Website Policies
Most businesses have websites. While the online movement is not a new phenomenon, many businesses are increasingly relying on their websites as a convenient tool to market, interact with current or potential customers, and transact business. However, as businesses continue to integrate into the online realm, it is imperative that they monitor their websites to ensure compliance with the evolving legal landscape.
Which policies a company should implement for its website depends on several factors, including the company’s industry, geographical location, offerings on its website, and the types of data it collects. However, as a general rule, companies should implement a Terms of Use and a Privacy Policy.
Terms of Use
Although not required by law, Terms of Use (also referred to as Terms and Conditions or Terms of Service) are highly recommended. Terms of Use set forth the rules and guidelines for the use of a business’s website and create a legally binding contract between a business and the end users. Visitors of the website must agree to the Terms of Use to use the website. And, like any contract, Terms of Use can reduce liability by dictating the manner in which people may use the website, the warranties or promises it might give rise to, and the manner in which disputes may be remedied.
Terms of Use typically cover items such as: (i) user rights and responsibilities; (ii) proper or expected usage of the website and potential misuse; (iii) accountability for online actions, behavior, and conduct; (iv) a privacy policy outlining the use of personal data; (v) payment details such as membership or subscription fees; (vi) an opt-out policy describing a procedure for account termination; (vii) disclaimer and limitation of liability provisions clarifying the website’s legal liability for damages incurred by users; and (viii) a procedure for user notification upon modification of terms.
Privacy Policy
If a business collects or uses any personal information from the users of its website, it must have a Privacy Policy in place. Personal information includes data such as customer names, email addresses, birthdays, credit card information, mailing addresses, and phone numbers. Various state and federal laws regulate what must be disclosed in a Privacy Policy depending on the type of business conducted through the website and the type of information collected. For example, certain industries such as education, healthcare, and financial services have more stringent privacy requirements. Certain states, such as California, provide end users a “right to know” and a “right to request deletion,” under which end users can contact a company to request a copy of all data collected and/or request that the company delete any personal information collected.
In general, a Privacy Policy should include:
- The specific type of personal information the company collects;
- How the company collects the personal information;
- Whether the company shares the collected personal information and, if so, to whom the personal information is disclosed; and
- How the company manages and protects the personal information it collects.
When developing a new Privacy Policy or updating an existing policy, a company should begin by identifying how the company collects and uses personal information and what type of personal information is collected. The Privacy Policy must accurately reflect the company’s actual practices – in other words, “say what you do, and do what you say.”
Because of the evolving legal issues involved, we recommend companies review their website policies every 12 months to ensure compliance. If you have questions about your company’s website or are in the process of creating a new website, please contact the author or a member of Barrett McNagny’s business practice group.