Running a website or blog? You’d better have a Privacy Policy

Every website operator (including bloggers) should have a privacy policy in place to protect him/herself, and to clearly define the relationship with the website’s visitors, customers and others. Without a carefully crafted privacy policy, a site operator can be exposed to significant liability. Unfortunately, not all privacy policies are created equal, and simply cutting-and-pasting from another site is risky business.


A privacy policy is a legal notice given by the operator of a website to provide information about the operator’s use of personally identifiable  information gathered from/about the site’s visitors.

Although there’s no specific federal statute governing the establishment of privacy policies, a number of states have implemented statutory and/or regulatory approaches to the gathering, use and dissemination of personally identifiable information.  Moreover, the FTC has pursued action against website operators for unauthorized use of personally identifiable information about their site’s users.


Personally identifiable information is data collected  online about a particular site visitor, user, customer, etc., and frequently includes  that person’s name, address, email address, phone number, social security number, and other information that allows either online or direct physical contact with the user.


One fairly strict state law addressing the gathering and use of personally identifiable information is the California Online Privacy Protection Act (Cal. Bus. & Prof. Code, Section 22575, et seq.), which requires any commercial website that collects personally identifiable information about a California resident to (conspicuously) post its privacy policy on the site. The required privacy policy must set forth the specific information collected and how it will be used or shared. Failure to comply with the OPPA can expose the site owner to civil liability under the state’s Unfair Business Practices laws.


A good rule of thumb for a site operator is to be somewhat over-inclusive, but not so general or broad as to render the privacy policy meaningless. A good privacy policy states: (a) the types of personal information collected; (b) how it will be used, stored, disclosed to others, etc.; (c) whether cookies or other site-related materials are exchanged with the user’s computer; (d) how the site user can opt out, so their information isn’t used or exchanged; (e) whether information gathered is secured in any way, and how; and (f) how a user may review and correct the information collected.

It should also be noted that when a site serves children, the site operator must obtain verified parental consent for the collection and use of a child’s information (required under the Federal Children’s Online Privacy Protection Act).


Of course, merely having a privacy policy posted on the site isn’t enough.  A site operator must also abide by its policy.  Failure to do so may result in claims that the policy amounts to disinformation, or misrepresentation.

Another point of concern arises when a privacy policy is changed.  Since the idea behind a privacy policy is ‘informed consent’, it’s important that changes be brought to users’ attention, and consent obtained again following any material change to the policy.

The advice of an experienced entertainment or intellectual property attorney  is important when crafting your site’s privacy policy.  My office can help.  Call us for a free consultation.

2 Responses to Running a website or blog? You’d better have a Privacy Policy

  1. Good question, Taryn.

    The Canon of Ethics for Attorneys imposes a duty of confidentiality that doesn’t require any separate agreement. Confidential information disclosed to a lawyer must be kept confidential by the lawyer, unless the client authorizes its disclosure to others.

    There’s some debate among lawyers as to precisely which information about a client is confidential, and which is not.

    Basic Identifying information is probably NOT confidential in most circumstances, but specifics about a client’s business, background, activities, relationships, etc. probably ARE to be kept confidential.

    Attorneys who blog should be careful NOT to talk specifically about their clients without the client’s consent.

  2. Hello! I’ve really enjoyed reading your articles, they’ve been very informative and a fantastic source for those interested in entertainment law. I do have a question regarding the Canon of Ethics based on your entry on blogging today – if an attorney were to divulge personal information about his/her clients to the public through a blog, what kind of repercussions could be taken? Would a confidentiality agreement be in place to prevent this type of disclosure? Kind of a strange question I know, but I’m currently studying ethics and have really developed an interest in (ent. law).
    Thanks very much and have a great day!
