Privacy Laws for Online Businesses

Online businesses bear the responsibility of abiding by state and federal privacy regulations that may affect how a business conducts sales and marketing, and how such businesses store and share information about customers.

California online privacy laws require all online businesses with California customers to provide a privacy policy that is easily accessible on their website. The California Secretary of State or the Washington, D.C. Business Resource Center will have information pertaining to the applicable privacy laws in that region.

There are also federal regulations in place that impact all online businesses that operate within the United States. The Children’s Online Privacy Protection Act of 1998 (“COPPA”) requires businesses to obtain parental consent before collecting personal information from children under the age of thirteen. Parents then have the authority to prevent businesses from gathering such information. Parents also have the authority to grant access to personal information, but deny a business’s ability to share this information with third parties. Businesses often require users to enter their date of birth before accessing a site in order to ensure compliance with COPPA.

The Fair Credit Reporting Act (“FCRA”) also applies to online businesses, but only those that collect information from private individuals regarding their financial and criminal records. Under the FCRA, such consumer reporting agencies must protect consumers’ private information from unauthorized third parties. These agencies are responsible for generating credit scores and may only provide this score, upon request, to employers and creditors.

Online businesses involved in providing health care information and health care plans, or health care providers that conduct electronic transactions, must comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HIPAA prevents such businesses from sharing health care information about an individual with third parties. A business may provide information about its patrons so long as it omits any identifying information about a specific individual. Such identifying information includes a person’s name, relatives, address, social security number, and date of birth.

Additionally, the Federal Trade Commission tightened regulations for online businesses in 2009 with the release of its guidelines for online advertising and marketing entitled “Self-Regulatory Principles for Online Behavioral Advertising.” First, the FTC requires that all online businesses notify consumers that they are participating in target marketing. Consumers must also have the option to opt out of the survey if they do not want to share their personal information. Once online marketing companies collect the data, they are responsible for ensuring its safety from unauthorized third-party access. In the event that companies intend to use personal information in a manner other than that explicitly stated in the privacy policy, the company must notify consumers of such alterations. Finally, online marketing companies are precluded from using financial information, health information, or information regarding children for marketing purposes. These guidelines aim to protect consumer privacy in light of the expanding business of online marketing.