{"id":387,"date":"2016-12-13T12:09:22","date_gmt":"2016-12-13T18:09:22","guid":{"rendered":"http:\/\/ericlambert.net\/blog\/?p=387"},"modified":"2016-12-13T12:09:22","modified_gmt":"2016-12-13T18:09:22","slug":"website-app-legal-disclosures-saying-enough-much","status":"publish","type":"post","link":"https:\/\/ericlambert.net\/blog\/2016\/12\/13\/website-app-legal-disclosures-saying-enough-much\/","title":{"rendered":"Are Your Website and App Legal Disclosures Saying Enough (Or Too Much)?"},"content":{"rendered":"<p>Almost every business has\u00a0an online presence of some form.\u00a0Many have a website which serves as anything from an\u00a0online company brochure to a fully-featured online store or customer\/vendor\/user portal. Some have apps available through Google Play Store, the Apple App Store, or other app stores.\u00a0A number of companies\u00a0spend significant sums on their websites and apps to design robust\u00a0features and content delivered through\u00a0a compelling\u00a0user experience.\u00a0But if there&#8217;s one place website and app operators\u00a0miss the mark, it&#8217;s ensuring the right legal disclosures are in place, and that the ones that are in place are saying the right things.<\/p>\n<p>When most people think of a website or app disclosure, they think of a privacy policy and terms of use.\u00a0These are definitely important.\u00a0However, there are a number of other disclosures required or recommended under federal and state law that companies should consider\u00a0to manage risk and avoid potentially distracting and costly litigation.\u00a0\u00a0At the same time, saying <em>too much<\/em> in disclosures such as your privacy policy can expose your company to unnecessary risk.<\/p>\n<p>There are four\u00a0core\u00a0rules\u00a0that should apply to all website disclosures:<\/p>\n<ol>\n<li><strong>Write them in plain English.<\/strong><\/li>\n<li><strong>Avoid using\u00a0undefined technical jargon and using marketing 
bluster.<\/strong><\/li>\n<li><strong>Make them easy to understand and use.<\/strong><\/li>\n<li><strong>Make them 100% accurate and truthful.<\/strong><\/li>\n<\/ol>\n<p>Consider having your company&#8217;s\u00a0User Experience group\u00a0review your disclosures and policies\u00a0to ensure they are\u00a0as easy to read and navigate\u00a0as possible. Consider using design elements such as progressive reduction and progressive disclosure (you can see my <a href=\"http:\/\/ericlambert.net\/blog\/progressive-reduction-progressive-disclosure-legal-disclosures-incompatible\/\" target=\"_blank\" rel=\"noopener nofollow\">earlier blog post on this topic\u00a0by clicking here<\/a>.)\u00a0The goal is to ensure\u00a0consumers easily understand your disclosures.\u00a0If you ever have an issue with a term or provision in your disclosures, being able to argue that\u00a0the content and design were\u00a0optimized for easy reading and navigation\u00a0can pay dividends.<\/p>\n<p>Here are some website and app disclosures to consider:<\/p>\n<ul>\n<li><strong>The Privacy Policy.\u00a0<\/strong>States such as California have\u00a0laws requiring companies to have an online privacy policy.\u00a0Since almost every\u00a0website is\u00a0accessed by users in California,\u00a0it&#8217;s safe to say <strong>you are legally required by state law to have a privacy policy<\/strong>. 
Companies in certain industries or sectors such as in the healthcare sector (HIPAA) and financial sector (Gramm-Leach-Bliley) have specific requirements for their privacy policies.\u00a0A privacy policy is\u00a0also required by law in some states on an information category basis, such as Connecticut&#8217;s requirement that anyone collecting Social Security Numbers have a publicly displayed privacy policy with certain required disclosures.\u00a0Certain laws also\u00a0mandate that you cover certain topics in your privacy policy (e.g., California&#8217;s requirement to disclose how\u00a0you handle &#8220;do-not-track&#8221; headers, and California&#8217;s requirement to provide information on how minors who are your registered website users can request that you remove their personal information).\u00a0Don&#8217;t forget that your privacy policy needs to\u00a0apply to, and be displayed on, your company&#8217;s apps as well.\n<p>A company&#8217;s privacy policy obligations can be summarized simply: <strong>say what you do, and do what you say.<\/strong>\u00a0&#8220;<em>Say what you do<\/em>&#8221; means ensure your privacy policy fully describes how you collect, use, and share information (both personally identifiable information, such as your name and address,\u00a0and non-personally identifiable information such as behavioral data) collected from or about your customers.\u00a0&#8220;<em>Do what you say<\/em>&#8221; means ensuring your day-to-day business activities with respect to information collected from consumers fall within the boundaries of what you say you do in your privacy policy.\u00a0Two important rules to follow\u00a0are, <strong>(1) if you want to change how you collect, use or share information from consumers, make sure your privacy policy allows it first, and give prior\u00a0notice to website users that your privacy policy is changing<\/strong>; and <strong>(2) if you want to change how you use information you&#8217;ve already collected from 
