Bringing Your Business Online: Privacy Policy

Partridge Snow & Hahn LLP

The current COVID-19 pandemic has forced many businesses online in order to survive. In many cases, businesses had no plans to be online. Others were forced to move online more quickly than planned. In order to assist these businesses, we are preparing a series of articles discussing some of the more important legal issues to address when moving your business online. In Article 1: Website Terms, we discussed online terms and conditions to protect your business.

Article 2: Privacy Policy

The next element to consider is a privacy policy. A privacy policy is a document that discloses:

  • What personal information the business collects from individuals online;
  • How the personal information is collected;
  • How the business uses the personal information;
  • How and to whom the business discloses the personal information;
  • How the business manages and stores the personal information that it collects; and
  • How the individuals can correct the personal information.

The definitions of “personal information” vary, but generally the term covers anything that can be used to identify an individual or access his or her financial accounts. Examples include an individual’s name, address, date of birth, marital status, credit card information, bank account information, and health information. Businesses that do not collect any personal information, or that only collect information from other businesses and not from individuals, probably do not need a privacy policy.

The most important thing about a privacy policy is that it reflects the business’s actual practices. The Federal Trade Commission and state attorneys general have brought enforcement actions and imposed fines and monitoring orders against businesses that have not followed established privacy policies. This also means that the policy needs to be updated whenever the business’s collection, usage and disclosure practices change over time.

There is no one law that governs privacy policies or that prescribes what to include. Federal laws impose specific requirements for businesses in the health care and financial services industries and for businesses that collect personal information about children. A few states also have laws requiring privacy policies if a business collects personal information from residents in those states. If a business is targeting residents of the European Union (EU), then the requirements of the EU’s General Data Protection Regulation (GDPR) also apply. Certain popular Internet tools, such as Google Analytics and Facebook Lead Ads, also require privacy policies.

It is tempting to just copy a privacy policy from another website, especially when you are rushed for time. However, there is danger in doing this, as the other company’s privacy policy may not address laws that apply to your business. Even worse, the other company’s information collection, usage, security and sharing policies are probably different from those of your business. You expose your business to unnecessary liability because you will not be following “your” privacy policy. It is much safer to construct your own agreement tailored to your business.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Partridge Snow & Hahn LLP | Attorney Advertising
