Most websites offer a privacy policy, but did you know that few states have any laws regulating privacy policies of private entities?

Nebraska and Pennsylvania consider any false or misleading statements in privacy policies illegal under their deceptive and fraudulent business practices laws. Connecticut requires businesses that collect Social Security Numbers to have a publicly displayed privacy protection policy on their website that protects SSN confidentiality and disclosure. Currently, only California, in its Online Privacy Protection Act of 2003, requires websites that collect personally identifiable information of California residents to conspicuously post a privacy policy on their website.  However, many websites comply with this standard nationwide, not differentiating between residents of different states.

Additionally, in September of 2013, California enacted a novel addition to their law on website privacy policies known as “do not track.” This law, AB 370, requires websites that collect personally identifiable information or “PII” of California residents to include certain information in their privacy policies, which must be available in a conspicuous link on their website. PII is defined by California law as:

“individually identifiable information about an individual consumer collected online…from that individual…in an accessible form, including any of the following: first and last name, physical address, email address, phone number, social security number, and any other identifier that permits the physical or online contacting of a specific individual.”

Such disclosures must state whether or not PII is collected, what categories of PII are collected, if PII is made available to third parties, if users can adjust such collections of information, describe how the site notifies users of changes to such collections, the effective date of the policy, whether other parties collect PII when you use their website, and whether or not  “do not track” signals from web browsers are complied with. “Do not track” is a signal from a web browser to a web site that is designed to inform the website that the user does not wish to have their usage and information followed and saved by websites, and the idea is that the website would then comply with that request.

Currently, most major web browsers (Internet Explorer, Safari, Chrome, and Mozilla Firefox) support “do not track” signal transmissions, but you have to turn it on. See your preferred web browser’s website for information on how to do this. However, many websites do not listen or comply with such signals, so be sure and take additional measures if you want to prevent this kind of tracking.

If you need help creating a privacy policy for your business or checking to see if it complies with these standards, be sure to contact the Law Office of E.C. Lewis, PC, home of your Denver Small Business Attorney, Elizabeth Lewis at 720-258-6647 or email her at