By: Matthew Lubniewski
The terms of use and privacy policy on your website could be sources of unwanted liability to your business. The following is a list of some issues to consider when developing your terms of use or privacy policy.
Make Sure You Have a Privacy Policy
The California Online Privacy Protection Act (“CalOPPA”) (Cal. Bus. & Prof. §22575) requires “[a]n operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” to “conspicuously post its privacy policy….” Whether you know it or not, your website probably collects personally identifiable information about users. Make sure your website or app has a privacy policy.
Be Accurate
Your terms of use and privacy policy must accurately reflect your business and how you collect, store, and share users’ personal information. Periodically review your terms of use and privacy policy (at least every six months) to make sure new services or features you have rolled out are covered. Periodically audit how user data is shared with third parties and how your company secures user data to ensure that your terms of use and privacy policy accurately describe your practices. Keep dated copies of every version of your terms of use and privacy policy so you can show what policies were in effect when a particular user visited your site or used your app.
CA’s Automatic Renewal Law
If you sell automatically renewing subscriptions to consumers, California’s Automatic Renewal Law (“ARL”) (Cal. Bus. & Prof. §17600, et seq.) requires more than just a line or two in your terms of use notifying customers of the recurring charge. In short, the ARL requires that the company disclose the automatic renewal terms in a “clear and conspicuous manner” and provide the consumer with a written acknowledgment of the automatic renewal terms and cancellation policy “in a manner that is capable of being retained by the consumer.” Failure to comply with the ARL makes the company subject to “all available civil remedies,” which has given rise to numerous class action lawsuits against major companies. Even more onerous, if you send a customer products under an automatic renewal agreement without first complying with the ARL disclosure and acknowledgment requirements, those products are deemed to be “an unconditional gift to the consumer.”
Do Not Track Signals
All major web browsers (mobile and desktop) now give users the ability to send a “do not track” signal to website operators that expresses a preference that their web browsing activity not be tracked. Unfortunately for users, there is no consensus on or legal standard for what an operator should do in response to receiving a “do not track” signal. The World Wide Web Consortium Tracking Protection Working Group is currently working towards a standard for what operators are expected to do upon receiving a “do not track” signal and a standard for how users can ensure compliance with their preferences. In the meantime, the CalOPPA requires website operators to disclose how they respond to “do not track” signals “or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities.” (Cal. Bus. & Prof. §22575). Make sure your privacy policy states how you respond to “do not track” signals.
CA’s “Shine the Light” Law
California’s “Shine the Light” law which is part of the California Consumer Records Act (Cal. Civ. Code §1798.83) requires most website operators that share certain types of customer data with third parties for “direct marketing purposes” to choose between two ways for allowing consumers to control whether their data is shared with third parties. The first option is to state in your privacy policy that you will either obtain customers’ consent to opt-in to sharing their data with third parties for direct marketing purposes or provide a cost-free method for customers to opt-out of such sharing. The second option is to state in your privacy policy that, upon a customer’s request, you will provide an accounting of the types of customer data shared with third parties and the identities of those third parties. The “Shine the Light” law involves numerous technicalities and exceptions. If your privacy policy does not include an on opt-in/opt-out scheme or an accounting scheme with respect to the sharing of customer data for direct marketing purposes, you may be unknowingly violating the law.