Company Websites and the Need for Online Privacy Statements

By:  Steven J. Olsen, J.D.

Businesses today understand that maintaining a company website is a vital element of a fully integrated marketing portfolio. A business website can vary in complexity depending on the interests and purposes it is created and maintained to serve. Some websites are purely informative and operate as a page for sharing information from the business. Others permit users of the website to engage in one-way communication to the company or to log in to secure private accounts. Some even permit two-way communication between the company and website users. A company may, under any of the above formats, collect information from the users of its website.

Information collected by websites ranges from data intentionally and voluntarily provided by the user to the business (e.g., completed submission forms or two-way communications) to information collected by the business without user knowledge (e.g., cookies, web logs, or web beacons). Businesses that do not engage in any form of collecting information from users of their website are not required to have a privacy statement on their website. All other businesses should develop a privacy statement that can be conspicuously placed (often through a hyperlink at the bottom of the homepage) on the company website.

California passed legislation requiring companies to have a privacy policy on their websites. The California legislation prevents a company from obtaining information from a California resident without having a published privacy policy. The internet is global, and a company cannot preclude residents of California from viewing the company website or from submitting information to the company through the website. As such, the best approach is to develop a privacy policy that conforms to the requirements of the California statute.

Under the California statute, the minimum requirements for a privacy policy include:  (1) identifying the information collected by or through the website; (2) describing how the company intends to use the obtained or collected information and with whom the company intends to share such information; (3) describing the process, if any, by which an individual may review and request changes to personally identifiable information collected by the company; (4) describing the method by which the firm will notify users of the website of any material changes to the privacy policy; and (5) identifying the policy’s effective date.  A privacy policy should also, pursuant to federal law, include a children’s privacy section that establishes the company’s policy regarding data collection, if any, from children under the age of 13 in compliance with the Children’s Online Privacy Protection Act of 1998.

A privacy policy should be tailored to the actions and intentions of the particular business.  Privacy policies are legally binding documents.  Accordingly, a business that collects any data from a user of its website should develop a tailored privacy statement that accurately reflects the policy of the company.

Disclaimer: These materials are for informational purposes only and should not be construed as legal advice on any specific facts or circumstances. We recommend you consult a lawyer if you want professional assurance that your interpretation of these materials is appropriate to your particular situation.

© Yoder Ainlay Ulmer & Buckingham, LLP [March 2013]