This article by Barbara Meyers is from the January 2021 edition of Nink, the monthly newsletter of Novelists, Inc. (NINC). Nink, which is packed each month with informative articles for career novelists, is a benefit of NINC membership.
Not following compliance guidelines can lead to liability. Likewise, if you have a published policy but don’t follow it, someone could make claims against you for deceptive or unfair trade practices. Plus, those who view your website may be more comfortable knowing there’s a policy that spells out exactly what information you collect during their visit and how it’s used.
While most states have no laws regarding website policies, California and Vermont have been more aggressive in increasing privacy protections. The California Consumer Privacy Act (CCPA) took effect Jan. 1, 2020, and focuses on how businesses collect and use Californians’ data. Even if you are not a California resident, your website is accessible to those who are. CCPA is meant to address website operators selling data directly by using lead generation companies and direct marketers, or by sharing personal data with ad networks through cookies without disclosure. Violations fall under California Unfair Competition Law and can incur a penalty of $2,500 per violation.
Vermont recently signed into law legislation (Senate Bill 110) to address a number of issues related to data privacy and consumer protection, such as expanding the definition of personally identifiable information (PII) for purposes of data breach notification requirements for data collectors. Under the Vermont Security Breach Notice Act, data collectors are required, in certain instances, to report data breaches of PII.
The General Data Protection Regulation (GDPR) in Europe takes these rules a step further, requiring consent prior to data collection.
- Collect information for a newsletter, giveaway or any kind of an opt-in where you give a freebie in exchange for their email—you should definitely make visitors aware of how you plan to use their personal information.
A policy missing any of those key elements will fail to protect the business owner. Further, Lyons said, “The risk of not having a properly drafted policy is tremendous. Facebook has had billions of dollars of fines levied against it for failing to have one component of their policy adequately drafted and followed. It is essential that all of the elements be precisely addressed by someone who understands each facet and how to ensure compliance.”
Attorney Philip Nicolosi points out that often failure to write a proper policy stems from website operators not understanding the definition of personal data. For example:
- In California, under the CCPA, an IP address is specifically considered an item of personal data on a stand-alone basis. Cookies use unique identifiers to identify a device in connection to its IP address. Uninformed website operators may incorrectly define and then not disclose what is actually collected and shared.
- The use of email marketing services such as Mailchimp gives these third parties access to personal data, such as an email address. In theory, using third parties to operate the website or for marketing purposes that have access to personal data in any capacity should be disclosed regardless of how such parties are using data.
The issue of data collection and disclosure is primarily about controlling the unauthorized selling and/or sharing of personal data without notification. The FTC Act controls data collection disclosure by restricting "deceptive practices." Not disclosing how an individual's personal identifying information is shared with third parties is deceptive.
How to create your policy
Keep in mind, however, the free sites may offer no support or any way to get your questions answered. A good policy includes several requirements regarding the setup for your website, for example Secure Sockets Layer (SSL), so it can be worth it to have someone to go to for assistance when you need it. SSL (and its successor, TLS, which modern browsers use under the same name) is a protocol for sending information over the internet in encrypted form, so that it cannot be read or altered in transit. When you are asked to "log in" on a website, the resulting page is usually secured by SSL. If a web address starts with "https," the "s" after the "http" indicates that the connection to the website is encrypted.
No matter if you do it yourself or get an expert to help with your policy, make sure your policy is written in easy-to-understand language. Lyons says she sees a lot of policies written in “impossible-to-understand legalese, filled with legal jargon and old English wording. Having clarity with all legal documents is empowering for an entrepreneur and will foster confidence and peace of mind.”