Website Compliance

October 12, 2022

Lyzz Leise & Sami Segelke

Privacy Policy

A privacy policy describes how a company or website collects, handles, and processes the data of its customers and visitors. Is a privacy policy legally required? It depends. There is not a comprehensive privacy law that governs all companies; however, there are certain state and international laws that require companies to include a privacy policy on their website that explains their data-handling practices. More and more states are working to pass consumer privacy protection laws, so companies will likely be required to have a privacy policy in the near future even if they are not currently required to do so. Additionally, if a company uses certain analytics tools or advertising platforms, it may be contractually required to have a privacy policy. A privacy policy should be specific to each company rather than a standard form. If companies do not have a privacy policy when they are legally required to have one, they could face a significant fine or expensive litigation.

Terms of Service

A Terms of Service defines the way in which the individual user may use the website. Terms of Service is also known as Terms of Use or Terms and Conditions. Is a Terms of Service legally required? It depends. Certain laws may require certain Terms of Service. That said, the risk of not having a Terms of Service can be severe. If a website does not have a Terms of Service, it is a lot harder to mitigate liability or effectively protect your rights. Terms of Service allows the website owner to define permitted conduct for their website, better protect their intellectual property rights, require arbitration or mediation in the event of a dispute, and set the governing jurisdiction for any dispute through a choice of law clause.

Europe’s Privacy Laws

European residents have even more protections under the General Data Protection Regulation (the “GDPR”). Under the GDPR, companies that collect and manage personal data are obligated to protect it from misuse and exploitation, as well as respect the rights of data owners. The GDPR applies to any company within the EU, as well as any company outside of the EU which offers goods or services (free or paid) to customers or businesses in the EU or monitors EU residents’ behavior. Companies that do not comply with the GDPR face substantial fines and potential litigation.

California’s Privacy Laws 

Certain states have stricter privacy laws. California has one of the strictest privacy laws: the California Consumer Privacy Act (the “CCPA”). The CCPA applies to any company that meets one or more of the following thresholds:

  1. Has annual gross revenues of more than $25 million; 
  2. Buys or sells, or receives or shares for a commercial purpose, the personal information of 50,000 or more California residents; or
  3. Derives 50% or more of annual revenues from selling personal information.

Under the CCPA, “selling” means releasing, disclosing, transferring, communicating, etc. If you are disclosing this information to any third-party company (even for marketing purposes), that likely constitutes “selling” under the CCPA.

Other States’ Privacy Laws

State-level momentum for privacy bills is at an all-time high. In addition to California, four more states passed and signed privacy laws that will be effective in 2023: Colorado, Connecticut, Virginia, and Utah. Moreover, four other states have active privacy bills in committee. Below is a map of the privacy laws as of August 2022.

Key Takeaways

It is important to talk to your legal counsel about 1) whether your company needs a Privacy Policy, Terms of Service, and/or some other internet policy, and 2) if you must comply with the CCPA and the GDPR. It is also important to stay up to date on state privacy law developments. Although some state legislation isn’t effective until 2023, it may be necessary to take some precautionary steps now. Please contact us if you have questions or concerns or would like to discuss developing a Privacy Policy, Terms of Service or other internet policy for you or your business.