Mark Pestronk
Mark Pestronk

Q: In the last few weeks, I have been bombarded with emails stating, "We have changed our privacy policy. Please click here to read all about it." Also, on lots of websites, I see a pop-up asking me to consent to the company's use of "cookies." What's this all about? My agency doesn't have a privacy policy. Is one legally required? If so, what could happen if we don't have one? If not, should we have one anyway, just because all our competitors do? If we use cookies, are we legally required to get consent from every website user?

A: If, like most agencies, you do not collect personal information on your website, you are not required to have a privacy policy. Even if you do collect personal information, you are still not required to have one, with three exceptions:

First, if you collect personal information of individuals residing in California, the California Online Privacy Protection Act (CalOPPA) requires you to have one, regardless of your location. CalOPPA has very detailed requirements for privacy policies, which you can find here.

If you don't follow CalOPPA's detailed requirements, the state can fine you up to $2,500 per violation, although you will first receive a 30-day notice to comply.

Second, as you probably already know, if you are subject to the EU's new General Data Protection Regulation (GDPR), you must have detailed "privacy notices," among many other requirements. The specific requirements for those notices are described here.

As I noted in my June 4 Legal Briefs column, if you are outside the EU, you are subject to the GDPR only if you specifically target EU residents with offers or you track the online behavior of EU individuals for marketing purposes. The vast majority of U.S. agencies with some EU clients do not do so.

Third, you need a privacy policy if you have a contract with a tracking service such as Google Analytics that tracks your website visitors, provides reports on who visits your site, when they visit, where they visit from geographically and on what pages or social media they found you. The reason is simple: the contracts of Google Analytics and similar services require you to have a privacy policy.

Specifically, your privacy policy must include a statement that you use Google Analytics to track online behavior, a list of what information you collect and how you use it and a statement that you use cookies.

If you take online marketing a step further and use Google AdSense or a similar service that puts ads for your agency's services on a page of search results, your privacy policy must explain that you use Google AdSense. You must also use "commercially reasonable efforts" to make sure you get consent to use cookies by using a banner or similar notice that alerts users to the use of cookies on your website and allows users to block them.

However, these laws or contractual clauses don't explain the recent rash of revisions to privacy policies and cookie pop-ups. My explanation is that businesses subject to the GDPR had to revise their notices, and other companies decided to follow suit for competitive reasons because they did not want to appear unconcerned for privacy.

If you have a privacy policy, whether required or not, you must follow it, or you could get into trouble with the Federal Trade Commission (FTC), whose website states, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises."
JDS Travel News JDS Viewpoints JDS Africa/MI