Hi, thank you for bringing your question to Google Answers.
I?ll begin by summarizing the answer, then fill in the details. You
have a lot of questions but the basic answer is pretty simple.
There are some very scary sounding laws regarding the Internet but the
important thing to remember is that very few people get into trouble
and those are almost always people with actual criminal intent. Mere
mistakes usually won?t get you into trouble with the criminal law
unless you do something such as intentionally disclose someone?s
private information such as a social security number. Being criminally
negligent in designing a Web site is difficult to prove in court,
although I would avoid designing Web sites which collect any personal
health or financial data or which make them available through some
sort of search (even if encrypted.)
Civil action is always possible about absolutely anything. Just check
any of the entertainment court shows on TV and you will see that it is
possible to get sued over virtually anything.
The simple way around this is to incorporate the design business ?
that way, unless the people involved are intentionally doing something
blatantly illegal, their private assets are protected (in the U.S.). A
corporation is legally an individual under the 14th Amendment to the
Constitution, capable of engaging in business, signing contracts, and
being sued. But the owners of the corporation are MOSTLY immune to
criminal or civil action.
That is my major piece of advice ? if the person designing Web sites
has any assets of their own, don?t go into that (or almost any)
business without incorporating. It is cheap insurance.
What brought about all this concern over Web site Privacy Policies was
the release of Internet Explorer 6 which included a way to quickly
check a site?s privacy policy. (Look in the View pull down menu for
Privacy Report.)
This relates to the P3P Platform for Privacy Preferences standard. If
you do have a privacy policy for a Web site you should definitely
comply with the P3P guidelines. (More on P3P below)
Most sites only use a privacy policy as a marketing tool so it only
makes sense if your clients are going to look for it.
>Is a Web site privacy policy required?
No.
In fact, there are virtually no regulations relating to Web sites. The
Internet is still the wild, wild west of marketing and commerce,
although that is slowly changing as governments begin to regulate the
Web more closely.
Unless you fall into some very narrow categories such as a U.S. based
medical services company or a financial institution with fiduciary
responsibilities, what a visitor puts on your Web site is considered
public information.
In this instance, your friend?s site advertising his/her own Web
design service has no particular obligations to protect privacy of
anyone visiting the site ? OTHER THAN THOSE IMPOSED BY A COMMON SENSE
CONSIDERATION OF HOW HE THINKS HIS CLIENTS WOULD LIKE TO BE TREATED.
However, being in the Web site design business he(or she) also needs
to know about any special needs his(her) clients have which are
imposed either by industry custom or law. I address that below.
However, IF you do post a privacy policy, then you could very well be
held liable for any violations ? that is one reason I never post a
privacy policy on any of my sites. I never collect or share
information about visitors but just stating that could open me up to
legal problems if some hacker penetrated the servers which host my
various sites. I have my own very strict internal privacy policy, but
it isn?t published on any of my Web sites.
For most businesses the purpose of a privacy policy is to tell your
users what you will do to protect their privacy. Whether it will be a
liability not to have a posted privacy policy is very much dependent
on just what the Web site does and who your visitors are.
I?ve never had a single question from many, many thousands of visitors.
> Is it necessary to have a privacy policy?
There is a difference between having a privacy policy and posting a privacy policy.
>What types of sites require a privacy policy?
Some health-related sites are required under HIPAA or other laws to
protect any confidential information collected.
This includes hospitals, pharmacies, doctors, and even insurance companies.
Any such company having a site designed will know about their privacy
policy obligations and the site designer should place the burden on
them in their contract.
Some states, such as California, make it a crime for anyone doing
business with even one person in California to disclose private
information and fail to notify that person quickly. It isn?t the
disclosure that is illegal, but the failure to notify.
This, however, doesn?t necessarily impose any requirement to post a
privacy policy. You need to consult an atty. About that ? the owner of
the site you are designing should certainly be aware about any legal
requirements they are under to post a policy and a Web site designer
should include something to that effect in their contract.
Any site which collects private information about individuals can
place the owner (and possibly the designer) in danger of being sued
and perhaps even prosecuted if they expose data which can be used in
identity theft.
I wouldn?t buy a privacy policy, although many of the sites which have
them for sale are reputable enough. The real problem is that this is
an area of legal limbo and, until a lot more case law is decided, no
one really knows what constitutes a good privacy policy.
To decide, I suggest you ask the vendor of a privacy policy just how
much they guarantee that it will stand up to legal challenge. My
suspicion is that none of them will offer any sort of solid guarantee.
If you decide to post a policy I would check with a good lawyer.
>What are the penalties for not having a policy?
None unless a particular State imposes a policy requirement on some kinds of sites.
