Website Privacy Policies

Flat Fee Arrangement

Website Privacy Policies can often be prepared for websites on a modest flat fee basis. The fee will vary based on the simplicity or complexity of the website. Please contact us at , by phone at 410 367 5222 or complete our Contact Form to schedule a free initial consultation and to receive a quote for a flat fee to prepare a Privacy Policy for your website.

Purpose and Approach

Privacy Policies primarily regulate how a website collects personal information from its users and how such information will be used. In the U.S., the Federal Trade Commission (FTC) is primarily responsible for the enforcement of website privacy commitments. Additionally, the majority of states have implemented laws that impose obligations as to how personal information is maintained and what activities must be undertaken if personal information is breached. Also, where users are located in other countries or where personal information is being transferred from or to other countries, then the privacy laws of such other countries may also be binding upon a U.S. based website.

The FTC considers statements in a Privacy Policy to be promises made by the website to the users. Therefore, when drafting Privacy Policies, great care must be taken to verify the accuracy of all claims and obligations contained in the policy. The Privacy Policy needs to accurately reflect the collection, storage, use and dissemination policies applicable to the information. Failure to keep these promises may amount to an unfair or deceptive trade practice actionable under the FTC Act. Additionally, Privacy Policies need to be prepared in a flexible manner that anticipates future needs.

As stated in relation to Terms of Use, it is often tempting to grab a privacy policy from another website and model it for a new website’s purposes. However, “getting it right” the first time is critical for a Privacy Policy, not only because of potential liability, but also because later changes to the policy that seek to correct earlier mistakes or misunderstandings may not apply to earlier collected information. This could have several significant negative results, like obstructing the implementation of new marketing plans, requiring costly administration to distinguish between information that needs to be handled in accordance with different policies and placing a cloud on potential liability and ownership in information that will scare off potential investors and purchasers.

Key Provisions

Following are some of the main provisions and issues that need to be considered when preparing Privacy Policies. There are quite a few other issues that also need to be addressed.

  • What Information is Being Collected. Privacy Policies need to specify the type of information that will be collected. It is best to be broad in the description. However, it is not a good privacy practice to collect more information than is reasonably necessary for the purposes of the website. Descriptions of information collected would usually include all of the typical personal contact, identity and preference information, but should also include the non-obvious information like IP address, browser type, host operating system, etc. that is automatically collected. Under the Children’s Online Privacy Protection Act (COPPA), parental permission is required to collect personal information from children under the age of 13. There are narrow exceptions to this requirement, and the method of verifying parental consent needs to be strictly complied with.
  • How Information is Collected. User information can be collected by a variety of means, through registration forms, by means of cookies and web beacons, etc. These methods should be clearly stated.
  • How Information is Used. Information may be used for a variety of purposes, such as to personalize content presented to users, to serve advertising and deliver other information, market research purposes, carry out agreements entered into between the website and the users, and to notify users about changes and features of the website. These uses should be clearly stated.
  • Third Parties that may be Receiving or Collecting Information. Third parties that will be receiving personal information of users should be clearly stated. Often there are third party service providers that will be receiving personal information on behalf of the website. Such service providers may include credit card transaction processors, communication platform providers, and hosting services providers. Information may also be transferred to third parties for marketing purposes. If there are legal proceedings involving the website, the website would want express acknowledgement from the users that the website may cooperate with such proceedings, which may include a transfer of personal information to legal authorities. Additionally, it is critical to allow transfer of the information to an entity that may acquire ownership in the website at a future date. Advertising served by third parties automatically receives IP addresses and such third parties may also use cookies, JavaScript, web beacons and other technologies to measure the effectiveness of their ads, to personalize advertising content, to compile anonymous statistics and otherwise monitor the effectiveness of their campaigns. Users should be notified in the Privacy Policy of these possibilities. It is also beneficial to highlight to users that there may be links in the website to third party websites and that the privacy policies of such third party websites will govern the collection and use of their information.
  • Security Used to Protect Information. Websites are not generally required to state the type of security that will be in place to protect the information from unauthorized access. However, many users want to see this. Once security procedures are stated, failure to comply with such procedures could subject the website to action by the FTC. Therefore, it is important not to overstate the actual security that will be in place. It is also important to clearly state the limitation of any security system. No system is absolutely secure from unauthorized access from hackers.
  • Compliance with U.S. and non-U.S. Laws. The Privacy Policy should contain provisions so that marketing communications do not violate the CAN-SPAM Act. California in particular has implemented privacy laws that may impose additional requirements on a U.S. website that collects personal information from California residents. Additionally, if user information will be collected from individuals located in non-U.S. jurisdictions, then the Privacy Policy may also need to contain provisions that comply with European Union Privacy Directive requirements or the requirements of other jurisdictions.