Authors: Katie Newman, Kristél Kriel
Organizations with an online presence should ensure that they have an effective Privacy Policy and Terms of Use in place to comply with applicable privacy and consumer protection laws.
A Privacy Policy and Terms of Use provide appropriate flexibility for an organization’s operations, limit the risks relating to those operations, and increase customer and stakeholder confidence.
An organization’s failure to have an appropriate Privacy Policy and Terms of Use can lead to significant financial and reputational consequences including fines, penalties, complaints and other legal actions.
This blog focuses on the requirements for websites, but many of the same considerations apply to mobile applications (apps) as well. We will be writing more about the requirements for apps in the future.
What is a Privacy Policy?
A Privacy Policy is a legal requirement for most organizations and explains the organization’s privacy practices. Typically, this includes:
- what personal information is collected,
- why it is being collected,
- how the information will be used,
- how it will be protected, and
- who it will be shared with.
An effective Privacy Policy demonstrates to customers and visitors of the organization’s website that the organization is accountable, transparent and respects the privacy of its customers and/or stakeholders.
Tips for an effective Privacy Policy:
- Privacy Policies must be appropriately customized to the organization. Depending on the nature of an organization’s operations, including how and in what jurisdictions the website is operated, the applicable laws, requirements, and best practices for the organization’s Privacy Policy will vary. We see many situations where organizations have simply copied and pasted a policy from various sources. This is not sufficient and is often not compliant with applicable laws. It may also create additional unintended consequences (for example, copyright infringement claims from competitors). Instead, we recommend that organizations conduct a careful review to ensure that their Privacy Policy satisfies applicable laws and best practices; doing so may save significant costs later.
- Individuals should be aware of key privacy practices and know how to access and control their personal information. The type of information will depend on an organization’s practices, but the policy should be transparent about what the organization does with information and why, explain how individuals can access and update their information, identify who to contact regarding privacy inquiries and complaints, and explain how updates to the policy will be managed.
- Organizations should regularly review and update Privacy Policies to reflect changes in privacy laws and best practices. Updating a Privacy Policy when changes in laws and operations occur is critical to being transparent and obtaining meaningful consent for the collection of personal information.
- Privacy Policies must reflect your website functions. If your website includes analytics, cookies, e-commerce or other functions, there are often specific requirements for wording to be included for website visitors based on contractual or statutory requirements – we will be writing more about the requirements for e-commerce in the future.
- Privacy Policies should be user-friendly. They should be easy to understand and navigate and readily accessible to visitors of the website. The information contained in a Privacy Policy should be specific to your organization and easy to understand. The policy should make clear what type of information is collected, the purpose it is used for, and who the information may be disclosed to.
- Organizations should appropriately implement their Privacy Policies. Having a Privacy Policy is not sufficient in and of itself; implementing the policy appropriately is critical. Individuals should be clearly aware of the Privacy Policy and, wherever possible, be required to acknowledge or consent to it. Internally, organizations must also have a good privacy compliance program to support their privacy practices, including, for example, staff and contractor confidentiality agreements, employee training, etc. An organization’s privacy compliance program will depend on its operations, and a review should be conducted to assess what is required for the organization.
What are Terms of Use?
Terms of Use set out the terms, conditions, requirements, and rules regarding the use of a website. An organization’s Terms of Use serve important functions, including protecting the organization from abuses of the website and limiting the organization’s liability. Essentially, the Terms of Use lay out the ground rules for dealing with issues that may arise with a visitor to the website. They are particularly crucial for organizations with important intellectual property on their websites (which is most organizations!).
Tips for an effective Terms of Use:
- Terms of Use should establish customized rules or limits of use for the website. Terms of Use can lay out prohibited conduct and establish the obligations of the website visitor. Typically, this would include terms regarding abiding by applicable laws, terms relating to cybersecurity, unauthorized use of materials, and other terms unique to an organization.
- Terms of Use should appropriately assign risks. Terms of Use should clearly specify who will be responsible for risks relating to use of the website and contain clear contractual terms in order to be enforceable.
- Terms of Use should outline notice of website interruptions and updates. Websites periodically incur shutdowns, whether intentional or not. Terms of Use should give the user notice of these possibilities and outline a policy to notify the user of outages. Including contact information for technical support may be useful in the event that the user needs to report an issue with the website.
- Terms of Use should include information on intellectual property. Rules regarding intellectual property protect the content of the website from wrongful use and put the organization in control of how its content can be reproduced and used.
- Individuals should explicitly agree to the Terms of Use. Terms of Use should require a positive action, such as checking a box or clicking “I agree.” Organizations should always require individuals to positively consent to the Terms of Use.
Conclusion
When it comes to Privacy Policies and Terms of Use, organizations need a customized document that addresses their unique operations. Organizations should continue to update their Privacy Policy and Terms of Use to reflect changing business practices, laws, and expectations from customers.
MLT Aikins offers fixed-price packages, including discounts for non-profit organizations, for constructing a Privacy Policy and Terms of Use. If you require assistance with creating or reviewing your Privacy Policy or Terms of Use, please contact us for more information.
This post is part of a blog series about moving your organization’s operations online. For more information regarding moving your organization’s operations online, please see our blog post series covering the legal risks that organizations should consider on an ongoing basis.
Note: This article is of a general nature only. Laws and government programs may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.