consumers, you&#8217;ll need permission from the consumers first<\/strong>.\u00a0Always include an effective date on your privacy policy (again, a state law requirement).<\/p>\n<p>Look for a more detailed post on\u00a0privacy policies coming soon.<\/li>\n<li><strong>Terms of Use\/Terms of Service.<\/strong>\u00a0Your terms of use (sometimes also referred to as &#8220;terms of service&#8221;) should describe the rights and obligations applicable to both your company&#8217;s website\/app\/online service users and to your company itself with respect to the operation and\/or use of an online\u00a0website, app, and\/or online service.\u00a0It should cover topics such as ownership of the website and company-provided content on it (including your copyrights, trademarks and licensed trademarks), and associated restrictions (e.g., no screen scraping website content); disclaimers of third party content, such as third party ad networks on your site, and language to prevent\u00a0use of your\u00a0company&#8217;s trademarks or other content to\u00a0create the\u00a0appearance of sponsorship by or affiliation with a third party;\u00a0whether or not you collect information from children under 13 (if you do, ensure you are complying with the Children&#8217;s Online Privacy Protection Act or &#8220;COPPA&#8221;); an obligation to report lost or stolen passwords and change passwords regularly;\u00a0what you can do with user-generated content uploaded or shared to the website (e.g., a broad right and license to use it), and related terms (e.g., it&#8217;s provided royalty-free and with no license costs, that it doesn&#8217;t infringe anyone else&#8217;s rights, etc.); a feedback provision if users may\u00a0provide feedback or comments; links to third party content; and important legal terms such as jurisdiction, choice of law, indemnification, and the like.\u00a0Many website operators include an acceptable use policy as part of their Terms of Use\/Terms of Service; some have a separate 
policy on their website.<\/li>\n<li><strong>DMCA Notice.<\/strong>\u00a0If your website collects, displays, or otherwise uses or shares\u00a0user-generated content, consider a copyright notice (also called a &#8220;DMCA notice&#8221;).\u00a0The Digital Millennium Copyright Act creates a &#8220;safe harbor&#8221; from copyright infringement for website operators who honor takedown requests and display on their website information for their designated &#8220;copyright agent&#8221; to which takedown requests can be sent.\u00a0There&#8217;s more to the statute than that, so if you need a DMCA notice please review one of the multitude of articles out there on crafting a proper DMCA notice.\u00a0Don&#8217;t forget that you need to register your designated copyright agent with the US Copyright Office by filing a &#8220;Designation of Copyright Agent&#8221; form.<\/li>\n<li><strong>California &#8220;Shine the Light&#8221; Notice.<\/strong>\u00a0In 2005, California enacted the &#8220;Shine the Light&#8221; law as part of its Consumer Records Act.\u00a0The law requires businesses to provide disclosures to California consumers of the types of\u00a0customer information they share with third parties for the third party&#8217;s direct marketing purposes during the immediately preceding calendar year.\u00a0If your business shares collected personal information with third parties for the third party&#8217;s direct marketing purposes and does business in California, with a few exceptions this law applies to you.\u00a0Businesses are required to\u00a0let customers know how to submit requests for this information.\u00a0While there are a few options, the simplest for most businesses is to include a link on the company&#8217;s homepage to &#8220;<strong>Your California Privacy Rights<\/strong>&#8221; or &#8220;<strong>Your Privacy Rights<\/strong>&#8221; to a page describing customers&#8217; rights under the &#8220;Shine the Light&#8221; law and the email\/physical address to which 
requests should be sent.\u00a0There has been an uptick in class action litigation recently against companies\u00a0which do not have a &#8220;Shine the Light&#8221; disclosure on their website.<\/li>\n<li><strong>Terms of Sale.<\/strong>\u00a0If you sell products through your website, consider using a Terms of Sale to govern the sales transaction.\u00a0Terms of Sale typically include provisions such as placing an order; when it is accepted by the company; delivery and fulfillment terms; the return\/cancellation policy; information on prices (e.g., subject to change without notice, not\u00a0required to honor incorrect pricing); license rights to software; etc.<\/li>\n<li><strong>Warranties.<\/strong>\u00a0One policy you may want to consider adding to your website is product warranties.\u00a0Last year Congress passed, and President Obama signed, the E-Warranty Act of 2015.\u00a0This law amended the 1975 Magnuson-Moss Warranty Act to allow companies to put their warranties online instead of including them on or in product packaging.\u00a0The product documentation or packaging would need to include a link to the online warranty, instead of the warranty terms themselves.\u00a0Companies that\u00a0sell products that come with warranties\u00a0should consider reviewing and taking advantage of the E-Warranty Act.<\/li>\n<li><strong>Supply Chains Notice.\u00a0<\/strong>In 2010, California enacted the Transparency in Supply Chains Act.\u00a0The law requires large retailers doing business in California (over $100 million in annual revenue identifying itself as a retail seller or manufacturer on their CA tax return)\u00a0to post disclosures on their websites on their &#8220;efforts to eradicate slavery and human trafficking from their [direct] supply chain for tangible goods offered for sale&#8221;\u00a0in\u00a0five specific areas: verification, audits, certification, internal accountability, and training. 
