-
Privacy Policy For Station Websites
June 7, 2022
Have an opinion? Add your comment below. -
In a recent article, we recommended that stations post Terms of Use on and for their websites. An equally important protection for those who have websites and that has received a great deal of attention recently is internet privacy. We have reviewed the current laws and recommendations in regard to website privacy policies. Stations should have Privacy Policies posted on their webpages. Here is an explanation of what Privacy Policies are, their purpose, and some relevant law.
What is a Privacy Policy and Why is it Important
Privacy Policies serve to notify visitors to your website of how you collect, use, and store personally identifiable information. Privacy Policies are not currently required under federal law but some states have started to enact their own internet privacy laws, which include privacy policy mandates. Further, there is increasing attention being given to internet privacy on both federal and local levels; so even if there is not currently a privacy policy requirement in your state, there may be a requirement in the near future. Here’s a brief explanation of the current status of privacy laws:
As noted above, there is currently no federal scheme regulating privacy on the internet in the United States. While the Federal Government has passed several laws that protect privacy in specific areas, the closest the Federal Government comes to regulating internet privacy are enforcement actions taken by the Federal Trade Commission under section 5 of the Federal Trade Commission Act of 1914, which prohibits unfair or deceptive trade practices. Under this section, the FTC primarily prosecutes companies that violate provisions of their posted privacy policies, such as selling a user’s data when the privacy policy says the company will not do so. The FTC Act of 1914 does not mandate that companies have a privacy policy or proscribe what should be contained therein. The FTC is thus just using the act to hold companies to the privacy policies they have posted.
Though there is not currently a federal law requiring privacy policies, there has been an increase in focus on consumer privacy and the internet. For example, the House introduced a bill that would require internet access service providers to conspicuously notify their users of their privacy policies and to giver opt-in or opt-out approval rights with regard to the information they collected. While this is not a broad law regarding privacy policies, it does demonstrate that there is increasing interest in consumer privacy on the internet, which may lead to a more sweeping federal privacy policy scheme in the future.
Given this lack of federal scheme, a handful of states have started to enact internet privacy laws. The most sweeping internet privacy law that has been enacted to date is the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA grants California residents four protections with regard to their data on the internet: (1) the Right to Know, (2) the Right to Delete, (3) the Right to Opt-Out of Sale, and (4) the Right to Non-Discrimination. The CCPA has the potential to hold businesses anywhere in the world liable if they do not follow the guidelines set forth in the law. In order to comply with the CCPA, businesses must have a privacy policy on their website that explains to visitors what information the website collects, how it is collected, how it is used, how it is retained and for how long, and an explanation of the rights granted under the CCPA with an explanation of how to exercise those rights. In addition, the CCPA requires that visitors to a website be provided with information on how to “opt-out” or “unsubscribe” and, if the data is sold, at the time of collection allow the visitor to request that their information not be sold.
Though the CCPA is a California law that only protects California residents, as noted above, it has the potential to affect businesses that collect California residents’ information through the internet. Further, though the CCPA is the most expansive law currently in effect, there is an increasing trend among states to pass internet privacy laws that protect their citizens due to the lack of federal protections. For example, Virginia recently passed the Consumer Data Privacy Act, which will go into effect in 2023 and grants protections to Virginia residents’ whose information is collected over the internet. Similar to the CCPA, the Virginia Consumer Data Privacy Act will require businesses that collect Virginia resident’s information over the internet to have a privacy policy explaining what information they collect, how it is stored, how they can make changes to the information, and how they can opt out, among other things. Further, over eleven states, including Nebraska, Utah, Missouri, and Florida, have had internet privacy bills actively before their state legislatures in the last year, several of which mirror the CCPA. It is likely that we will see an increase in the number of states that have enacted sweeping internet privacy laws, many of which will impose liability for the requirements in their respective acts.
In addition, there are international laws that can apply to United States businesses if their websites are visited by certain international citizens. The most sweeping and comprehensive of these is the General Data Protection Regulation (“GDPR”) which was enacted by the European Union in 2018. Similar to the CCPA, the GDPR grants EU citizens specific rights with respect to their online data and requires that websites visited by EU citizens have privacy policies explaining what information they collect, how its collected, how it is used, how it is stored, what rights EU citizen have, and how EU citizens can utilize their rights, among other things. There are many similarities between the GDPR and CCPA; the key difference is that the GDPR requires website owners to request visitors to the website to affirmatively consent to the collection of their information in addition to the ability to opt-out, as opposed to the CCPA which only requires that visitors be provided with an opt-out option.
This is a continually evolving landscape, which will continue to evolve and change in the coming years. In order to ensure you are in compliance with the varied laws, we recommend that you have a privacy policy posted to your website. We also recommend you regularly check with your local counsel to ensure that there are no current internet privacy laws you should be complying with, particularly if you know your state has passed an internet privacy law. Each of the states have different laws and requirements, which may or may not affect you depending on your own internet collection practices. Thus, while this memo can provide some general guidance about the importance of privacy policies, only counsel familiar with your own practices and needs will be able to fully advise on whether a privacy policy is mandated or recommended and whether there are specific items that must be included.
Posting the Privacy Policy
Your Privacy Policy should be accessible from any page on your site, typically by posting the link in your header or footer so visitors can always determine what sorts of information you are collecting and how to contact you about it. If it is possible and appropriate for your site, you may consider including a “pop-up” upon a visitor’s first visit to the site, which would include links to your Terms of Use and Privacy Policy, alerting the visitor to the rules of and types of collection conducted through your site. The pop-up is not required, though it does add an additional layer of security by forcing visitors to acknowledge that the Privacy Policy exists and agree to the collection contained within prior to using the site. This makes it more difficult for visitors to allege they were unaware of your Privacy Policy in the event that legal action arises down the line.
In addition, we encourage you to include a link to your Privacy Policy any time it is appropriate to draw a visitor’s attention to the Privacy Policy (such as when they are submitting information to contact you or registering with your site). This can be easily done by including a phrase like “By clicking submit/registering you are agreeing to our Terms of Use and Privacy Policy” or by requiring the submitting party to click a box confirming that they have read the Terms of Use and Privacy Policy before being permitted to submit their request.
This column is provided for general information purposes only and should not be relied upon as legal advice pertaining to any specific factual situation. Legal decisions should be made only after proper consultation with a legal professional of your choosing.
This column is provided for general information purposes only and should not be relied upon as legal advice pertaining to any specific factual situation. Legal decisions should be made only after proper consultation with a legal professional of your choosing.
-
-