Introduction to the Concept of Privacy
“The following is for informational purposes and is not legal advice. Please contact a lawyer or other legal professional for advice on your own Privacy Policy.”
In the United States, the idea of privacy began with the Bill of Rights in the Constitution in 1789 through the 1st, 3rd, 4th, and 5th Amendments. Though at this time, privacy was considered to apply to the body and home (unreasonable search and seizure). A little over a hundred years later, in 1890, the right to privacy was stated in an essay by Justice Louis Brandeis. However, towards the end of the 19th century, as compared to today, the information that could be gathered on an individual was a mere trickle. Today, much more data can be collected in a short time and hence the need for website privacy policies.
Privacy, as it applies to the internet and websites, is the right to be able to have control over how your personal information is collected and used. As time and technology progress, more and more personal information is being collected and in some cases search engines and social media know more about you than you may know about yourself. Although what constitutes privacy varies by culture and tradition around the world, it is generally considered by most to be a fundamental human right. As a website owner or designer you have to deal with this right and manage it such that nobody’s individual right is violated.
Enter the Privacy Policy
In today’s world, since your personal data is used by search engines, social media sites and others to make enormous profits, a privacy policy is needed. Users of your website want to be able to know how their data will be used and whether it is being sold to third-parties. In some cases (actually most), website owners are legally required to disclose how the information collected is being used by the website and by third-parties. In addition there needs to be a mechanism to give users an option to opt-out of the data collection.
In the European Union, these requirements are uniformly enforced through the General Data Protection Regulation (GDPR), which was passed by the European Union in 2016 and became effective in April 14, 2016. Other countries have something similar, albeit under a different name, e.g. Australian Privacy Principles, Act on the Protection of Personal Information (Japan), and so on. There is no federal policy on privacy in the United States and instead there is a patchwork of state laws, each with its own requirements, but all roughly following the GDPR of Europe. Even though there is no federal policy, generally the Federal Trade Commission (FTC) is in charge of enforcing that websites follow the privacy policies they have.
Regulations Regarding Privacy Policies
United States (Federal Government)
As stated in the previous section, the United States, does not have a uniform policy that applies to all data types. Note the Privacy Act of 1974 applies only to Federal Agencies. Instead, the United States has a mixture of laws, each of which, cover a narrow subsection of data. In part, these laws apply to website data. In some cases, even while dealing with data, they do not cover data privacy in all forms. One example is the Health Insurance Portability and Accountability Act (HIPAA), which covers communication of medical data, but not the collection of it or that which is collected electronically. Other alphabet soup laws dealing with data include the Fair Credit Reporting Act (FRCA), which covers credit reports, the Family Educational Rights and Privacy Act (FERPA), covering student records, and the Gramm-Leach-Bliley Act (GLBA) that covers consumer financial products. GLBA also requires companies to disclose how they use data but does not restrict it in way, such as an opt-in as in GDPR.
If your website, caters to children less than 13 years old, the Children’s Online Privacy Protection Act (COPPA) comes into play. This federal act puts limits on the collection of data from children. However, on a state level, the Delaware Online Privacy and Protection Act (DOPPA), expanded the age to those who are 18 years of age or below (see below).
The Federal Trade Commission Act (FTC Act) allows the FTC to enforce the privacy policies of websites and apps, making sure that what they state they ae doing is what they are actually doing.
State Laws in the United States
The state governments of the United States are a lot more proactive and more specific in dealing with privacy policies regarding the collection and use of data. Most follow the GDPR of Europe or something very similar. However, Delaware, passed the Delaware Online Privacy and Protection Act (DOPPA) in January 1, 2016, predating GDPR and before California. California soon followed with the passage of the California Online Privacy Protection Act of 2018 and was later amended by the California Privacy Rights Act (CPRA) in 2020. Likely because of its size and the fact that most of the companies involved are actually located in California, the CPRA is often cited as the leader in website privacy protection and is generally when privacy policies in the United States became noticed. Since this time there have numerous other states who have passed their own privacy laws.
As stated above, most of the state laws follow the GDPR protections from the European Union. Some states, namely Virginia and Colorado, hav trigger points such as a specific number of users (usually >25,000) of the website, above which the laws come into effect. Others expand on previous laws such as raising the age of children who are protected by the regulations (DOPPA in Delaware from age 13 to 18). While all of the states laws only apply to the citizens of those states, in today’s internet world, it is hard to allow the information on your website to just go one state and not another and the same with data collection. This same logic applies to countries as well since the internet is “worldwide.”
