You Check the Date on Your Milk Carton…But When Did You Last Check the Date on Your Website Policies?

Businesses attract and transact business through their websites. Those websites, in their terms and conditions, prescribe the rules by which customers and/or potential customers can engage with those businesses online. However, what many businesses forget is that such terms – and in particular the privacy policies – posted on their websites also prescribe the terms by which the businesses must engage with their site visitors.

Many businesses established their websites years ago, posted terms and conditions, and then began operations. Businesses update their sites’ content, their offerings, and their services. However, many companies neglect to review and, as necessary, update the privacy policies posted on their websites. And if a business’ privacy policy says, “we use best efforts to protect your personal information,” but the business’ actual practices do not meet this self-set standard, the discrepancy may be deemed a deceptive trade practice by the FTC. And to be clear, a privacy policy that states “we do not protect your personal information”, which may be true, is also not acceptable: inadequate protection (even if disclosed) may also give rise to investigation – and potentially more – by the FTC.

Privacy policies should be clear as to what personally identifiable information is gathered, why it is gathered, how it is maintained, and for how long it is maintained. If a company determines to use personal information for a new purpose, such determination should be coupled with an update to the privacy policy. And of course, with more jurisdictions requiring affirmative consent before personally identifiable information is gathered, consideration must be given to the jurisdictions from which you are drawing visitors to your site. If information gathered will be shared with a third party, disclosures in this regard should also be made.

As with all other privacy and security practices, your website terms of use and privacy terms should be reviewed to ensure they are consistent with the reality of what your business is doing. This review process should not be a “one and done” activity; instead, such policies should be reviewed annually to ensure that you do “as advertised” by your own stated terms.

Attorneys in CSG’s Information Security and Media and Technology Practice Groups can work with your business to audit its privacy policies (internal and external) to assess whether the business is following applicable laws and accepted standards, and, as appropriate, to develop and/or update those policies to avoid unnecessary risk and exposure.
