
Drafting Website Privacy Policies and Terms of Use

By: STEVEN E. HELLAND

January 2004, Updated July, 2004

Including well-crafted Terms of Use and a Privacy Policy within a website provides useful protections and rights for website operators. Unfortunately, many adopt ill-fitting Terms of Use or Privacy Policies, often copied off other websites or donated by a website developer. These may be inaccurate, fail to protect against liability, and actually create liability for the website operator.

The most famous case on point is Toysmart, in which the Federal Trade Commission (FTC) brought an action to prohibit the bankrupt toy vendor Toysmart.com from selling its customer database. Toysmart had, in its Privacy Policy, promised customers that it would “never” share customer information with third parties. The FTC argued that a sale of the database would violate this promise, and would constitute an unfair and deceptive trade practice prohibited by law. Ultimately, Toysmart wound up destroying its customer data.

In the wake of Toysmart, Terms of Use and Privacy Policies are being scrutinized as a routine element of corporate due diligence prior to mergers and acquisitions. As a result of such investigations uncovering flawed Privacy Policies, Fredrikson & Byron clients have required sellers to accept a substantially reduced purchase price for the assets being sold.

DRAFTING A PRIVACY POLICY

The first question website operators should ask is whether they want or need a Privacy Policy.

Contrary to popular belief, most U.S. businesses are not legally required to adopt a Privacy Policy unless:

  1. the website operator is an entity covered by the Health Insurance Portability and Accountability Act (HIPAA);
  2. the website operator is an entity covered by the Gramm-Leach-Bliley Act (financial institution);
  3. the website collects personal information, such as a name or email address, from children under 13, or is directed towards children under 13;
  4. the website operator is applying for Safe Harbor status under the European Union Data Privacy Directive;
  5. the website operator desires a “privacy certificate” from organizations such as TRUSTe or the Better Business Bureau; or
  6. the website collects personal information from website visitors who reside in California.

The advantage of not adopting a Privacy Policy is that the website operator can freely collect and use information from its visitors (e.g., to market additional goods or services, or provide the information to other businesses).

If you adopt a Privacy Policy, the cardinal rule is: Obey your own Privacy Policy. The corollary rule is: Don’t make promises you can’t keep or won’t want to keep.

For example, many clients are tempted to promise that they will not share information with any third party. This promise is almost always false and undesirable. If a website operator contracts with IT consultants to operate or maintain the website, for example, those consultants will likely have access to visitor information. Similarly, if a website visitor makes a purchase with a credit card, the website operator will have to turn over billing information to the credit card company, thereby violating the Privacy Policy.

A well-crafted Privacy Policy will:

  1. describe what information is collected;
  2. describe how this information is or may be used, now or in the future;
  3. describe with whom this information may be shared;
  4. if the website visitor is permitted to view or update his or her data, describe how;
  5. provide a mechanism (e.g., email or telephone) for website visitors to communicate with the website operator about privacy issues; and
  6. include any specific items required by a particular law or unique circumstances.

In most cases, a Privacy Policy should grant the website operator significant freedom to use visitor information as desired. For example, rather than promise that information will never be shared with third parties, a Privacy Policy could state: “Visitor information will be used or shared for the purpose of providing the visitor with any requested information, goods, or services; may be used by the business to send information about additional goods or services; may be shared with or sold to any successor to or purchaser of part or all of the assets of the business; and may be shared with third parties that the website operator believes may offer goods or services of interest to the visitor.”

Finally, website operators should provide some kind of notice to website visitors that they have changed or intend to change their Privacy Policy. In July 2004, the FTC announced it had brought charges against Gateway Learning, alleging an "unfair trade practice," for changing its Privacy Policy without providing notice or obtaining consent from past website visitors.

TERMS OF USE

Posting Terms of Use is almost always in the best interests of a website operator. Unlike a Privacy Policy, which mainly describes promises by the website operator to website visitors, Terms of Use list terms and conditions that protect the website operator.

Useful items to include in Terms of Use:

  • A disclaimer of warranties, and statement that the website is provided as-is.
  • A Limit of Liability clause.
  • A statement that all copyrights are owned by the website operator and that the visitor may make a copy only for personal use and must include all copyright and trademark markings included on the webpage.
  • A choice of law and venue clause stating that any dispute will be litigated in the home state of the website operator.
  • A prohibition against interfering with the website or using it for an illegal or improper purpose.
  • A statement that the Terms of Use and Privacy Policy may change at any time.
  • A statement that use of the website constitutes consent to the Terms of Use and Privacy Policy.

In some cases, courts have refused to enforce Terms of Use that were merely posted on a website. A stronger method of obtaining consent, if desired, is to require visitors to click an “I AGREE” or similar button, posted along with the Terms of Use and Privacy Policy, in order to access the website.

Creative Commons License

This work is licensed under the Creative Commons Attribution-NoDerivs License. View a copy of this license, or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.