Privacy Policies and Terms and Conditions

Businesses that collect consumers’ personal information online are subject to a host of laws that require disclosure of what data is collected and how it is used. These rules vary and can cause confusion for websites, online service providers, and consumers. However, the trend in recent years is to impose stricter requirements as federal, state, and international governments face increasing consumer complaints about misleading business practices and privacy concerns. 

What Is a Privacy Policy?

Privacy policies explain how a company will use the information gathered from those who visit the company’s website. Generally, privacy policies disclose the types of personal information collected and how the data will be stored, shared, and protected. Policies are published on the website so that visitors can view them at any time.

Legally, a business that collects personal information—including names, email addresses, phone numbers, and credit card numbers—from website visitors must have a privacy policy under federal, state, and in many cases, international laws. In addition, some third-party service providers require that websites using their services have a privacy policy.

Federal Consumer Protection Laws

Various federal laws protect consumers from privacy law violations in certain circumstances. In addition, the Federal Trade Commission can step in where privacy policies are misleading or false. Some of the laws that may apply include:

  • Gramm-Leach-Bliley Act (GLB Act). Financial institutions must provide “clear, conspicuous and accurate statements” about what information they collect and how it is shared and protected.
  • Children’s Online Privacy Protection Act (COPPA). This law requires websites and online services that collect, use or disclose personal information from children to have a privacy policy. The policy must clearly disclose specified information and give parents the right to review or have deleted the child’s personal information and refuse to permit its further collection or use.
  • Health Insurance Portability and Accountability Act (HIPAA). This law requires that consumers receive written notice regarding the privacy practices of health care services, electronic and otherwise.
  • Unfair and deceptive trade practices. The Federal Trade Commission (FTC) has the authority to bring an action against a company for deceptive trade practices. A business that makes false or misleading statements or omissions about privacy or data security or violates the terms of its own privacy policy can be found liable for deception. While the FTC does not require businesses to use specific language in their privacy policies, it has issued recommendations for businesses to make their privacy policies more readable for consumers.

Information to Include in a Privacy Policy

Businesses should always check whether they are subject to certain laws requiring specific information in their privacy policy. Absent that, there are best practices regarding what to include. Generally, a privacy policy should explain the following:

  • Types of personal data collected
  • How the data will be shared and with whom
  • The purpose for collecting the data
  • The process for opting out of data collection
  • Data security measures
  • Use of cookies
  • Relevant contact information for the business regarding its privacy policy

A privacy policy must be tailored to the business and disclose how the business actually collects, shares, and protects information. As noted previously, a company that fails to follow its own policy or is misleading about its practices is subject to liability.

How Do Terms and Conditions Differ from Privacy Policies?

Terms and conditions, also known as terms of service, describe what a user must agree to prior to entering into a transaction with the provider of the product or service. Generally, a website’s terms and conditions page is a legally binding contract (otherwise known as a “click-wrap” agreement), which a user can accept with the click of a button. It is typically presented right before a person downloads an app or software or accesses a protected website.

Purpose of Terms and Conditions

The purpose of terms and conditions is to establish the business relationship between the user and the business. Businesses want to protect their products and services from unauthorized use, minimize disputes, and limit their liability resulting from problems users may have. Terms and conditions are distinct from privacy policies, although they may reference each other. It is important to have both because they serve different purposes. However, they are similar in that companies may be held liable for any false or misleading representations or for failing to abide by their own policies.

Information to Include in Terms and Conditions

The terms and conditions must be tailored to the business, but typical provisions include the following:

  • Permitted uses of the information. This explains how users can use the product or services and the consequences of violations.
  • Disclaimers and limitations of liability. The business will generally exclude or limit recovery for damages arising from use of the product or service.
  • Refund and cancellation policy. The rules governing these policies should be stated in detail.
  • Payment terms. How renewals and late payments will be handled should be specified.
  • Access to information on a user’s other accounts or devices. The business must disclose if it needs to access the user’s social media accounts, contacts, or other personal information, and users must agree to this.
  • Dispute resolution. In the event of a dispute, businesses could require the use of arbitration and specify which jurisdiction’s law applies and the choice of venue.

Why Should You Consult an Attorney?

Both privacy policies and terms and conditions must be uniquely tailored to the operations of the business. In the context of privacy policies, there are numerous laws that may apply depending on the nature of the business, what information is collected and from whom, and where the business operates. These rules are confusing, and the consequences of noncompliance can be significant. It is important for companies to make sure they comply with their own policies. Additionally, as companies change their business model or operations, or work with new third parties or technology, their risks may change, and thus it is important to discuss those issues with an attorney.

While terms and conditions are generally enforceable, they can be contested on various grounds, including fraud, unconscionability, and other issues that apply to unilateral non-negotiable form contracts.

To avoid liability relating to their privacy policies and terms and conditions, businesses should consult an attorney.