If your business has a web presence (and in the 21st century, you really should), then you probably need a privacy policy on your website. Several relatively recent laws require business websites to post a privacy policy, but these laws aren’t universal in their applicability, especially when it comes to small businesses. Complicating matters, this area of the law is developing and changing rapidly.

According to a recent survey, customers are not only starting to care about their online privacy, but they are also willing to take action to protect their privacy, even going so far as to switch businesses or service providers because of their privacy policies. This means your customers are increasingly likely to want to know what data they are giving up when they interact with your business and what your business is doing with all that data in the first place.

In this post, we’ll talk about the legal requirements for your website privacy policy: What should be included in your privacy policy? What are some best practices for keeping your privacy policy up to date?

While Ohio has not passed any laws specifically requiring websites to post privacy policies, such laws have been passed in several other jurisdictions. And these laws typically apply even if your business isn’t located in that state or country.

Practice Note: Ohio law hasn’t addressed privacy policies yet, but Ohio’s Data Protection Act does protect businesses from lawsuits if they take steps to protect the security and confidentiality of personal information, among other requirements.

The most common example of this is California’s Online Privacy Protection Act which requires websites and apps to post a privacy policy if they collect any personally identifiable information from California residents.
Regardless of where your business is located and who your target customer is, unless you can be absolutely certain that you’ll never collect information from someone located in California, then this state law from across the country applies to your website.

Under California law, your privacy policy must let visitors know what personally identifiable information your site collects and who you share that information with. The law doesn’t dictate what information you can or cannot collect or even what you can or cannot do with that information once you have it, but it does require that your business comply with whatever privacy policy you establish.

Similarly, the European Union’s General Data Protection Regulation (GDPR) applies not only to businesses based in the EU, but also to businesses that offer goods or services to residents of the EU or that collect data from the EU. As we discuss below, most websites these days use third-party services to track website visitors. That alone potentially makes the GDPR applicable to your small business because an EU resident could stumble across your site, even if you aren’t specifically targeting the EU.

So while the GDPR technically applies to almost every website in the world, (a) as a practical matter, it seems unlikely that regulators will be targeting small businesses that inadvertently obtain insignificant amounts of data, and (b) it does include an exemption to the more onerous record-keeping requirements for small businesses with less than 250 employees.

The GDPR is a complex law with a lot of requirements. But most importantly for small businesses, it requires that you:
In addition to the patchwork of legal regulations requiring a privacy policy, the services you or your website designer may have built into your website also typically require the use of a privacy policy. For example, most websites rely on Google Analytics to try to understand how visitors find and interact with their website. When you signed up to use Google Analytics on your site, you agreed to their terms of service, which require the use of a privacy policy on your site. Other data analytics tools, third-party advertising services, your payment processor (if your business is involved in e-commerce), even the chat bot that interacts with your visitors, all typically require that your site post a privacy policy.

What to include in your privacy policy

Your website’s privacy policy should let visitors to your site know:
Best Practices for Drafting and Maintaining Your Website Privacy Policy

This is a messy area of the law that is only likely to get messier as the privacy debate continues. At this point, you might be thinking, “I’ll just copy a privacy policy from a website that seems similar to mine and call it a day.” But be careful! The law may not be clear about what your privacy practices should be, but it is clear that, at a minimum, your business must comply with the terms of whatever privacy policy you set. Failing to do so or misrepresenting what you do with consumers’ personal information is an unfair or deceptive trade practice. In other words, your business can face legal liability simply for failing to follow your own privacy policy.
As your business practices change, your privacy policy should also be updated to reflect those changes. And because this is an evolving area of the law, your privacy policy should be reviewed periodically to ensure compliance with the changing regulatory landscape.

If you have questions or concerns about the legal requirements applicable to your website privacy policy:

12/9/2020 03:14:00 pm
Hey Maritza, hoping you can help me with crafting this language for our website at ROY. We're launching e-commerce and want to be sure to cross our ts.
11/17/2020
1 Comment