NY Startup Law

A business law blog for New York entrepreneurs by Marc Law Associates PLLC


I’m sure most people reading this post, including me, often log on to their favorite web site to find information, listen to music, or shop for a desired item and completely ignore the link on the website that’s usually labeled Privacy Policy. Most casual internet users simply don’t pay attention to how the websites they like are tracking them, and the majority of my clients build websites without thinking they should bother going through the trouble of paying an attorney to draft a privacy policy; they either leave it off their website altogether or copy and paste a competitor’s privacy policy and use it as their own. Are these naysayers wrong? It depends on a myriad of factors. This post will try to take some of the mystery out of the company privacy policy, which is the internal company policy addressing how a company uses, secures, and manages personally identifiable information (“PII”), and the privacy notice, which is the publication of that policy on the company website, alerting website users to the company’s privacy practices.


Data privacy has many different meanings in many different areas, and can be altered by a myriad of influences including but not limited to nationality, industry, and even age. The main reason any internet company should have a privacy policy is if the company site collects PII from consumers. In the United States, whose data privacy regulation is more reactive than proactive, PII may include the following: name, social security number, credit card info, address, etc. For companies that collect PII, a privacy notice is necessary to inform the site’s users what measures the website operators will take to protect the PII of its users, and how the site will use this information.

The reason that you probably should not post a privacy policy notice unless it’s absolutely necessary for PII purposes is that once you post a privacy policy, the Federal Trade Commission (FTC) has jurisdiction over your site, because privacy notices are considered advertising by the FTC. The FTC’s support for this theory is that it considers your privacy notice an incentive for consumers to use your site, due to your possible reassurances of protection of PII and possible guarantees not to use PII for any unauthorized purposes. Moreover, if you structure your privacy policies or notices as part of any click wrap agreements (the “check the box if you agree” messages you usually see), deviation from the notice or policy will expose you to a breach of contract claim. This makes it essential to have a point person manage your privacy practices from a compliance perspective to avoid any legal ramifications, which can be pretty expensive and risky if unattended. So if you’re not collecting the PII of consumers, it may be easier to leave the notice off your site.


There are three industries where notices are not only mandatory but face intense scrutiny, as different laws govern the collection, use and transparency of PII: banking/financial websites, health related websites, and websites that market to children.

Financial websites have to pay attention to the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to publish an annual notice of their privacy policies, provide their customers with control over having their financial information shared with third parties, and provide added security to protect the PII of their customers among other guidelines.

Healthcare companies and their affiliates are governed by the Health Insurance Portability and Accountability Act (“HIPAA”), which governs the privacy and protection of protected health information (“PHI”) by “Covered Entities,” which include health care providers. Congress recently updated HIPAA as part of Obama’s stimulus bill by enacting the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which expands covered entities to business associates. This means that any tech company that provides services to health care providers must also comply with these rules. Therefore, if you start a company that caters to health care, you’re going to have to pay close attention to HIPAA and HITECH and structure your privacy policies and notices to comply with both.

The Children’s Online Privacy Protection Act, known in the privacy arena as COPPA, restricts websites from collecting or disclosing PII from children under the age of 13 without parental consent. Therefore, if your startup is aimed at this demographic you should not only post a privacy notice stating that you don’t collect PII from this protected class, but also gear your privacy policies towards adherence to this rule. It may be more important to address COPPA if your site doesn’t market to children under 13 years of age and you collect PII. If this is the case, your privacy notice and policies must address COPPA, since a site collecting PII is more likely to violate the rule if it doesn’t pay attention than one that markets to this class entirely, as those sites may have a heightened awareness of the rules.


Different jurisdictions treat privacy differently. The two main ones that startups need to be cognizant of are California if your site collects PII and markets domestically, and the European Union if your website collects PII from Europeans.

The United States as a whole takes a very reactive approach to privacy legislation, enacting legislation in response to consumer complaints. However, California is regarded as the state with the most stringent privacy legislation. For instance, last year California enacted legislation that requires any app developer that collects PII from California residents to have a privacy notice. No other state that I know of has enacted similar legislation, and most app developers I know don’t create apps with the intent of excluding California residents from their customer bases. Perhaps California’s privacy laws are at the cutting edge since Silicon Valley is there, but whatever the reason, a startup with national focus must be cognizant of what California is doing in the privacy arena if it intends to market to California residents.

Europe’s privacy framework is based on data protection, and its Data Privacy Directive of 1995 codifies these laws, which represent minimum standards for the protection of PII by members of the EU. Any transfer of PII outside of the EU must either comply with their Data Directive or risk being fined for transferring PII out of Europe without following the framework. With respect to American companies, the Department of Commerce set up a Safe Harbor Program that the EU recognizes as a permissible substitute, allowing American companies to transfer and collect PII from European residents without the heightened security that others would face. The Data Directive was initially enacted to prevent multinational companies from transferring PII outside of Europe, but seemingly could apply, and in my opinion will eventually apply, to all digital entities that collect and transfer PII from European residents. In fact, I reached out to the Department of Commerce last year on behalf of a client that markets to European clients over the internet, and the representative I reached out to responded that my client should join the Safe Harbor Program. I will not go too much into the Safe Harbor Program in this post, but will surely address it in a post of its own in the future.


If you don’t collect consumer PII, you may not need to post a privacy notice. The only reason that you would need to is if the failure to post one would result in possible reluctance to use your site due to your client base’s mistrust. If you do collect PII, become familiar with privacy laws pertaining to your industry and the jurisdictions you will collect PII from to assist in forming a privacy policy. Most importantly, when drafting a privacy notice, make it as broad as possible to avoid posting promises you can’t keep or afford to monitor, or else the FTC or your Attorney General may come knocking on your door, and I don’t think any startup or established company that migrates to the internet wants that.
