A privacy policy, also known as an information management policy, is an agreement between a website operator and a website user that determines how the operator intends to use, collect, store, share, and protect the data that the user shares through interactions with the website. Even a little more than a decade ago, some commercial websites did not have privacy policies, but now, virtually all websites have one. These policies, which should be separate from the website's terms of use agreement, are a necessity for several different reasons.

The Policy Can Foster Transparency and Trust between Operators and Users

In connection with privacy policies, website users usually want to know two things: what information the website collects and how that information is used. Best business practices dictate that website operators let users know the answers to those two questions and let them know how to control that use.

Some websites inform users that they simply collect information for their own use, and other websites disclose that they provide that information to third parties under certain circumstances. eBay's privacy policy, for instance, tells users that it does not "disclose your personal information to third parties for their marketing and advertising purposes" without the user's explicit consent. The policy says eBay may share personal information to third parties when it is necessary to prevent fraud or use the eBay website's core functions. The extended version of eBay's reader-friendly policy could be improved by specifically informing users at what points of service the information is collected and how it is shared at each point.

A website should also update users whenever the privacy policy changes. It should let the users know when the new policy will go into effect, and it may allow users to agree to the changes, explicitly through a dialogue box or implicitly through continued use of the website.

The Policy Can Help Shield You from Legal Liability

Although there is no general federal law outlining privacy policy requirements for websites that collect information from adults, several state laws and minor-specific federal laws exist. For instance, the California Online Privacy Protection Act of 2003 (OPPA) requires that website privacy policies must contain certain information, including: "personally identifying information collected, the categories of parties with whom this personally identifying information may be shared, and the process for notifying users of material changes to the applicable privacy policy." The Children's Online Privacy Protection Act (COPPA) requires operators to maintain a privacy policy if the website is directed to children under the age of 13 or knowingly collects information from children under the age of 13.

About the Firm:

Klemchuk LLP is a litigation, intellectual property, transactional, and international business law firm dedicated to protecting innovation. The firm provides tailored legal solutions to industries including software, technology, retail, real estate, consumer goods, ecommerce, telecommunications, restaurant, energy, media, and professional services. The firm focuses on serving mid-market companies seeking long-term, value-added relationships with a law firm. Learn more about experiencing law practiced differently and our local counsel practice.

The firm publishes Intellectual Property Trends (latest developments in IP law), Conversations with Innovators (interviews with thought leaders), Leaders in Law (insights from law leaders), Culture Counts (thoughts on law firm culture and business), and Legal Insights (in-depth analysis of IP, litigation, and transactional law).