The United States remains one of the few developed countries without a central, comprehensive federal privacy and data security law. Accordingly, websites that collect information only from U.S. residents face some of the least demanding requirements with respect to disclosures and user rights. However, a number of U.S. states have data security and privacy laws that require websites collecting personal information to post a privacy notice. The Federal Trade Commission (FTC) has broad authority to regulate activities deemed “unfair or deceptive,” and it has used that authority to bring enforcement actions against companies that handle personal data inconsistently with the disclosures made in their privacy notices. As such, even if your organization collects only limited personal information on its website – and only from individuals in a limited U.S. geographic area – certain basic topics need to be accurately and completely disclosed in a publicly posted privacy notice.
Regardless of the nature of personal data collected and the geographic scope of your visitors, in our experience, these are the top five topics your organization needs to address in a privacy notice:
- Describe What Information You Collect, How You Collect it, and What You Do With it. At its most basic level, a privacy notice should clearly disclose to users what information about them you are collecting and how the information will be used. This is especially true if you are gathering personal data in a way the user may not be aware of or using personal data for a purpose the user may not expect.
- Identify Who You May Share Data With. Again, this disclosure is especially important if you share personal data with third parties a user may not anticipate or allow those parties to use the data in unexpected ways. For example, suppose you share information with third parties so they can market to your users. Disclosing this is important to avoid the claim that you are engaging in unfair or deceptive practices. Also, if your users discover that their data has been sold without their knowledge, their trust in your organization may erode.
- Provide a Reliable Way for Users to Contact You About Privacy or Data Security Concerns. Many states and countries supply individuals with some basic level of privacy rights (see #4 below), so you need to provide an easy and reliable mechanism for users to exercise those rights. Even short of enabling users to exercise their privacy rights, contact information demonstrates a level of transparency often valued by regulators.
- Right to Access, Correct and Delete Personal Information. While California is the only state that expressly requires website operators to provide these rights to its residents – and California privacy laws do not apply to every organization – an increasing number of states have pending legislation that would require web operators to provide some or all of these rights to their residents. Moreover, providing these rights to users is consistent with best practices. Website operators commonly provide these rights, and doing so is aligned with an organization’s own interest in maintaining accurate and relevant records.
- Ensure the Notice is Accurate and Complete. The purpose of a privacy notice is to describe how your organization
Your Specific Practices May Trigger Additional Requirements for Your Policy
The list above reflects only the most basic, universal topics a privacy notice should cover. Depending on the nature and scope of the personal data your organization collects, additional disclosures about cookies, your organization’s security measures, data retention periods, and/or cross-border data transfers may be required. Also, depending on where your data subjects are located, you may have to provide more information about the rights available to residents of particular countries or states.
Because data security and privacy practices vary so widely, there is no “one size fits all” privacy notice, though there are common topics that all or most privacy notices will share. Additionally, the set of domestic and foreign privacy laws one organization must comply with may look completely different from the set applicable to another. Our team can work with you to craft a privacy notice that meets your business needs and compliance obligations while clearly communicating your commitment to your users’ privacy rights.