A customer asked me to create a Facebook ad that generates sales leads for her business. Because the ad collects personal information from sales prospects, Facebook requires the business owner to have a privacy policy that potential customers can view. My customer didn’t have one, and neither did the local real estate company she works with. When I requested that the real estate firm put a privacy policy on their site, their response was they didn’t need one.
But could they be wrong?
Yes, especially here in California. In 2004, California passed the California Online Privacy Protection Act (CalOPPA), the first U.S. law requiring commercial websites and mobile apps to post a privacy policy that informs users about how their personally identifiable information (PII) is collected and used. This law has been in effect for 14 years, yet very few commercial websites have privacy policies posted. Does yours?
What’s the penalty for not having a privacy policy on your commercial site?
If a company is notified, potentially by California’s Attorney General or the Federal Trade Commission, that they’re in violation of the CalOPPA law, they have 30 days to comply by publicly posting their privacy policy or they’ll be fined $2,500 per violation. That means each time a customer visits their company site while there’s no privacy policy in place, that visit counts as a violation. So a highly trafficked website could be hit with a huge penalty for not having a privacy policy publicly available.
It’s a good idea to have a privacy policy in place on any commercial website, but it’s especially important for sites that collect sales leads and customer info, like email addresses for mailing lists and credit card numbers for purchases. And the State of California isn’t the only entity requiring privacy policies – Facebook won’t run your lead-generating ads without a privacy policy posted on your commercial website, and Google won’t let you run AdSense advertisements on your site, use Google Analytics to analyze your website traffic, or place AdWords ads on Google search results without a privacy policy on your site.
What’s a cookie?
It’s a small text file that’s placed on a user’s computer or device that allows the server to display a page tailored to that specific user. For example, when you shop for shoes on Zappos and then go to another website to read an article, you’ll often see an ad on that page for the same shoes you just shopped for on Zappos. Zappos placed a cookie on your computer when you visited their site so they could later display ads that would appeal to you. The Zappos cookie doesn’t collect any personally identifiable information about you, but they know that you liked a particular pair of shoes and they want to encourage you to buy them from Zappos.
If you get website visitors from Europe, you’re also subject to European Union laws regarding privacy – and they’re even more strict than California’s law. All commercial websites used by European citizens are required to notify users immediately that they place cookies on users’ devices and give the users a chance to opt out.
So your commercial site needs a privacy policy. What’s the next step?
The Better Business Bureau offers a sample privacy policy that you can customize for your company’s needs. If you have a high profile business, you store a lot of personally identifiable information, and you have a lot of web traffic, you should consult a business attorney to craft a privacy policy that will protect both your business and your users.
I’ll put it on your site and make sure it’s set up to comply with applicable laws. But don’t procrastinate! This is an easy issue to fix and doing so could save you a lot of money and headaches.