Is Your Website’s Privacy Policy Putting You at Risk?

James Chiodo

This article was provided by Thank you for supporting the partners who make SitePoint possible.

Did you know that you’re legally accountable for the statements made in your website’s privacy policy? Have you read and understood each provision in your privacy policy? Do you know what your responsibilities are?

In this article, I’ll present five mistakes with privacy policies that could put you at risk of fines or lawsuits. I’ll also discuss why it’s important to have a privacy policy, and some concluding thoughts on how to avoid legal problems.

Words and Actions That Can Put You at Risk

Here are five things website owners need to watch out for when drafting and managing privacy policies.

  1. Guaranteeing That Visitors’ Personal Information Will Be Safe

    Many website owners tell visitors that their personal information will remain safe and secure by using a provision in their privacy policy similar to this one:

    Our website uses secure data collection, processing and storage procedures and other security methods to protect against unauthorized access, disclosure, change or destruction of your personal information, password, username, transaction information and data stored on our website and servers. Your personal information is safe and secure with us.

    Should your visitors’ and customers’ personal information be made public because your website gets hacked, or because the information becomes publicly disclosed by other means, the fact that you used a provision similar to the one above could, in the United States, get you sued by the Federal Trade Commission (FTC) for violating Section 5 of the FTC Act, which prohibits unfair and deceptive practices in commerce. (Similar rules apply in other countries, as I’ll discuss below.)

    The trouble doesn’t end there. Visitors and customers could also file a lawsuit against you because their personal information was disclosed after you had guaranteed its safety in your privacy policy. Under the law, you must take reasonable steps to protect important information and keep it secure. At a minimum, you must obey the privacy guarantees you make to your visitors and customers in your privacy policy.

  2. Making Exaggerated Statements in Your Website’s Privacy Policy

    The FTC has also taken legal action against companies that have made exaggerated statements in their websites’ privacy policies—statements that can’t be verified. Always make sure you can keep any promises made in your policy.

  3. Promising to Not Share or Sell Your Email Address and Personal Information

    “We will not share or sell your email address and personal information.” This is a common statement you’ll find in most privacy policies, because it’s a reasonable promise that makes visitors and customers feel comfortable giving you their email addresses and personal information. Website owners like this, of course, because it helps them grow their email lists, which can be one of their most important assets.

    But what if you sell your company? Unless you stipulate in your privacy policy that your visitors’ and customers’ personal information and email addresses will be included as part of the sale, you cannot include them with the sale without first getting your visitors’ and customers’ consent. If you don’t get their consent first, you’re violating your own privacy policy, which could get you into legal trouble with the FTC, your visitors and your customers.

    You could send notice to your entire database asking for permission to sell or transfer their information to the new owners. However, you may not get a positive response to such a request.

  4. Letting Your Guard Down After Your Company Files for Bankruptcy

    Your users’ privacy doesn’t go out the window just because your company goes out of business. Few business owners consider the privacy obligations that still apply if their companies go bankrupt.

    For a company that thrives on information, a database of customers’ emails and personal information is a valuable asset that can easily be sold. Many business owners think that once their company files for bankruptcy, their customers’ information can be auctioned off to the highest bidder. Not true. Unless stipulated in the company’s privacy policy, or unless notice was given to customers giving them the option to delete their information before the information is sold, doing so violates the FTC Act and subjects the owner to legal action.

    Again, you could send notice to visitors and customers asking for permission to sell their information, but most people value their personal information and will say no. In any event, at this point, the FTC prefers that you simply destroy your customers’ information.

  5. Changing Information in Your Privacy Policy

    Changing a website privacy policy is a common practice. However, it’s often done without considering the legal obligations. Many privacy policies include a provision like this:

    We reserve the right to change our privacy policy at any time. We encourage you to review our privacy policy when you visit our website. We will post revisions to this policy on our website’s home page or in another obvious position, and the revision shall be effective immediately on such posting. You agree to review our privacy policy posted on our website periodically to be aware of any revisions.

