In the wake of GDPR and California’s new data privacy law, website privacy policies continue to be a hot topic for the business community.

These pieces of legislation, the FTC Act, and various other sectoral and state laws and regulations set forth a myriad of complex rules and guidelines for website privacy policies. At a minimum:

  • Privacy policies should clearly and concisely state:
    • What information is being collected when a person visits your site
    • Who else may have access to that information
    • Site visitors’ options – to opt in or opt out – without complicated or costly means to do so
    • How you will communicate with your customers/site visitors if their data is compromised (if you wish to avoid more costly or public means of breach notification that may be mandated by certain jurisdictions)
    • Whether you are tracking site users’ locations (and with California and EU site visitors, this cannot be done without clear disclosures and consent)
    • How cookies are being used
    • How long information is retained
  • They should not be materially misleading.
  • Consent: If you are, or think you might be, subject to GDPR and/or if you are inviting or expect site visitors from California, your website should take the “opt-in” approach (without pre-checked boxes to receive future correspondence or advertisements).
    • “Consent” under GDPR for direct consumer marketing must be freely given, specific, informed, and unambiguous.
      • Site visitors should not be penalized if they choose not to consent.
    • Your customer must know to what they are consenting, and you cannot repurpose consent given for one activity for another, unrelated activity.
  • Your website should include mechanisms to allow a data subject to request (i) confirmation and/or correction of information you have about that person, (ii) that you remove (the right of “erasure”) that person’s data from your systems, and (iii) that you transfer their information to a third party.
  • If your website processes payment transactions, it must be PCI compliant.
    • If the website uses a third-party payment processor, this should be clearly stated on the website and you should review your contract with that processor as to indemnification, notice obligations and liability disclaimers or limits if the processor experiences a breach.

In addition to the issues highlighted above, there are many other cyber and data protection-related considerations associated with websites and the disclosures in privacy policies.

Regardless of whether you are subject to GDPR, if your stated privacy policy, terms and/or conditions are misleading and/or deceptive, you will be inviting federal and state claims of deceptive and/or unfair trade practices.

However, there are other issues that many companies either ignore or neglect, including:

  • Reviewing advertising insurance coverage
    • Even if you have general commercial liability insurance that includes advertising coverage, it may NOT include coverage for your digital advertising. If you do not know the answer to this, we urge you to ask your broker!
  • Assessing whether the website is ADA compliant
    • Circuit courts around the country are split on their application of Title III of the Americans with Disabilities Act (“ADA”) to websites. However, many courts are taking the position that because websites are “places of public accommodation,” they are indeed subject to the ADA.
  • Clear and complete disclosure of warranty terms
    • It is worth noting that different laws apply if you are a manufacturer or a retailer.
    • In New Jersey, retailers must comply with the state’s Truth-in-Consumer Contract, Warranty, and Notice Act.
  • Disclosure of pricing, shipping, handling and return mechanisms, requirements and limitations
  • Review of general website terms and conditions
    • Do they protect your intellectual property?
    • Do they disclose third-party links?
    • Do they address the intended or unintended collection of information about minors?
    • Do they clearly state dispute resolution mechanisms?

For any business – but particularly for a business new to the internet or e-commerce – it is easy to purchase a website “kit” without giving the necessary thought to these and other considerations. If you are just establishing an online presence, do not just “cut, paste and go.” And if your business operates an already-established website, the stated terms, conditions, privacy policy, and notices should be reviewed at least annually.

A website is a wonderful way to promote and expand your brand – provided it is appropriately established, maintained and protected.