It requires the disclosures be accessible through the company&#8217;s homepage via a &#8220;conspicuous and easily understood&#8221; link.<\/li>\n<li><strong>Be careful your disclosures aren&#8217;t saying too much.<\/strong>\u00a0While having the right disclosures for your websites and apps is important, avoid saying too much.\u00a0Remember, when it comes to disclosures, what you say can hurt you.\u00a0Website disclosures are not the place for marketing puffery.\u00a0If you make a statement such as &#8220;100% guaranteed,&#8221; &#8220;we encrypt all data,&#8221; or &#8220;we use best-in-the-industry [whatever],&#8221; and it turns out to be false or inaccurate, you can expect state AGs and the FTC (and class action counsel) may come knocking. Generally,\u00a0one of the roles of the\u00a0Federal Trade Commission is to ensure that companies are\u00a0not engaging in unfair or deceptive trade practices.\u00a0This extends to ensuring that companies are making accurate and truthful disclosures on their websites. 
Some states, such as Pennsylvania, have expressly included false and misleading privacy policy statements as a\u00a0deceptive or fraudulent business practice.<\/li>\n<li>At the extreme end of this, consider what has been happening in New Jersey.\u00a0Class action counsel\u00a0have been using an extremely broad interpretation of NJ&#8217;s largely-ignored-until-recently Truth in Consumer Contract, Warranty and Notice Act to go after companies operating business-to-consumer (B2C) websites.\u00a0The law prohibits sellers from\u00a0providing notices, terms, or contracts with provisions that violate &#8220;any clearly established legal right of a consumer or responsibility of a seller&#8221; under federal or state law (whether or not the consumer is happy with the purchase).\u00a0Class action counsel are bringing suit under this statute stating\u00a0that just displaying a website notice with a general limitation of liability, broad disclaimers of\u00a0warranty, statements that certain terms such as warranty disclaimers may not apply to particular consumers without specifying whether NJ consumers are affected, or other limitations on a consumer&#8217;s rights is a violation of the statute.\u00a0Most of these cases are settling before trial, but like other nuisance lawsuits\u00a0they can end up costing your business considerable time and lost productivity if you end up facing one.<\/li>\n<\/ul>\n<p>Most companies place their website disclosures at the bottom of the page in a footer.\u00a0Do not bury them or make them hard to find.\u00a0\u00a0Your policies should be accessible through no more than 2-3 clicks via a logical navigation path.\u00a0While putting your disclosures in the footer\u00a0makes sense and is very common, consumers may argue that they simply never saw the disclosures because they never scrolled down to the bottom.\u00a0Consider also making\u00a0website disclosures &#8220;<strong>contextual<\/strong>,&#8221; i.e., place policy and disclosure\u00a0links in 
close proximity to the related usage.\u00a0For example,\u00a0on pages where you are actively collecting information, consider putting a link to the privacy policy right next to the &#8220;submit&#8221; button, or before a consumer places an order on your e-commerce website, add language\u00a0verifying they have read and agree to your terms of sale and privacy policy.\u00a0Consider\u00a0providing a welcome message, with notice of your\u00a0privacy policy and terms of use, to\u00a0consumers visiting your website as a disappearing pop-up, e.g., one that\u00a0appears for 3-4 seconds at the top of the webpage then fades out, similar to &#8220;cookie disclosures&#8221; on many EU-based websites.<\/p>\n<p>Finally, consider working with IT to create simple shortcuts for your most common policies (e.g., &#8220;privacy.company.com&#8221; or &#8220;www.company.com\/privacy&#8221; for your privacy policy) so you have a short and simple URL you can\u00a0use where you need to direct consumers to your online disclosures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Almost every business has\u00a0an online presence of some form.\u00a0Many have a website which serves as anything from an\u00a0online company brochure to a fully-featured online store or customer\/vendor\/user portal. 
Some have apps available through Google Play Store, the Apple App Store, &hellip; <a href=\"https:\/\/ericlambert.net\/blog\/2016\/12\/13\/website-app-legal-disclosures-saying-enough-much\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,4],"tags":[74,79,142,167,179,180],"class_list":["post-387","post","type-post","status-publish","format-standard","hentry","category-compliance","category-legal","tag-disclosures","tag-dmca","tag-privacy-policy","tag-shine-the-light","tag-terms-of-sale","tag-terms-of-use"],"_links":{"self":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/comments?post=387"}],"version-history":[{"count":0,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/387\/revisions"}],"wp:attachment":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/media?parent=387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/categories?post=387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/tags?post=387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}