Share This

Does Your Company's Website Privacy Policy Pass the Test?

| Matthew A. Cordell Matthew A. Cordell

During the last year, Facebook®, Twitter®, and Google® each settled disputes with the Federal Trade Commission ("FTC") relating to website privacy, and Google® has reportedly paid $8.5 million to settle a class action suit based on similar privacy-based claims.  Even though actions against these Internet giants capture the headlines, all companies, regardless of size, with websites can learn valuable lessons from the FTC's recent enforcement actions (as Upromise, Inc. learned just days ago when the FTC took action against it on similar grounds). 

The following are various aspects of website privacy law that you should ensure your company does not overlook.

Capturing Information

If your company has a website that collects information in any way, including through email, an embedded "contact" form, or even cookies, you should establish a website privacy policy for it to protect it from liability.  Privacy policies are not just for large corporations and "Internet companies."  Applicable laws control what must be disclosed in a website privacy policy statement and how it is presented, as well as the underlying privacy practices.

Making Promises

Companies sometimes make promises in their website privacy statements that they fail to fulfill in practice.  Allegations of such behavior can be found in most of the FTC's recent enforcement actions in this area.  This is particularly unfortunate because, in many instances, the companies created an otherwise avoidable risk by establishing privacy standards that were stricter than the law required.  This type of risk is increased if your company, or its third-party website designer, simply copies another company's privacy policy statement without first understanding all of the legal and practical considerations that went into that statement, including what different or additional policies your company may need to have because of the different ways in which it does business.  To be effective in protecting your company from liability, your website privacy policy must be tailored to your company's own practices.

Conducting On-Line Business

If your company does business through its website, it may well have additional financial privacy protection obligations and disclosure requirements under various federal and state financial privacy laws, particularly if credit is extended for on-line transactions.  Any company engaging in transactions through its website needs to be aware of the many additional legal obligations created by the patchwork of financial privacy laws.

Protecting Children

Websites directed at children are subject to additional restrictions and requirements under the Children's Online Privacy Protection Act ("COPPA").  If your company's website, or a section of the website, is designed for children, COPPA disclosures and policies are necessary.

Opt-Out Requirements for Advertising

The federal Controlling the Assault of Non-Solicited Pornography and Marketing Act, commonly known as the "CAN-SPAM Act," which limits electronic advertising, is not a privacy law per se, but it does require Internet and email advertisers to provide an opt-out mechanism for electronic marketing, among other things.  If your company advertises through its website or by email, you must have CAN-SPAM policies and an opt-out procedure.  It is customary and advisable to address the CAN-SPAM Act and opt-out rights in a website privacy policy.

Don't Forget State Laws

A few states have their own website privacy laws with which your company must comply if you are directing your website to residents of any of those states.  For example, if your company's website is directed at California residents, or at U.S. audiences generally, your website will need to comply with California's rules, which are reputed to be the most rigorous and which include specific requirements that may go beyond the requirements of the federal rules.


Internet privacy is gaining increasing attention from governmental entities, consumer groups, and plaintiffs' class action attorneys, and is expected to be an emerging source of risk for many companies.  Fortunately, much of that risk is avoidable if care is taken to observe the patchwork of applicable legal requirements.

© 2016 Ward and Smith, P.A. For further information regarding the issues described above, please contact Matthew A. Cordell.

This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.

We are your established legal network with offices in Asheville, Greenville, New Bern, Raleigh, and Wilmington, NC.