>Would the designer face penalties, or just the owner?
Well that depends on a lot of factors. For example, if sloppy
programming or design caused information to be hacked then the owner
of the site could certainly have a civil case against the designer.
That should be addressed in the contract which must be signed before a
design project begins. Again, this has nothing specifically to do with
a posted or even unposted privacy policy.
>Are there any cases where owner or designer got into problems?
Absolutely! California in particular is always bringing cases against
companies and individuals. But considering the scale of the Internet,
this is actually very rare.
But I don?t know of any legal problems actually related to the lack of
a policy, only to fraud or violation of privacy and those laws apply
whether there is a policy or not, although a well-written policy
passing all responsibility to the site visitor might be helpful if it
is very carefully drawn up by a good lawyer.
Here is the California Atty. General?s main page because California is
often in the forefront of these laws.
http://caag.state.ca.us/
There are issues to do with the CANSPAM act
http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm
which actually specifies HOW you can spam people legally.
Issues surrounding age and particular care in protecting the
information about children.
Issues of protecting privacy or customers and vendors for commerce sites.
Because laws are always changing, you should monitor
http://www.usdoj.gov/criminal/cybercrime/
Which is the Department of Justice?s Cybercrime home page.
You will find some intellectual property and privacy notes at
http://www.usdoj.gov/criminal/cybercrime/privacy.html
and some more food for thought at
http://www.usdoj.gov/criminal/cybercrime/dojcyber.html
Medical Privacy
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
http://www.hhs.gov/ocr/hipaa/
Fact sheet for protecting patient privacy
http://www.hhs.gov/news/facts/privacy.html
Financial institutions
U.S.C. Title 15, Chapter 94, Subchapter I, Sec. 6801 covers the
Gramm-Leach-Bliley Act (he Financial Modernization Act of 1999.) This
act imposes privacy legislation on financial institutions by
regulating protection of nonpublic personal information.
http://www.ffiec.gov/ffiecinfobase/resources/management/con-15usc_6801_6805-gramm_leach_bliley_act.pdf
This would only apply if he is designing Web sites for financial
institutions but that covers a lot more than just banks. In any case,
that doesn?t necessarily mandate a published privacy policy on the Web
site, just that data be protected. Again, protect against this in the
contract.
Creating a privacy policy
There is an online Privacy Statement Generator for Web sites at
http://www.oecd.org/document/39/0,2340,en_2649_34255_28863271_1_1_1_1,00.html
Organisation for Economic Co-operation and Development includes
special guidelines for various industries.
>P3P is a W3C standard, in other words, it is a voluntary standard
published by the WWW Consortium.
http://www.w3.org/P3P/
and
http://www.allaboutcookies.org/p3p-cookies/
>If the designer held title to the site and URL (domain name) would
this change anything?
He or she needs to discuss this with a lawyer, but it shouldn?t make
any difference for most sites. I would certainly avoid owning the URL
or hosting site for any financial or medical-related Web site, however
the contract should shift any responsibilities either to the
contracting entity or the hosting business. Most hosting complaints
relate to outages and uptime anyway and your friend needs to make it
clear that they aren?t under his/her control.
Google Search Strings
prosecution of web site owner site:.gov
HIPAA
P3p
When dealing with the law there are always open questions and about
all anyone can do is approach situations with an open mind and no
malice in their heart.
The best course of action is to first incorporate and then have a good
lawyer draw up a standard contract for the Web design business, one
which specifically absolves the designer of liability for almost
everything and, at a minimum, requiring the contracting company to
provide any required privacy policy text to include in medical or
financial sites.
This isn?t important so much because published privacy policies are
required for most, if any sites,(they aren?t) but because there could
always be new laws passed which would change the situation.
Unless you want to follow all new legislation in any country and state
where the clients do business, you have to protect yourself in writing
against this sort of thing ? as with HIPAA requirements, they will be
notified of any changes in the law affecting them or their sites.
Although you didn?t ask about this, I think I should point out the
Americans With Disabilities Act and the requirements it imposes on
companies to keep even Web sites accessible. This law is seldom
enforced.
Although disability rights have mostly been ignored in the U.S. Web
sites do business internationally and the British have recently begun
to take this very, very seriously.
http://news.bbc.co.uk/1/hi/england/norfolk/3117050.stm
I hope this answered your questions, if you have a specific question
which you posted but believe has not been adequately addressed, simply
post a request for clarification and I will get back to you.
The bottom line is that if your friend has a well written contract
and, especially if they incorporate the Web design business, then they
should have no problems unless they actually have some criminal
intent.
Posting some sort of policy which isn't required is more likely to
cause problems than otherwise. |
