The Law for Affiliate Marketing: Privacy Policies

seanmorrison | June 24 / 2014 | Affiliate Marketing, Privacy

Disclaimer: Obviously, this blog does not provide legal advice. How do you know? This is free. Legal advice you have to pay for.

Our overview of affiliate marketing rules now moves into privacy policy requirements. Online privacy is always in the news, and the balance between users’ privacy and your companies need for information is always going to be tricky. A site’s privacy policy explains to your users what information is being collected, and how it’s being used. This way, users can make an informed decision about working with you.

Do You Need a Privacy Policy?

Privacy policies are not legally required by the federal government. However, some states do require them. California requires privacy policies where the site collects information from any California resident. That’s right – resident. It doesn’t matter where you are. Unless your business in no way attracts users in California (or any of the other privacy policy states), you should put together a privacy policy.

Beyond the legal requirement, they’re a good idea anyway. At this point, users expect them. They’ll never read the damn thing, but it’s comforting to know it’s there. Sites without a privacy policy seem less legitimate. Some business will not even work with companies that don’t display privacy policies.

Finally, it’s just plain fair to your users. Remember, they’re the ones you’re trying to persuade. Ultimately, it’s their information and it shouldn’t seem like you’re sneaking it away from them. Let them make their own decisions. Respect your customers, and they will respect you.

Following Your Privacy Policy

I say this so often it seems like a mantra – Follow your privacy policy. While there is no federal law requiring a privacy policy, the FTC does require those with a policy to comply with it. And they love to enforce this one, even when the site didn’t put any thought into making it. They consider it a “deceptive” practice to post a privacy policy, but not follow it. If you remember the discussion about using disclosures to avoid deception, then you’ll know that you can’t tell customers one thing, and then do another.

Snapchat recently got caught up by the FTC for failing to comply with its privacy policy. The policy stated that users’ information would be deleted, which was the whole purpose of the app. However, there were so many ways to save the information and get around the deletions, that it was completely ineffective. Snapchat had to change their policy (notice they didn’t fix the app) to say that nothing would be deleted. Similarly, the FTC filed a complaint against Google because it was using information without permission to build the now defunct Google Buzz.

Once you put that policy out there, you need to know what it says and ensure that it matches your actual practice. Don’t just copy and paste something you found on another site, since lazy drafting is not a defense.

Don’t Forget the Little Children

The law is particularly strict when it comes to kids’ information. While a privacy policy isn’t required by federal law normally, it is if your site collects information on children. Under COPPA, sites cannot collect information from users under 13 without the guardian’s consent. This includes cookies.

This is a particularly tricky area, since it’s not always easy to know when users are under 13, and COPPA compliance brings in a whole array of requirements. The important thing to remember is that you are responsible for third parties. This means that even if you do not collect any information from kids, if one of your third party plug-ins or apps does, then you must comply with COPPA (they need to as well). It also means that you are responsible for your affiliates, so make sure they understand COPPA and won’t violate it.

What Goes Into a Privacy Policy

The general rule is to simply make clear what information you are collecting, and how it’s being used. Let them know if you’re selling it to third parties, or keeping it safe for them. Here are a few things to make sure you include:

  • What information is being collected;
  • What steps you are taking to make sure personal information (name, address, phone number, etc) is secure;
  • Whether you will share the information with anyone outside your, whether you sell it or not;
  • Let them know how they can opt out of communications, or modify/delete their information;
  • Unless you prohibit kids from visiting your site, include COPPA information like how a parent can delete their kids’ info;
  • Tell them how you will notify them when the policy changes (because you need to update your policy as you upgrade your business); and
  • The effective date of the policy (when it begins).

Depending on your practices, there may be specific clauses to add. For example, if you’re using Google Adwords remarketing, then they have specific language they want you to include in your privacy policy. You may also need language if you’re using analytics, Facebook integration, or other info sharing systems.

Do It Already!

A privacy policy is usually the last thing put on a site or app, and too often ignored. But it can have significant consequences. If you don’t want to mess with it, hand it off to an attorney. You’ve got enough to do already. If you do it yourself, make sure it matches your actual practices. Make notes of what your site or your affiliates are collecting, what kind of data security you have in place, and what you plan to do with all that information. Write it down. Now it’s 90% done. Put it through a privacy policy generator, like this or this. Then show that to your attorney to make sure it’s got everything you need. Finally, put a link on every page of your site or app so it’s easy to find. Common practice is to put it in the footer – you users will look for it there.