My previous post was regarding cybersecurity and some of the dangers lurking behind our widely-used “secure” technologies and authentication systems. A related issue is what you, as a business owner, chief technology officer or other data collector, must do to advise customers and other users of your website of your privacy policies and procedures – in short, how are you going to protect their identities, credit card information and other personal data you collect? This post will address what is legally required of you if you collect any sort of data, as well as the question of whether you need to implement Terms and Conditions. Hint: the answer is yes!
Many businesses are required by law to have a Privacy Policy posted conspicuously on their website. In California, the law requires “any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site.” California Online Privacy Prevention Act of 2003, Business & Professions Code §§ 22575-22579. In other words, if you are gathering the personal data of your website users, you must have a formal Privacy Policy.
The primary federal agency that regulates and implements rules and regulations related to data privacy is the Federal Trade Commission, but other federal and state laws and acts have provisions that impose requirements on certain persons and businesses. For example, the Americans With Disabilities Act, the Children’s Internet Protection Act of 2001, the Computer Fraud and Abuse Act of 1986, the Computer Security Act of 1997 and the Consumer Credit Reporting Control Act all contain provisions relating to data privacy. The bottom line is that you must know and comply with federal laws as well as the laws of your state.
Another thing you should strongly consider – implementing and posting Terms and Conditions, which may also be called Terms of Use. While not required by law (and undeniably the dullest page on your website), Terms and Conditions can limit your liability, set forth your security features, link to your Privacy Policy and define acceptable use of your site (for example, you can specifically prohibit certain “hacking” activities). Here is some sample language from a Terms of Use policy related to cybersecurity:
You agree not to misuse Acme Company’s services (“Services”) or help anyone else to do so. For example, you must not even try to do any of the following in connection with the Services:
breach or otherwise circumvent any security or authentication measures; or
violate the privacy or infringe the rights of others.
Terms and Conditions can and should be specialized to your unique business activities. In other words, copying one from another website, changing a few words and posting it is not the best means of implementing your Terms and Conditions.
In sum, cybersecurity and privacy are hot issues these days, and whether you are a business owner, chief technology officer or someone else in a position that requires you to deal with stored customer information, you have many duties in connection with protecting your customers’ information. If you have questions about cybersecurity or your compliance with privacy laws, or if you would like assistance drafting and implementing your Privacy Policy and/or Terms and Conditions, please contact me or one of our other attorneys at (805) 546-8785. The attorneys at Carmel & Naccasha have extensive experience in handling such matters and are happy to answer your questions and assist you.
The information provided herein does not, and is not intended to, constitute legal advice; instead all information, content, and materials are for general informational purposes only.
If you have any questions, please contact Carmel & Naccasha, and for more details, read our full disclaimer.