Frequently asked questions about intellectual property and corporate law

Question: I am setting up a website to sell products directly to consumers over the internet. Am I required to post a privacy policy on my website? If so, may I just copy one from another website?

Answer: To answer your second question first, there was a recent case in which a jury awarded $4.5 million in a ruling against a company that helps students apply to colleges online. The company's website operators had apparently copied a privacy policy from another website and posted - incorrectly - that personal information was not being shared.

I have seen and corrected many policies that were written with the best of intentions, but did not accurately state what the real privacy policy of the website operator was. Needless to say, not customizing and properly stating your privacy policy can lead to a lot of unnecessary and expensive headaches.

As for your first question, the answer is yes, you will more than likely be required to post a policy for one or more of the following reasons:

• Your credit card processor may require one as a condition of setting up a credit card merchant account, as many do.
   
• A federal law known as the Gramm-Leach-Bliley Act requires that any "financial institution" provide a privacy policy to its customers. The term "financial institution" is construed very broadly to include retail stores that offer their own credit cards or otherwise extend credit to consumers. The Federal Trade Commission is responsible for enforcing this law's compliance by businesses that are covered by it. The FTC can issue fines of up to $11,000 per violation.
   
• A second federal law known as the Health Insurance Portability and Accountability Act, or HIPAA, requires health care service providers such as doctors and pharmacies to provide privacy policies to customers. So, if you will be selling prescription drugs over the internet, you will be required to post a privacy policy. The privacy rules of this law are enforced by the Office of Civil Rights of the Department of Health and Education. Over 4,500 cases have been prosecuted based on this act.
   
• A third federal law known as the Children's Online Privacy Protection Act of 1998 requires that any owner or operator of any website that is directed toward, or knowingly collects data from, children who are under 13 years of age, post a privacy policy. A few years ago Toys "R" Us entered into a consent order with the Federal Trade Commission agreeing to pay a $400,000 fine for violating this law. Many other companies, including Hershey Foods, Etch-A-Sketch and Universal Music have been the subject of FTC complaints based on this act.
   
• So far California is the only state that requires that the owner or operator of a commercial website that collects personally-identifiable information such as names, addresses, email addresses or phone numbers from consumers who reside in that state, post a privacy policy. This law applies to the owners and operators of websites, regardless of whether or not they have a physical place of business in California. Both the California attorney general and private individuals and companies can bring actions against website operators who violate it.
   

Any privacy policy should be carefully drafted. First, the policy must conform to the requirements of any applicable law that requires the policy. Second, as stated in the beginning of this article, an inaccurate privacy policy can be the basis of a claim for fraud or unfair trade practices.

Rob Hassett is an attorney in technology, entertainment and corporate law with the Atlanta law firm of Casey Gilson P.C. He also teaches in the professional education program at Georgia Tech and is the co-author of a volume on Internet Law of a leading treatise on entertainment law. If you have a question about intellectual property or corporate law, you may contact him at rob@internetlegal.com.