Part I of this post addressed the content that appears on your company website – both content you create or that was created for you and content generated by users of your website.  Today, we will look at the various technologies for collecting information from users – often without their knowledge or explicit consent – and the rules governing the use and protection of that information.

  • Does your website track visitors’ activities through “cookies” or “web beacons”?

Cookies and web beacons are simply text files or software code which track users’ activities while on a website.  Websites often use information from cookies and web beacons to personalize advertisements shown to a web visitor.  For example, most search engines place a tracking cookie on your computer relating to searches you perform.  That is why you might see advertisements relating to your past searches as you browse the internet.

Trackers such as cookies and web beacons are not currently subject to government regulation, though a coalition of website operators has created a self-regulatory regime which asks companies to implement privacy protections on their own initiative.

  • Does your website gather personal information about individual website users?

Websites that also gather specific personal information, such as names, addresses, email addresses, social security numbers or bank or credit card information, are subject to more extensive regulation.  Depending on the types of personal information collected, a website may be required by law to post a privacy policy which describes the information collected from users, how users can request changes to that information and how the website uses and protects that information.  If personal information is shared with third parties for direct marketing purposes, a website operator must either provide consumers, upon request, information about disclosures of their personal information or allow consumers to opt out of the disclosure of any personal information.  Even where not required by law, a comprehensive privacy policy can help a website owner assure its visitors that it will not use personal information it collects irresponsibly.

A website owner should be sure, however, that its privacy policy is accurate and that it follows the procedures set forth in the policy.  The FTC has brought several actions against website operators for using information in a manner contrary to their privacy policies and for failing to honor the promises made in privacy policies about protection of personal information.

  • Do you have a plan to deal with unauthorized disclosures of personal information or other types of “data breaches”?

Regulations in several states also require that a website which receives personal information from website visitors have a comprehensive security program and a security system covering its computers.  Similarly, most states require website owners to provide notice to consumers for any “data breach” resulting in unauthorized disclosure of personal information.

  • Do you send emails to website visitors?

The federal CAN-SPAM Act establishes rules for commercial email messages.  The Act prohibits false or misleading header information or deceptive subject lines and requires that the email disclose that the message is an advertisement.  The email also must indicate the physical address of the sender and must include a clear and conspicuous explanation of how to opt out of future commercial emails.

Protecting personal privacy on the Internet is a growing area of concern for legislators and regulators.  As businesses increase the use of their websites to communicate and interact with their customers, they need to ensure that they comply with all of the various federal and state laws governing the protection and use of that information.

Contributors: Dabney Carr and Robert Angle, Troutman Sanders Intellectual Property Practice

For questions and/or comments, please contact Bryan Haynes, at 804.697.1420 or by email.