This week the Federal Trade Commission announced a settlement of its action against Facebook over privacy practices. (You can read the FTC's press release here.) The alleged misconduct by Facebook included failing to adhere to its own privacy policies as disclosed on its website. This presents an opportunity to address some important--but often overlooked--facts about website privacy law that all businesses should be aware of if they maintain a website:
2. Companies sometimes make assurances in their website privacy statements that they fail to put into practice. This is particularly unfortunate when the companies create avoidable risk by establishing privacy standards that are more strict than those required by law. This can happen when a company (or its website designer) simply mimics another company's privacy statement without first understanding all of the considerations that may have gone into that other company's statement. There is no "standard" policy that will suit all companies.
3. The Federal Trade Commission Act and the FTC's rules govern website privacy policies, and care should be taken to comply with their requirements, which are more complex than many realize.
4. A few states have their own website privacy rules, and California's are the most rigorous. If your company's website can reasonably be understood to be directed at California residents (including websites directed at U.S. audiences generally), it will need to comply with California's unique rules.
5. Websites that facilitate transactions may have additional financial privacy protection obligations and disclosure requirements under financial privacy laws, particularly if credit is extended for online transactions.
6. Websites directed at children (in whole or in part) are subject to additional restrictions and requirements under the Children's Online Privacy Protection Act. If your webpage has a "kids" section, you need to have a COPPA disclosure and policies and procedures to comply with the COPPA rules.
8. Websites that solicit consumers' electronic agreement, whether to a transaction or another policy, should take care to observe the requirements of the federal E-Sign Act and the versions of the Uniform Electronic Transactions Act adopted by the states to which the site is directed. These laws impose requirements on electronic signatures, records and notices, and include often-overlooked consumer protection provisions. I have personally seen many instances of websites that attempt to comply with these laws but come up short.
Website privacy is gaining increasing attention from governmental entities, consumer groups and plaintiffs' class action attorneys, and I foresee it as an emerging source of risk for many businesses. Having advised local, national and international businesses on website privacy issues, I believe most of that risk is avoidable if care is taken to observe the patchwork of applicable legal requirements.