It is not uncommon for clients to inquire, skeptically, as to the necessity and importance of posting a privacy policy on their websites. While some clients might prefer to skip that step (and expense), my counsel is almost always the same: If you own or operate a website that collects personally identifiable information (“PII”) from end-users (name, e-mail/mailing address, phone number, etc.), it is crucial that you compose an easy-to-read, concise privacy policy that you make available to visitors via a hyperlink on your home page.
Letting website visitors know, via your privacy policy, what PII you collect, how you use that information, to whom you may disclose that information, the security measures taken to protect that information and whether the website uses cookies and/or other web-based tags to track user activity, is not only good policy from a customer-relations perspective, it is also required by state and federal law.
In addition to making sure that your online data collection activities are compliant with state and federal law, a well-written privacy policy can form a key feature of your online business strategy. If proper disclosures are included in your privacy policy and elsewhere on your website, you can monetize user data through e-mail marketing, telemarketing and, where permitted by law and under a narrower set of circumstances, mobile/text message marketing, to end-users.
On the other hand, if you do not properly inform end-users of your intention to use their data for marketing purposes, any attempt to do so (without obtaining separate and express consent) would almost certainly violate applicable law. You must provide specific disclosures for each intended use, and you cannot deviate from the stated purpose and range of options granted to you in the privacy policy. For example, stating your intention to send commercial e-mail marketing to visitor e-mail addresses would not grant you the right to telemarket to visitor telephone numbers.
If you want to change your privacy policy to allow for greater uses of the data than were permitted when your users provided the data to you, you must contact those users and receive additional consent or their data may not be used in such enhanced ways. For that reason, it usually makes sense to author your privacy policy such that you grant your business the greatest range of potential uses of the data from the beginning because, while you can choose not to use data in ways that you are authorized to, you cannot decide to use the data in ways that your privacy policy does not allow for.
Even where you state up-front in your privacy policy that you can use all of your end-users’ PII in various ways, that does not always grant you the right to use that information in all of the enumerated ways. For example, more restrictive laws apply to the use of sensitive information such as Social Security numbers, health-related information and financial data (such as credit card, bank account and other related information).
While properly collected end-user data may provide your business with a valuable revenue stream, collecting, storing and transmitting data also impose a responsibility on your employees to safeguard such data. Various state and federal statutes require that you maintain and distribute to your employees a written manual on data handling and protection procedures, and that you notify end-users in case of any breach of security with respect to their data.
With all the rules and regulations governing the collection, security and use of the various forms of personally identifiable information – and given the potential financial benefits involved in utilizing a database of consumer information – it makes good business and legal sense to craft a privacy policy that is well-suited to the needs of your business, and that provides your website visitors with all the information they require to make an informed decision regarding the disclosure of their personal information.
Please note that this is only a brief overview of some of the legal issues associated with privacy policies. Remember to retain a licensed attorney to draft your website privacy policy.