Practically all websites you visit have a privacy policy. Prior to launching a website, you may wonder whether you need a privacy policy, too. It is extremely likely that you do. You may have also considered whether you can simply copy a competitor’s privacy policy and focus on more important things. Short answer: That is probably not a good idea.
What is a privacy policy and why do I need one?
A privacy policy is a statement that discloses the ways in which your website and its affiliates collect, use, disclose and manage user personal information. In other words, if your website does that, you should have a privacy policy. Personal information is anything that can be used to identify an individual, including first and last name, physical address, email address, date of birth, phone number, etc.
What should your privacy policy say?
The U.S. Federal Trade Commission’s Fair Information Practice Principles set forth widely accepted principles concerning fair information practices and identify five core principles of privacy protection: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. Based on these principles, a privacy policy should identify the following:
- the entity collecting the data;
- the uses to which the data will be put (both internal and external uses);
- any potential recipients of the data;
- the nature of the data collected and the means by which it is collected if that is not obvious (passively, by means of electronic monitoring, or actively, by asking the user to provide the information);
- whether provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information; and
- the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.
The privacy policy should give users options to control how the personal information collected from them is used. Specifically, they should be given choices relating to secondary uses of information beyond the immediate needs of the collector to complete the transaction. Secondary uses can include external ones, such as transfer to third-party advertisers, or internal ones, such as marketing for additional products or promotions. Typically, the choice models are opt-in or opt-out. Opt-in requires affirmative steps by the user to allow the website to collect and/or use the information. Opt-out requires affirmative steps to prevent the collection and/or use of the information. The choice does not have to be binary. The website can allow the user to tailor the use of information collected to his or her preferences by checking boxes to grant or deny permission for specific purposes rather than using an all-or-nothing approach.
The privacy policy should also give the user some ability to access data about himself or herself and a means for such user to contest that data’s accuracy and completeness. Measures taken by the website to ensure data integrity and data security should also be disclosed.
In addition to containing the information listed above, the privacy policy must, in order to be effective, be clear and conspicuous, posted on the website in a prominent location, and readily accessible from both the website’s home page and any web page where information is collected.
Why can’t I copy a competitor’s privacy policy?
It is not enough to simply have a posted privacy policy. You must be in compliance with your stated privacy policy under federal and state laws aimed at protecting consumer privacy. Therefore, your privacy policy should be custom-tailored to how your website operates and updated whenever necessary. Depending on what type of data you collect, such as financial or medical data or data collected from children, you may have to comply with additional laws. Where the user is located and where the data is stored and/or used may also mean that you will have to comply with additional state laws and even with laws of foreign countries.