
Privacy Policy 101

Kinetic Law LLC


The massive data breach at the big box retailer Target that happened in late 2013 has focused a great deal of attention on privacy issues. Just this month, Target’s CEO lost his job as a result of that data breach and how it was handled. While Target’s data breach was caused by someone hacking into Target’s in-store point-of-sale systems, the incident has implications for anyone operating a website or a web-based business. If you or your company operates a website, you need to understand and deal with these same privacy issues. You will need to have a privacy policy, either separately or as part of your terms of service. The kind of website you operate will dictate how detailed and extensive your privacy policy needs to be. For example, a simple blog where you write about your interest in Venezuelan cuisine will probably need a much simpler policy than an e-commerce website or a gaming website.

Whatever kind of website you operate, you want your privacy policy to do three things. First, you need to notify visitors as to the kinds of personal information you will be collecting. Second, you need to notify visitors as to how that information will be used. Third, you should inform visitors as to how they can opt out of the collection and use of any personal information.

There are two basic types of information a website can collect. The first type is aggregate information. This is the kind of information websites collect when the user isn’t registered or logged in, and his or her identity isn’t known. It is essentially anonymous information, and includes things like IP addresses and cookie information. IP addresses are numbered based on location, so by collecting IP addresses, a website operator can tell that a user may be from California, or Ohio, or New York. Cookies, which are small pieces of code left on a user’s computer, can tell the website operator where a visitor goes next. If the website operator collects enough aggregate information, it can use data mining to fine-tune advertising and promotions that appear on its site. Even though aggregate information is anonymous, a website operator must disclose that it collects such information. In addition, the operator must give visitors an option to switch off cookies, although the website can still tell visitors that switching off cookies might cause an inferior user experience. The website operator also should disclose how aggregate information might be shared with third parties – for example, Amazon.com for mobile apps and various analytics companies.

The second type of information a website can collect is personally identifiable information. This might include a visitor’s name, address, e-mail address, age, credit card number, social security number, and other information that a visitor provides when he or she registers or logs in. The website operator must disclose the nature of personally identifiable information collected, and the kinds of uses to which it is put. It is also advisable to discuss how such information is safeguarded (although not in such detail as might compromise the safeguards).

Privacy issues are particularly important when it comes to children. There is a federal law, the Children’s Online Privacy Protection Act (or COPPA), which applies directly to this area. COPPA prohibits the collection of information from children under the age of 13 without parental consent. If you operate a website targeted at children – for example, an educational website or a game website – you will want to ensure that your website complies with COPPA. Even if your website doesn’t target minors, you may want to include a provision in your terms of service that all users must be 18 years of age or older.

Once you start collecting information, whether it is aggregate information or personally identifiable information, you need to safeguard that information. If there is a data breach, you may need to report the data breach to various state agencies. Since each state has different requirements, this can be an expensive proposition. When companies do suffer a data breach, they frequently offer their customers an identity theft protection service, free of charge, for a period of time. This can be quite expensive for companies, too. As the Target data breach has shown, however, failing to deal with data breaches in a straightforward, diligent way can have serious consequences for the business in terms of loss of customers, management turnover, and possible exposure to lawsuits.

Follow me on Twitter @PaulHSpitz


Kinetic Law LLC

Formerly Law Office of Paul H. Spitz 

810 Sycamore Street, 5th Floor,
Cincinnati, OH 45202

t: (513) 450-9010
e: info@kinetic-law.com


Copyright © 2024