5 Legal Clauses You Should Have in Your Privacy Policy and Why

If you scroll to the footer of most reputable websites you’ll see a link to that website’s Privacy Policy. Although almost all consumers know these policies are there, almost nobody takes the time to read them, which raises the question: why are they there at all?

The answer is that they’re often not really there for the benefit of the user; they exist to protect the website operator, limit its liability, and satisfy the laws that apply to it. To make sure your company website’s privacy policy is as effective as possible, here are five clauses it should include, and why.

1. Include a Clause Covering the Possibility of an Acquisition:

If your company is going to be acquired, the last thing you want is a deficient website privacy policy holding up due diligence. If you don’t account for the possibility of an acquisition in your privacy policy, however, that just might happen. Make sure that your privacy policy deals with the possibility of an acquisition, sale, or other transfer of assets, either by stating that the acquiring company will adhere to the pre-existing privacy policy, or by stating that upon a sale or acquisition of assets you will adopt the privacy policy of the acquirer. The specific solution you state is less important than the fact that you account for the possibility of an acquisition and provide a clear roadmap for how the policy will be affected, so that a potential deal isn’t negatively impacted.

2. Clearly State Your Data Collection Policies:

The United States has an overwhelming number of laws that have provisions relating to data collection and privacy, such as the Americans with Disabilities Act, the Children’s Internet Protection Act (2001), the Cable Communications Policy Act (1984), the Computer Fraud and Abuse Act (1986), the Computer Security Act (1997), the Consumer Credit Reporting Control Act, HIPAA, the Gramm-Leach-Bliley Act, not to mention applicable state and local laws. Because trying to understand and navigate each of these laws would keep a team of attorneys busy full time, the Federal Trade Commission has provided a list of questions that you need to clearly answer in your privacy policy which will keep most businesses legally compliant. They are:

  • What information does the company collect and how does it do so?
  • How does the company protect the information it collects?
  • How does the company use the information it collects?
  • Does the company share the information it collects with others, and if so, what is shared and with whom is the information shared?
  • Do customers have control over their personal data, and if so, what control do they have?

3. Communicate a Means to Easily Make Changes to the Privacy Policy:

If you want to change your privacy policy in the future (which you will), you need to provide a method through which those changes can be communicated. You have a few options, ranging from really onerous ones, like emailing every change to all your current and past users, to something as simple as listing the date of the last update at the top of the policy and stating when those changes go into effect. You need a means of communicating changes so that, as your business needs develop, you can make changes that apply retroactively to all users. By far the easiest approach to comply with is simply to state that changes go into effect 30 days after the policy is updated, and that users should return to the page regularly to check for updates.

4. Have a COPPA Compliant Policy for Users Under 13 Years Old:

The Children’s Online Privacy Protection Act (COPPA), created in 1998, was designed to protect children under 13 and place their parents in control over what information is collected from their children online. It applies to websites that are either targeted to children under 13, or which have actual knowledge that they are collecting information from children under 13. If your website is targeted to children and/or teens, you need to spend the time to write a comprehensive clause about what you collect, how you notify parents about what is collected, and how you obtain the parents’ consent before doing so. For websites that may only incidentally have users that are 13 or under, the most common path is to not collect age data (thus preventing you from having actual knowledge) and to state clearly in your privacy policy that your website is not intended for children 13 or under, and that they are prohibited from using the website. To the extent that collecting age data is imperative for your website, you’ll need to block users 13 and under once they tell you their age.

5. Be Clear About Your No Spamming Policy:

If your business uses email you probably already know about CAN-SPAM laws, which prevent spamming and require that you provide email subscribers with your address and an opt-out. What you may not be doing, however, is providing redundant CAN-SPAM compliant documentation in your privacy policy. So, in order to protect your company from accusations that it has violated CAN-SPAM in the event that your email addresses get hacked or a rogue employee decides to send out spam, make sure that you clearly state that your company complies with CAN-SPAM and list your mailing address, contact information, and an unsubscribe button or email in your privacy policy. That way, should a rogue email be sent, you’ll have the backup protection of being able to say that angry recipients could simply have notified you and/or unsubscribed through your privacy policy, even if the email itself was deficient.

If your website doesn’t have users under 13 years old, your company doesn’t use email for marketing, the possibility of a business merger isn’t a serious concern, and the whole host of other reasons haven’t convinced you that it’s necessary for your company to have a privacy policy, you may be wondering if you need one at all. The answer is that if your website collects any data whatsoever, whether as robust as financial or medical information or as limited as cookies, the California Business and Professions Code requires that you have a Privacy Policy. What if your business isn’t in California? Unfortunately, if your website is visible to people residing in California, and therefore could potentially collect California residents’ information, you are required to have a visible Privacy Policy regardless of where your company is based, where your website is hosted, etc. In sum, virtually every website that is subject to U.S. law must have a privacy policy.

Finally, it’s important to remember that whatever you say you’re going to do with respect to protecting your users’ information or not selling their data, you should actually do. While enforcement is spotty, the FTC does have the power to, and on occasion actually does, prosecute companies that violate the promises in their privacy policies.