A Practical Guide To Online Privacy Policies

If you do business on the World Wide Web, change is your only constant. Even the most loyal online customers are a fickle lot, and no one can predict the "Next Big Thing" in e-commerce. While navigating the cyber-minefields has always been a dangerous and shifting challenge, the concept of data privacy has been taking on particular significance recently as a potential pitfall for the unwary. In the United States, the approach Internet businesses have adopted has traditionally been driven by the market, with many individuals and businesses demanding to see "privacy policies" before patronizing online vendors. More recently, new laws and legal decisions have begun to appear, adding to the considerations online businesses must weigh in deciding what level of privacy should be promised to visitors and customers.

Unlike Europe, which has imposed comprehensive legal restrictions on the collection, dissemination and use of personal information of virtually every kind, the United States has adopted a more piecemeal approach. There is no uniform requirement in the United States that individuals even be informed that personal information is being collected about them as they surf from website to website. Moreover, the information that is collected can generally be used, sold or disseminated without permission or restriction. However, a constellation of laws exists which provide protection for particular groups of individuals, and imposes restrictions on specific industries. Failure to comply with applicable Federal rules and associated regulations can result in hefty civil and criminal penalties, as well as the elimination of exit strategies and alternative revenue streams.

One example of such a law is the Children's Online Privacy Protection Act ("COPPA"), which was discussed in detail in a previous Lucash, Gesmer & Updegrove mailing. Under COPPA, the Attorney General can seek an injunction and monetary damages for the mishandling of information collected from children under the age of 13. If a company intends to collect information from children under the age of 13, or has knowledge that it is doing so, restrictions under COPPA apply. The company must provide appropriate notice to users that it is collecting personal information from children, it must generally obtain verifiable parental consent prior to use or disclosure of personal information, it must provide parents reasonable access to the personal information and it must implement measures to protect the confidentiality, security and integrity of the personal information. An impacted company's privacy policy can address all of these requirements. The privacy policy must include careful detail as to the nature of the information being collected, how the information will be used, to whom the company will disclose the information, and how parents can access the...