Privacy Concerns and Website Privacy Policies

Privacy Policies

Privacy concerns arise in any situation where personal information is collected and stored. A Privacy Policy should be disclosed to a consumer in a clear and conspicuous manner. Further, it should be reasonably understandable by the reader. And it should disclose the ways personal information is gathered, used, disclosed, and managed.

Guidelines for Commercial Use of Personal Data to Address Privacy Concerns

The Fair Information Principles, published by the U.S. Federal Trade Commission, provide a set of non-binding governing principles for the commercial use of personal information. These principles also offer guidance for drafting policies that address existing privacy concerns. The four critical issues identified in the Fair Information Principles are:

(1) notice, meaning that information practices must be disclosed before personal information is collected;

(2) choice, meaning that consumers must be given options as to how collected personal information can be used beyond the purpose for which it was provided;

(3) access, meaning consumers should be able to check the accuracy and completeness of personal information collected; and

(4) security, meaning that reasonable steps must be taken to assure consumers that the personal information collected is secure from unauthorized use.

Conforming to the Fair Information Principles

In order to conform with the Fair Information Principles, a Privacy Policy generally includes statements regarding the following:

(1) the sources from which personal information is collected;

(2) specifically how the collected personal information is used;

(3) with whom the collected personal information is shared;

(4) an option allowing consumers to opt out of the disclosure of personal information to third parties; and

(5) the steps taken to protect the collected personal information.

Federal Laws Governing Privacy Policies and Privacy Concerns

There is not a single comprehensive body of law that is generally applicable to privacy policies. However, there are some federal laws which govern Privacy Policies under specific circumstances. The most notable of these are explained below.

The Children’s Online Privacy Protection Act (COPPA) mandates that commercial websites that direct online services to children under 13, or that knowingly collect information from them, inform parents of their information practices and obtain verifiable parental consent before collecting, using, or disclosing personal information from children. In addition to posting a privacy policy, these websites must also adhere to enumerated information-sharing restrictions.

The Gramm-Leach-Bliley Act requires institutions significantly engaged in financial activities to provide clear, conspicuous, and accurate statements of their information-sharing practices. The Act also restricts the use and disclosure of financial information to unauthorized third parties.

The Health Insurance Portability and Accountability Act (HIPAA) requires written notice of the privacy practices of health care services. HIPAA protects how an individual’s health information is used by organizations and disclosed to others. All health care providers, insurance companies, employer-sponsored health plans, and HMOs are covered entities and must comply with the privacy rule’s guidelines. HIPAA’s covered entities are among the most extensively regulated sectors with regard to information privacy.

State Laws Governing Privacy Policies and Privacy Concerns

Some states have implemented more stringent regulations for Privacy Policies. For example, California requires "any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a Privacy Policy on the site". Additionally, both Nebraska and Pennsylvania have laws treating misleading statements in Privacy Policies published on Web sites as deceptive or fraudulent business practices.

U.S. companies should also be particularly cautious with e-commerce, because the European Union (EU) has far stricter privacy regulations, which can affect U.S. companies. The EU Data Privacy Directive prohibits EU organizations from transferring personal data to countries where privacy protection is not deemed adequate. To prevent the interruption of data transfers from the EU to the U.S., the EU approved a “safe harbor.” The safe harbor permits U.S. companies that voluntarily abide by the safe harbor principles to continue data transfers with the EU member states. U.S. companies within the safe harbor are presumed to provide adequate privacy protection.

About the Firm

Klemchuk LLP is an Intellectual Property (IP), Technology, Internet, and Business law firm located in Dallas, TX. The firm offers comprehensive legal services including litigation and enforcement of all forms of IP as well as registration and licensing of patents, trademarks, trade dress, and copyrights. The firm also provides a wide range of technology, Internet, e-commerce, and business services including business planning, formation, and financing, mergers and acquisitions, business litigation, data privacy, and domain name dispute resolution. Additional information about the IP law firm and its IP law attorneys may be found at www.klemchuk.com.