Website Privacy Policies

BCLP

Although financial institutions, health care providers, and websites directed to children are required to create consumer privacy policies under federal law, other types of websites are not.  In 2003 California became the first state to impose a general requirement that most websites post a privacy policy.

Under the California Online Privacy Protection Act (“CalOPPA”), all websites that collect personal information about state residents must post an online privacy policy if the information is collected for the purpose of providing goods or services for personal, family, or household use.[1] Since the passage of CalOPPA, most websites that collect information – whether or not they are directed at California residents or are otherwise subject to CalOPPA – have chosen to post an online privacy policy. Recently, California’s Attorney General announced the release of a new form that allows consumers to report potential violations of CalOPPA online. This online reporting tool will increase California’s ability to identify and notify entities in violation of CalOPPA.

On January 1, 2016, Delaware followed suit by enacting the Delaware Online Privacy and Protection Act (“DOPPA”). Similar to CalOPPA, DOPPA requires that website and app operators that collect personally identifiable information of Delaware residents conspicuously post a comprehensive privacy policy and conform to other privacy-related requirements.[2]

3: Number of states that require operators of websites that collect PII to disclose a privacy policy.[3]

10 minutes: Average time it takes for a person to read a privacy policy.[4]

244 hours: The amount of time it would take a person to read the privacy policies of all the unique websites they visit in a year.[5]

$0.59: The premium that study participants were willing to pay to purchase a $15 item from a website that proactively displayed strong privacy protections rather than from one with no privacy position.[6]

What to think about when drafting or reviewing a privacy policy:

  1. Is your organization subject to a federal law that requires that a privacy policy take a particular form, or include particular information?
  2. Does the privacy policy describe the main ways in which your organization collects information?
  3. Does the privacy policy describe the ways in which your organization shares information with third parties?
  4. Does the privacy policy discuss data security?  If so, is the level of security indicated appropriate?
  5. Would the privacy policy interfere with a possible merger, acquisition, or sale of your organization’s assets?
  6. Would the privacy policy interfere with future ways in which your organization may want to monetize data?
  7. Does the privacy policy use terms that might be misunderstood or misinterpreted by a regulator or a plaintiff’s attorney?
  8. Does the privacy policy comply with the laws in each jurisdiction to which your organization is subject (i.e., CalOPPA or DOPPA)?
  9. Should the privacy policy only govern information collected via your organization’s website, or all information collected by your organization?
  10. Does the privacy policy appropriately disclose and discuss network marketing and behavioral advertising?
  11. Does the privacy policy need to discuss the tracking that your organization may conduct of its clients or website visitors?
  12. Could the privacy policy be understood by the average person?
  13. Can the privacy policy be easily viewed on a smartphone or a mobile device?
  14. Does the policy provide information to users concerning how they can contact your organization about privacy-related questions or complaints?
  15. Does the policy discuss what information may be modified or changed by a user?

1. Cal. Bus. & Prof. Code § 22575, et seq.

2. 6 Del.C. § 1201C, et seq.

3. California, Delaware, and Nevada.

4. Aleecia M. McDonald & Lorrie Faith Cranor, The Cost of Reading Privacy Policies, 4(3) I/S: A Journal of Law and Policy for the Information Society, 541 (2008).

5. Id.

6. Janice Tsai, et al., The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study, 6th Workshop on the Economics of Information Security (WEIS), (June 2007), http://www.econinfosec.org/archive/weis2007/papers/57.pdf.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
