Privacy policies are a necessary headache. The incessant wave of data breaches and theft of consumer personal information has resulted in lawmakers across the world making privacy compliance more arduous and penalties even stiffer. Most companies, unfortunately, view privacy policies as an extension of their web pages — largely static and reviewed perhaps every few years.

The problem is that privacy policies developed years ago may lack key provisions that address ever-changing legal requirements and tighter standards. Here’s a list of the top five items your company’s privacy policy is probably missing.

#1 – Do Not Track.

Does your company’s privacy policy make it clear how your servers respond to do-not-track signals? “Do Not Track” is the online equivalent of the “do not call” telephone list. Do-Not-Track signals are intended to notify websites that the user does not want his or her personal information and viewing history shared with advertisers or “tracked” across multiple websites. Think of how countless websites now allow you to create a username and registration account using your existing Facebook, Twitter, or Google account. When user personal data is tracked across multiple websites, do-not-track signals issued by the user’s browser or a third-party application are presented to websites notifying them that the user’s information should not be tracked. Do-Not-Track legislation has been introduced by the U.S. Senate, and the U.S. Federal Trade Commission has in the past investigated the legality of data collection practices that track users’ personal information and browsing data. Late last year, California became the first state to enact Do-Not-Track laws, requiring businesses to identify how they respond to Do-Not-Track signals and whether third parties collect personal information when a consumer uses their site. More states will likely be following suit, making this a requirement for companies that have online visitors across the country.

#2 “Right to be Forgotten” / “Online Eraser” Requests

Does your company’s privacy policy include provisions that specify how consumers should request the deletion of data collected about them that resides on your servers? The European Court of Justice ruled that Google must honor requests for removal from its search results, under the E.U. Data Protection Directive. The E.U. Court found that E.U. rules apply, even if the physical servers of a company are located outside of Europe. Since then, tens of thousands of requests have flooded U.S. companies asking for the removal of personal details of E.U. citizens pursuant to the E.U.’s Right to be Forgotten laws. Last year, California joined the ranks and became the first U.S. state to enact an “Online Eraser” law for minors, requiring businesses to have a procedure for handling requests made by minors to remove information. The law will take effect in a few months and will apply to any website that is accessed by California residents, regardless of where the company is located or where its servers are located.

#3 Integration with Terms of Use.

Is your company’s privacy policy neatly wrapped into your Terms of Use? Is it hyperlinked and incorporated by reference? Merely referenced? Not mentioned at all? How are you assuring that consumers’ agreement to your Terms of Use, which hopefully contains favorable venue, dispute resolution, indemnity, and disclaimer provisions, applies to your privacy policy and potential privacy claims? When disputes arise, courts carefully evaluate the language that the business is seeking to enforce against the consumer through “click-wrap,” i.e., agreements to contractual terms simply by viewing a site or clicking on “submit” buttons. If your website’s provisions do not gel well together, they could be stricken and held unenforceable.

#4 Cookie Laws.

Do business websites still use cookies? Yes! Cookies only sound like remnants of a bygone online era. In the last few years, cookie violation laws were enforced (again by the European Union) against businesses that failed to notify customers how cookies were being placed, and penalized them for failing to obtain valid consent from the consumer before the cookies were deposited. Although the fines imposed were not steep (approximately $7,000), the fact that cookies are the dinosaurs of data tracking, regularly used, and not historically perceived to be intrusive, makes it important to revisit how your privacy policy addresses them.

#5 Mobile Data

Does your company allow its information to be accessed by consumers through a mobile device? What about information about the consumers collected through their use of mobile services? Many websites offer “mobile” versions of their fuller websites, or make certain information available over mobile apps. It is important to remember that even though you may have a privacy policy for your website, you need a separate privacy policy to address mobile data. Not only can mobile privacy violations result in massive fines from the Federal Trade Commission, states now have mobile app privacy penalties as well. In California, a mobile app made available to a California resident without a privacy policy can result in a penalty of $2,500 per app download.

In the hustle and bustle of the day-to-day affairs of any business, dealing with regulatory compliance of any kind can be an unnecessary annoyance. But giving your company’s privacy policy a fresh change of clothes does not have to be painful or cost a fortune. On average, major privacy events or changes in privacy laws have occurred a few times a year for the past few years. So giving your privacy policy a review at least annually could help ensure that you’re not left too far behind. As with all things in the legal world, an ounce of prevention is worth a pound of cure.

AXIS Legal Counsel’s Business Practice provides legal advice to numerous small businesses with a variety of legal matters, including business formations, contracts, deals, and transactions, business administration, corporate governance, operations, risk management / insurance, labor/employment matters, intellectual property, healthcare, crisis management, directors/officers, private/data security, technology, statutory/legal compliance, and business litigation. AXIS represents businesses, corporations, LLCs, LLPs, partnerships, and startups in need of a corporate lawyer, for business legal matters as well as business litigation, such as disagreements, non-solicit agreements, non-competes, trade secrets, and other disputes with businesses. We are also experienced in providing assistance to business clients concerning business contracts, corporate formation matters, contracts and transactions, business litigation, business legal advice for Corporations, LLPs, LLCs, Partnerships, Small Business, Startups, and others involving corporate law.

If you are seeking a business lawyer, or for information on retaining AXIS Legal Counsel to represent your business in connection with any legal matter, contact us or call (213) 403-0130 for a confidential consultation.