    A website owner might make significant changes to the website’s privacy policy, assuming that—because of the above provision—the change will affect all past visitors and customers.

    Well, it’s a convenient assumption, but the law doesn’t work that way. Your privacy policy is an agreement with your visitors and customers, and you’re required to comply with it. If you want to make changes in the way you use visitors’ and customers’ personal information, and you want those changes to apply to past visitors and customers, you need to notify them first. You’ll need to contact them by email or a physical mail delivery service, and tell them of the changes to your privacy policy—thereby giving them the chance to accept or opt out of the changes.

    Think about the notifications you get from companies explaining the changes to their privacy policies or terms and conditions. They notify you because they’re legally required to do so if they want the changes to apply to past customers. Most, though not all, of the same privacy laws and legal requirements apply to you when you operate your website or blog.

Other Things to Consider When Developing Your Privacy Policy

Google Requires You to Have Specific Provisions in Your Privacy Policy

Google and other major online companies require that you have specific disclosures in your privacy policy to comply with their terms of service. If you’re using Google Analytics, AdSense and certain AdWords advertising features on or for your website, you’re required to have specific disclosures in your privacy policy explaining the use of these services. Otherwise, you’ll be violating their terms of service.

Here’s a privacy provision that’s required if you’re using Google Analytics:

You will have and abide by an appropriate Privacy Policy and will comply with all applicable laws, policies, and regulations relating to the collection of information from Visitors. You must post a Privacy Policy that includes providing notice of your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data. You will use commercially reasonable efforts to ensure that a Visitor is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the Visitor’s device where such activity occurs in connection with the Service and where providing such information and obtaining such consent is required by law.

The above requirement is for Analytics only. Google has additional privacy requirements for its AdSense and AdWords programs.

Global Privacy Laws

Since websites are reachable worldwide, you’re obligated to comply with the privacy laws of the countries where your website is accessible to visitors and customers, even if you don’t live or do business there.

As an example: if you do business in the United States, you’re required to comply with the privacy laws of the United Kingdom, European Union, Australia, Canada and other countries that have privacy laws if visitors and customers in those countries can access and use your website.

Mobile Apps

The privacy laws that affect website owners also affect mobile app sellers. In the United States, the FTC and the state of California are paying special attention to mobile app sellers, because of the capabilities of some mobile apps to gather data without the knowledge of the app user.

The FTC has also commented that many of the mobile app privacy policies are in hard-to-find areas of the mobile app and the app developer’s website. Both the FTC and the state of California have filed suit against numerous app sellers for privacy violations.

Posting Your Privacy Policy: The “Clear and Conspicuous” Requirement

Your privacy policy is required by law to be posted on your website in a “clear and conspicuous” place that’s obvious to your visitors and customers. Ideally, this is on your navigation bar, so that it shows throughout all pages on your site and above the fold of the page. (Avoid putting the link to your privacy policy in the footer of your page.)

Also, the link to your privacy policy should be displayed at a size at least as large as the surrounding text and links—though, preferably, it should be larger and in a contrasting color.

Some Final Thoughts on Avoiding Legal Problems

I’ll conclude this article with the following pointers.

Read Your Privacy Policy

You’re posting an important document on your website; you should understand what it says. Are there any promises or guarantees that you might not be able to comply with? If so, don’t leave these in your privacy policy unless it’s a legal requirement. If you’re unsure or confused, get some good legal advice.

Don’t Use Free Privacy Policies

In our review of free privacy policies being offered on the Internet, we found that not one was in compliance with laws governing website privacy policies. Many contained provisions that could get you into legal trouble. An attorney-drafted website privacy policy is inexpensive insurance when running an online business. Buy one; it’s worth it. provides an attorney-drafted privacy policy to comply with the new laws and regulations.

Choose Your Attorney Carefully

Generally speaking, the average attorney has little experience with Internet law and privacy requirements. Make sure you have a privacy policy that was drafted by an experienced Internet attorney.