Legal Writing Part Four: Privacy Policies-Drafting Pitfalls for Clients and Lawyers

This post originally appeared on the NITA Legal Advocate Blog.

One of the drafting tasks attorneys are increasingly faced with is to create privacy policies for their clients' websites and other online resources. These policies are supposed to provide sufficient detail about a company's personal information collection and use such that consumers can make informed choices about whether they will provide their information to the company. As with website terms of service, privacy policies often include contract-related provisions regarding consent, jurisdiction, notice, amendment, and other such elements.

There is no overall U.S. federal law requiring privacy policies on websites. While there are a number of state and federal laws that impose specific mandates regarding privacy policies (especially in certain contexts, such as health or children's privacy), the biggest legal risks for companies posting privacy policies, and the biggest potential challenges for the attorneys charged with drafting them, arise from general consumer protection principles. The FTC and attorneys general, the primary enforcement bodies for consumer protection, evaluate privacy policies as disclosure documents, and in too many situations, privacy policies fail because they are simply inaccurate. As a result, even when the company's practices are fully in compliance with applicable law, the privacy policy statement itself can result in liability if it doesn't disclose the practices correctly. A review of the FTC's privacy enforcement over the past decade shows a number of settlements where the FTC uses its general Section 5 consumer protection jurisdiction to sanction companies for inaccurate statements in their privacy policies.

Why do so many companies, even large and sophisticated ones, find themselves facing litigation and enforcement actions based on their privacy policies? Often, this is because those responsible for drafting the policy, whether in-house counsel, outside attorneys or non-lawyers, did not ensure that the policy was actually an accurate reflection of the company's current and future practices. Too many privacy policies are cut and pasted from those on other sites, even when the other sites' data practices have no relationship to those of the site using their text. This is a bad enough methodology when dealing with contractual language; in a disclosure document, which is primarily factual, it can be disastrous.

Further, policy drafters may not understand the relevant technology well enough to provide accurate language. For example, numerous websites include in their privacy policies something like the following statement: "We will not share your personal information with third parties." This sounds comforting, but is essentially never true: the owner of a website will share its users' data with multiple third parties merely in the process of transmitting a webpage containing the user's name back to the user, from the website hosting company, to the telecommunications companies providing bandwidth along the way, to the user's Internet service provider. In e-commerce situations, the user's data will (and must) be shared with the user's payment processing company, the courier delivering any ordered products, and so on. Again, the issue is not that the sharing is illegal or even undesired by the user; rather, the fact that the statement is in the privacy policy, and is inaccurate, is sufficient to expose the website owner to liability.

How, then, should those drafting privacy policies proceed in order to reduce the exposure of the site owner to consumer protection enforcement? There are a few key best practices:

  • Collect relevant information on information practices from all relevant stakeholders before drafting. This may be most effectively done through a written questionnaire that can be shared among IT, marketing, business, and other professionals within the site owner organization, and that asks about both current and possible future practices. The questionnaire should also cover issues such as third-party access to the data (backup services, data analytics firms), information collection other than through website forms (via web server log analysis, e-mails, telephone calls, faxes, postal letters, etc.), the different jurisdictions in which the company may do business (and whose privacy laws may differ), and whether there are specific legal, regulatory, or contractual obligations that may affect the company's data practices.
  • Write simply and flexibly. Because so much of the potential risk from privacy policies arises out of inaccuracies, it is best to say too little rather than too much, and to use flexible words such as "may" rather than limiting ones like "shall" to encompass as many potential situations as possible.
  • Be ready for revisions. Because the company's data collection and use practices may change over time, the policy may have to do so as well. It is important to build into the policy a process for revisions that does not require consent or overly burdensome notice before putting the change into effect. (Note, though, that based on past FTC actions, a material change affecting use of previously collected data may require affirmative consent from those prior users.)
  • Keep apprised of relevant law and regulation. Legislators and regulators in the United States and throughout the world are paying close attention to privacy issues, and the relevant legal requirements may change quickly. It is crucial that those responsible for privacy risk management keep up with governmental statements and trade publications to stay aware of possible changes to requirements for both data collection and use and disclosure.

Beyond the benefit of avoiding legal exposure, companies that demonstrate a commitment to responsible privacy practices and clear and accurate disclosure of those practices will also generate greater consumer confidence (and of course those organizations whose privacy practices are lax may well lose the trust of customers and business partners, let alone invite legal action). Attorneys, in their role as risk managers for their clients, can and should be an active part of a well-designed data collection and use strategy, especially when it comes to drafting privacy policies.

Jonathan I. Ezor is an Assistant Professor of Law and the Director of the Touro Law Center for Innovation in Business, Law and Technology and counsel to Olshan Frome Wolosky in New York City. He has been practicing technology business law for twenty years, and is a frequent speaker and writer on cutting-edge issues of Internet law. He is the author of multiple works, including Privacy and Data Protection in Business: Laws and Practices (LexisNexis 2012). He can be reached at and followed on Twitter as @ProfJonathan.
