© 2019 VERHAGEN BENNETT LLP

Los Angeles, CA

Privacy Policy Basics

December 9, 2017

Although there is no umbrella legal requirement that every business post a privacy policy, consumers are, understandably, increasingly sensitive to the data collection practices of the companies they deal with. In recent years, billions of users' records have been exposed by breaches (e.g., 57 million Uber riders and drivers, 143 million Equifax consumers, and so on).

 

Often, they expect to be able to read a company's privacy policy to learn how their data will be handled, and what they find can influence whether they do business with that company. Thus, if your business collects consumer data via the Internet or otherwise (e.g., by accepting credit card payments, operating a website, or maintaining an online marketing presence), you should create a privacy policy that reflects widely recognized privacy principles: notice of what is collected, choice about how it is used, access to it, and security for it.

 

Privacy Policy Basics

 

A privacy policy is a statement, accessible to consumers, that specifies a company's practices and methods regarding the collection, storage, use, and sharing of customer data (e.g., name, address, phone number, email address, payment information, purchase history, etc.). It is distinct from a company's internal, enterprise-wide program for processing personally identifiable information (PII) or any other information regulated by law; the policy is the public-facing promise, and the program is how the organization keeps it.

 

A privacy policy should be treated as though it were a legally binding agreement. Although breach of contract claims based on privacy policy violations have been mostly unsuccessful (either because the policies were found not to be contractual in nature or because the plaintiffs failed to adequately allege the requisite harm), the Federal Trade Commission (FTC) regularly brings enforcement actions under Section 5 of the FTC Act against companies whose actual practices do not match what they represent, in a privacy policy or otherwise.

 

It is therefore crucial not only to have a well-crafted policy that addresses the applicable legal and regulatory requirements, but also to ensure that the organization adheres to the policy in practice. A policy that promises more than the organization actually does is a liability, not a protection.

 

Legal/Regulatory Considerations

 

A proper privacy policy must not only describe the kinds of data being processed, but must also account for the legal and regulatory requirements governing the collection and use of that data.

 

Unlike many other countries, the United States has no comprehensive, uniform data privacy law. Instead, various federal and state laws regulate data privacy, generally by industry sector. Thus, the requirements for a privacy policy are often dictated by the laws governing the industry to which a company belongs, as well as by the state(s) where the company does business and where the relevant consumers reside.

 

California

 

California has been at the forefront of state privacy legislation. The California Online Privacy Protection Act (Cal-OPPA) applies to any business that collects PII about California residents through websites, mobile applications, or other online services, regardless of where the business itself is located. As such, Cal-OPPA has a broad reach and extends to most companies that conduct business online.

 

Cal-OPPA requires an operator of a commercial website or online service (including a mobile app) to do the following:

  • Conspicuously post a privacy policy on its website (or in the case of an online service, make the policy available)

  • Include various disclosures in the policy (such as what information is collected and with whom it is shared, how the business responds to web browser “Do Not Track” signals, and whether any third parties may collect PII on the business’s website or online service)

  • Adhere to the policy

See Cal. Bus. & Prof. Code § 22575

 

A business or website operator violates Cal-OPPA if it fails to post a privacy policy within 30 days after being notified of noncompliance, or if it otherwise fails to comply with Cal-OPPA or with the terms of its own posted privacy policy, either knowingly and willfully or negligently and materially. See Cal. Bus. & Prof. Code §§ 22575(a), 22576. Note that negligent, material noncompliance is enough; a deliberate decision to ignore the policy is not required. Failure to comply with Cal-OPPA may lead to an enforcement action by the California Attorney General (under the California Unfair Competition Law) and civil penalties of up to $2,500 per violation. See Cal. Bus. & Prof. Code § 17206(a).

 

A great deal of information needs to be included in a privacy policy, and the policy should be flexible enough that it will not need frequent changes. To this end, consider how the organization collects and uses data not only today, but in the foreseeable future. For example, a company may not currently share information with affiliates for marketing purposes, but may decide to do so later. To account for this possibility, the privacy policy can state that information a customer provides in connection with completing a transaction may be shared for marketing purposes with affiliated entities and unrelated third parties. Other reasonably foreseeable collection and uses should likewise be stated in the policy, which helps keep the document flexible and accurate. Whatever the policy says, it must remain true; when practices change in a way the policy does not already cover, the policy must be updated before the new practice begins.

 


About the Author:

Dallas P. Verhagen is a business attorney and a partner at Verhagen | Bennett LLP.

 

For questions or comments about this post, please email Dallas directly at: Dallas@VerhagenBennett.com

 

To make suggestions about future posts, please email:  Info@VerhagenBennett.com

 

© 2017 Dallas P. Verhagen — This article is for general information only. The information presented should not be construed to be formal legal advice nor the formation of a lawyer/client relationship.