not you’re going to be disclosing information to outside parties, to third parties. So, are you going to be using the information just for yourself or are you going to be providing it to third parties, and who are those third parties, known or unknown? The privacy policy must address who is going to have access to the data you collect from website visitors or from customers.
Now, several states have some very special rules concerning privacy protection. In fact, California has an Online Privacy Protection Act. If that’s the case, you need to comply with California’s Online Privacy Protection Act, and in order to know whether or not you need to comply with it, you have to ask yourself if you operate a commercial website that collects personally identifiable information from consumers residing in California, and that’s just about everyone today, right? So, you need to do that.
One last point about privacy policies. There is a statute called COPPA, Children’s Online Privacy Protection Act, and if you are, in fact, operating a website that is directed at children under 13, then there’s a whole series of regulations and statutes that you need to comply with there.
These are some of the general issues you need to worry about in drafting your privacy policy or online privacy agreement. Contact an internet law attorney in order to have your policy custom tailored to your business model. An internet lawyer is the only type of lawyer who’s going to really understand how to draft a privacy policy to best protect your business, ensure privacy compliance and improve and enhance your consumer experience while protecting your reputation.
This is Enrico Schaefer for Internet Law Radio, that’s all for today.