Let’s talk Privacy Policies and Terms of Use for a moment. Arguably the dullest two pages on your website, these are the ones that no one ever wants to read - like the wall of text that pops up every time you update your iPhone (and which you scroll through as fast as possible and click accept). There is considerable confusion as to why these are important, and whether they are even required. So, we want to address and explain them for all of you working on your websites.
Privacy law in general is in a somewhat confused state because the internet has no borders, yet each individual country (and state) has its own restrictions and requirements in place, many of which apply to website operators outside its boundaries. The lack of any overarching federal law regulating privacy in the US means that we have ended up with a patchwork of privacy laws, each with their own nuances, definitions, and penalties. Here are a few to be familiar with:
Personally Identifiable Information (PII)
The single most important term you need to become familiar with when setting up your own website to interact with users, customers, clients, etc. is “personally identifiable information,” or “PII” as it is usually shortened to. This special set of information is what most states’ and countries’ privacy laws concern themselves the most with. Different jurisdictions have different definitions for what they consider PII, but a good rule of thumb is that if you have collected a person’s name and another identifying piece of information about them (a driver’s license number, physical address, email address, etc.), you now have PII in your possession. When you collect PII, you are generally subject to the privacy laws of whatever state or country that person is a citizen of. This means that you need to consider the impact of these laws (or have counsel investigate the legal requirements) before you start collecting PII from citizens of a particular country.
Privacy Policies
Privacy Policies are essentially legally binding promises that you make concerning your practices for handling the personal information of your website’s users. Some states (California, for example) have laws that require website operators to post Privacy Policies on their website as soon as they begin collecting PII about citizens of that state. Failure to do so will result in unwanted attention from the Attorney General, the Federal Trade Commission (FTC), and possibly even private citizens.
So, how are Privacy Policies legally enforceable? When you post a Privacy Policy on your website, you are essentially making a bunch of promises and claims as to how you will handle PII. These promises include statements like “we will not sell users’ PII to third parties for use in marketing campaigns,” and “we will use strong encryption methods to store your social security number.” If you then go and break these promises by selling PII to marketers or storing SSNs in a word doc on your desktop, you have engaged in what the FTC deems a deceptive trade practice. The FTC and state Attorneys General can and will come down hard on companies that engage in this activity. Possible penalties include fines of up to $40,000 and imprisonment for up to 10 years, depending on how serious and intentional the violation was.
As your business grows, your data handling practices will usually change and evolve to reflect your needs and the needs of other stakeholders. Having an accurate and up-to-date Privacy Policy that clearly reflects your data and PII handling practices is one of the most significant risk-reducing tools you can have on your website.
Terms of Use
Terms of Use (or Terms of Service) are those things we all automatically click accept on without even blinking. This document or webpage defines the relationship between your company and the users of your company’s website. These Terms contain important legal protections for you, should a conflict ever arise based on some interaction a user had with your website. They also serve to protect the intellectual property (including source code) on your site that you put so much time and effort into creating. So, how are these Terms enforceable?
Courts have divided Terms of Use into two different types – browsewrap and clickwrap agreements.
- Browsewrap Agreements make the Terms of Use available via a link to a separate page on your website. Users are typically not required to click any box to agree to this type of agreement. In general, browsewrap agreements are not as clearly enforceable against users, except for minor, inconsequential issues. This is because the user is never actually alerted to the existence of the agreement before interacting with or purchasing something from your website. If you are selling anything on your website, you really should not be relying on browsewrap agreements.
- Clickwrap Agreements require the user to click a box acknowledging that they have read the Terms of Use (even if they haven’t). The enforceability of these agreements depends largely on the factors surrounding the user’s click. Was the Terms of Use hyperlinked in a tiny link somewhere below the check box or a “buy now” button? This would not likely be enforceable. On the other end of the spectrum – was the user required to scroll through the entire Terms of Use before they could check the box or hit a “buy now” button? This would likely be enforceable because you have given the user the opportunity, or forced them, to read the whole Terms.
Unlike Privacy Policies, Terms of Use are not legally required, but foregoing them creates significant risk for you and your company, particularly if you sell anything, or present any sort of information that users may rely on to their detriment (like nutrition/fitness tips, finance tips, travel advice, etc.). Additionally, simply pulling a Terms of Use off a competitor’s website creates the risk that users are agreeing to terms that they may have no problem with, but which could cripple your business if a user were ever to invoke them against you. Customized Terms of Use for your website are vitally important.
Collecting PII from foreign countries
As mentioned above, different countries have different requirements. As much as we would like to treat it as such, the internet is not one borderless realm where anything goes (at least not anymore). Depending on where you operate, or where you are collecting PII from, different sets of laws apply to your collection, handling, and storage of PII.
The European Union, in particular, creates significant compliance headaches for US companies collecting PII about EU citizens and transferring it back to servers in the US. Under EU Data Privacy Directives (and the upcoming General Data Protection Regulation), US companies are technically prohibited from transferring EU citizens’ PII to the US due to concerns about the US Government’s bulk data collection practices. In order to do so, US companies must certify, under a program called the EU-US Privacy Shield, that they provide the same adequate level of protection as is required under EU law. If you are collecting PII from non-US citizens, you should have counsel look into any specific requirements these countries may have.
The journey of running your own business, or even just your own website, is undoubtedly a complex one especially when it comes to legalities. We hope this breakdown helps it all feel more approachable and understandable!
Disclaimer: Although this article may be considered advertising under applicable law and ethical rules, the information in this article is presented for informational purposes only. Nothing herein should be taken as legal advice and this content does not form an attorney-client relationship. If you would like further information, Wilkinson Mazzeo would love to hear from you, so please feel free to reach out with any questions!
Photos by: Valerie Denise Photos