As an example, besides my web design website, silphiumdesign.com, I also have a Bed & Breakfast website, mcmullenhouse.com. The Bed & Breakfast has had visitors from a multitude of states from around the United States and countries in Europe and around the world. This means that I have conducted business with the citizens of all of these states and with citizens of the European Union, namely France and Italy. Because of these facts, my website has to compliant with GDPR. By extension, since a lot of the state laws draw from GDPR, if I am compliant with GDPR, I am also likely compliant with the state laws as well.
What does a Privacy Policy Include?
Essentially, if you own a website, you need a privacy policy. Some sites say that you need a policy under XYZ conditions, but in today’s connected world, the exceptions are so few and are becoming fewer by the day that they are practically nil. Privacy policies should cover the following:
- Identify information collected by your website.
- Allow users an opportunity to opt-in or out of the collection of their data and the ability to review or change the data.
- Describe how users will be notified of changes in your Privacy Policy.
- List all third-parties that use the data collected by your site and generally involves analytics data.
- Includes the date at which the policy became effective.
What are the Central Tenets of a Privacy Policy?
In most places there are generally three central tenets that are covered by a privacy policy. These include:
- Personally Identifiable Data such as that collected by website analytics, a contact page, email marketing sign-up or similar.
- Advertising and Marketing to Children
- The ability of users to opt-in or opt-out of data collection, which appears on websites as a cookie notice when first visiting a site.
Personally Identifiable Data (PII)
When a user visits your website there is a data trail left that shows that often shows the Internet Protocol (IP) address, which are unique to each computer, and the time of the visit. IP addresses can be collected by analytics programs such as Google or Matomo and by security software. Analytics programs can also gather information such as the users location, demographics, and more. If a user contacts you through a contact page subscribes to an email newsletter they provide information (the data) about the themselves. Other forms of privacy concerns relate to the use of accessibility overlays, which, if used, can show if a user needs assistance or not and can be a form of data that when joined to other to other information collected can be something they do not want publicly known.
Google, through its analytics program and other social media sites, collects reams of data on users and in order to get it they provide the analytics data free to you. In a sense, you are mining the data of your users for free so Google can then make money off your users through ads and algorithms. If you are using Google Analytics, it needs to be stated in your privacy policy as well as the types of data being collected and how it is being used by the website and by third-parties. Having a privacy policy, even though legally required, can help the reputation of your business and show that you care and respect the privacy of your customers and users. It is so important that Google, Amazon, and other third parties you may advertise or be affiliated with require your website to have a privacy policy stating:
“You must post a Privacy Policy and that Privacy Policy must provide notice of your use of cookies, identifiers for mobile devices or similar technology used to collect data. You must disclose the use of Google Analytics and show how it collects and processes data.”
Some websites use Google Analytics alternatives that allow the data collected to be stored directly on your server. In so doing, it allows more control over the data and does not allow third-parties to use the data. Some of these providers include Matomo, Independent Analytics, Koko Analytics, and Plausible Analytics. Even if you use one of these alternatives you still need a privacy policy, however, it is easier.
Even if you do not collect information, such as having a purely informational website, and use a privacy friendly analytics provider such as Matomo or Koko Analytics it still recommended to have a privacy policy. While you may not have a contact form, your security software may still collect information and your CMS, via the cPanel will also have some data.
Advertising and Marketing to Children
Privacy policies should tell whether or not the website markets to children being cognizant that this applies to those less than 18 years old.
Ability to Opt-in or Opt-out of Data Collection
A lot of websites employ the use of cookies in order to collect user information and to provide notification of a revisit at a future date. If a website is being responsible and is following GDPR or some of the state regulations, there will be a cookie notice allowing the user to accept the terms of data collection, modify the collection of data, or opt-out entirely. Currently the use of cookies is being phased out and other techniques are being used.
What can you Do to Protect your Users Privacy?
As stated above, most of the data collected by your site, is through the use of analytics. Choosing a an analytics solution that keeps the information entirely on your server, of which Matomo Analytics is largest solution, is a good start in protecting user information. The contact form and email marketing sign-ups are other sources of user information and can be kept entirely on your server depending on the solution used. Besides these, it helps to be aware of all of the processes happening on the website by which data may be collected. Some that come to mind include security plugins, the cPanel, and others depending on your site.
