A Legal Overview Of Online Privacy Laws Businesses Must Comply With To Stay Legal In 2021

Online business owners are the architects of the internet. Particularly following a year of many businesses moving to online models, it’s critical not only that a business have an attractive, engaging, and accessible online home, but also that its website comply with all required online privacy laws.

After all, what good is a website, if it just invites liability to your doorstep? It is important for businesses of all sizes to understand how to refrain from violating privacy laws in order to protect their investment.

What does a website need to be legal?

Generally speaking, a website must contain three things to be as legally protected as possible:

  1. A privacy policy: First and foremost, federal FTC laws require privacy policies. In other words, a website is breaking the law by not having one. You can find the one I draft for my own clients here.
  2. A terms and conditions: While not a federal requirement, this is something I require my own clients to have. A terms and conditions acts as the contract that governs your website: just by accessing your website, users are agreeing to be bound by the terms in your terms and conditions. Why is this important? In short, if someone copies a portion of your website, such as a photo or copy (which is, unfortunately, one of the most common occurrences I see working with online business owners), you will have a much better “legal leg” to stand on when you send a cease and desist letter, because the infringer will have also committed a breach of contract action. If you don’t have a terms and conditions, you’re relying on a common law intellectual property cause of action; in other words, a harder fight, which means more expensive attorney’s fees.
  3. The correct information in the footer of the website. This includes a link to your privacy policy and terms and conditions, an up-to-date copyright symbol, and a disclaimer, if needed. This site is the best example: because we share legal education (an industry that requires licensure), we have a legal disclaimer.

All website documents, such as a privacy policy, and terms and conditions, may be found at the Creative Law Shop®.

What privacy laws do online business owners need to know about?

One note before diving into the legal nuances of these laws: they are written around the users of your website. For example, the GDPR regulates how EU citizens’ information must be protected on websites. The obvious secondary question this brings up: how can you regulate who accesses your website?

You can’t. Therefore, your website’s privacy policy and terms must comply with all relevant online privacy laws.

Online Privacy Laws All Business Owners Must Comply With

The three main online privacy laws:

The three most important privacy laws are the General Data Protection Regulation (GDPR), which originates in Europe, the California Consumer Privacy Act (CCPA), and the Children’s Online Privacy Protection Act (COPPA). While only COPPA is United States federal law, each of these bodies of regulation is looked to as a reference point for existing state law requirements. Likewise, these are not the only regulations, statutes, or requirements, but rather they are the broadest and most referenced. Note: for an in-depth examination of everything business owners need to know regarding the GDPR and other online privacy laws, head to shopcreativelaw.com.

Business owners may want to consider that many consumers are demanding increased privacy protections. Likewise, hefty fees and fines, as well as legal ramifications, are all considerations when creating, building, or establishing an online presence.

An overview of what the GDPR suggests including in a privacy policy:

  • Provide visitors or users to your website the opportunity to personalize how their data is managed
  • Obtain permission from the user or visitor to capture personal data
    • Understanding how and where this permission is given is fundamental
  • Minimize what information is being collected and alter identifying information to protect data privacy
  • Integrate procedures designed to guard data
    • Recall: Whenever data is captured or a third-party product is introduced, a security risk emerges
  • Understand when privacy and data distribution notices should, and need to be, introduced

The GDPR has clearly put an emphasis on rebuilding trust with online users with regard to their data. By minimizing the amount and type of data collected, and collecting only the information necessary to accomplish business-related tasks, online businesses are able to navigate the constantly evolving demands of online privacy protection.

Like the GDPR, the CCPA has established the seriousness of data minimization. The CCPA requires businesses to not only disclose any personal information that is taken, but requires website owners to detail why the information was taken and how the information will be used. The CCPA also requires privacy policies and notices to be updated on an annual basis.

Some considerations to keep in mind are:

  • Only gather necessary information
  • Explain why you are collecting the information
  • Elaborate on how the data will be used
  • Notify visitors and users what their rights are and how they can apply those rights
  • If data is being collected for third parties, notify visitors and users of the website
    • More importantly, provide a “Do Not Sell” hyperlink in a visible location
  • Explicit consent may be required for any additional data collection not mentioned

COPPA, on the other hand, deals mostly with compliance in regard to children under the age of 13. It is important for websites whose primary targeted audience is children, or websites that have actual knowledge that children are using the website, to know and understand their responsibilities as outlined by COPPA. Of note: you may not be “targeting” children under 13 to your site, but that does not mean that children WON’T be accessing your website. So, best practices are to ensure you’re compliant.

  • COPPA requires a clearly written and understandable privacy policy which includes:
    • Information the website is going to collect
    • How the information is collected
    • Whether the information can be made public (usually through social media)
    • How the information collected will be used
    • Company practices for disclosing information
    • Audio file collection, use, and deletion policies
    • Contact information for website and online service operators
    • One main point of contact for parental inquiries
  • COPPA also requires a notice for parents that states:
    • The website requires disclosure of the child’s information only as is reasonably necessary
    • Parents can review, have deleted, or at any time refuse to permit further data collection
    • A parent may allow a child’s information to be obtained by the website but not by any third party
    • The procedures on how a parent may enforce their rights

With the world rapidly changing, however, these vague and general guidelines may soon phase into stricter and more precise rules and regulations. An example of this can be seen in the Online Accessibility Act (H.R. 8478), a proposed amendment to the Americans with Disabilities Act of 1990. If this act were to pass into law, it would require all consumer-facing websites and mobile applications to provide accessibility to all persons, regardless of disability. The act allows for a transitionary period as well as flexibility for small businesses; however, it would require major adjustments with regard to how website and mobile application content is accessed.

Most importantly, the new Biden administration, spearheaded by Vice President Kamala Harris, who has her own track record in requiring enhanced online data protection, will most likely have upgraded online data requirements. Whether that will be in continuance with Obama’s “Consumer Privacy Bill of Rights” or the passing of one of the many bills already being pushed from both Democrats and Republicans, privacy laws and regulations are certainly something online business owners are required to stay ahead of.

For lawyer-drafted website templates (including lifetime updates, as new laws are passed), head to the Creative Law Shop®.
