- Is your website an information-only site? Is reading the site the only way for users to interact with it?
- Can users register for an account on your website? Can they submit their email address to receive updates?
- Do you have a shopping cart or a donation platform?
- Do you or your website host track visitors to the website, whether automatically or intentionally?
While virtually all websites collect information about visitors, even if the visitors are not identified by name or contact information, certain states create a higher bar of disclosure for sites that collect particularly sensitive information. Connecticut law, for example, requires any person who collects Social Security numbers in the course of business to create a privacy protection policy that must be “publicly displayed” on a Web page and must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers (Conn. Gen. Stat. § 42-471). Companies involved in highly regulated industries such as academia, health care, or the financial industry may also have stringent federal or state requirements that must be disclosed in privacy policies and other places, both online and offline.
Privacy policies should also govern third-party access to personal information. California and Utah require all nonfinancial businesses to disclose to customers, in writing or by electronic mail, the types of personal information the business shares with or sells to a third party for direct marketing purposes or for compensation (Cal. Civil Code §§ 1798.83 to .84 and Utah Code §§ 13-37-101, -102, -201, -202, -203). Under the California law, businesses may post a privacy statement that gives customers the opportunity, at no cost, to choose not to share information. California also requires the website operator to disclose whether third parties are or may be conducting any tracking activities on the operator’s site or service (Cal. Bus. & Prof. Code § 22575).
Obtaining user consent to privacy policies