Before our recent two-month hiatus, we were discussing that most effective Terms of Use (or Terms of Service (TOS)) include seven key concepts: (1) permitted use – that is, the specific uses to which the website may be put and any restrictions on use imposed by the website operator; (2) the treatment of user-created content; (3) a disclaimer of warranties; (4) the limitation, in whole or in part, of the website operator’s liability; (5) a privacy policy; (6) governing law and choice of forum; and (7) how the Terms of Use may be modified.
Before our break, we touched on the first four elements, which leads us to:
5. Privacy Policies. A privacy policy is a statement that discloses the ways in which a website operator gathers, uses, discloses, and maintains a user’s data. Such statements are legally required where the website is directed to children under the age of thirteen, knowingly collects personal information from children under the age of thirteen,[i] or interacts with users living in one of the states that has passed a law requiring website operators to publish privacy policies.
The privacy policy should be a separate document, drafted and published so as to comply with the requirements of the most restrictive privacy laws which might apply to the relationship. Often, the most restrivice domestic privacy law is the California Online Privacy Protection Act of 2003 (OPPA). Under OPPA, “privacy policies must contain certain information, including the following: personally identifying information collected, the categories of parties with whom this personally identifying information may be shared, and the process for notifying users of material changes to the applicable privacy policy.”[ii]
Website operators with users in countries other than the United States must also ensure that their privacy policies comply with the law of those foreign countries from which their users visit the website. Often, at a minimum, such compliance requires the website to comply with the EU Data Proection Directive, adopted by the European Union on October 24, 1995, or the "Safe Harbor" framework negotiated by the United States Government.
[i] See Jonathan D. Frieden, Charity M. Price & Leigh M. Murray, Putting the Genie Back in the Bottle: Levering Private Enforcement to Improve Internet Privacy, 37 Wm. Mitchell L. Rev. 1671, 1683-84 (2011) [hereinafter “Internet Privacy”] (available at http://open.wmitchell.edu/cgi/viewcontent.cgi?article=1429&context=wmlr).
[ii] Internet Privacy, at 1690-91.