Insights into law - The five most common legal mistakes involving commercial Web sites

Rob Hassett

August 1, 2008

Do you have a privacy policy posted on your business Web site? If so, did your attorney review it? If you answered “no,” there’s a good chance there’s a difference between what you state in your privacy policy and what your actual practices are.

And if there is, you could be subject to actions for fraud by the Federal Trade Commission and by private companies and individuals.

In a recent case, a jury awarded $4.5 million in damages against a company that helped students apply to colleges online, because the policy stated personal information was not being shared. But it was. This is an example of the type of legal mistakes often made with commercial Web sites.

Here are the five most common legal mistakes involving commercial Web sites:

1. The company’s privacy policy doesn’t accurately state what the true policy of the company is. Make sure your privacy policy says that in the event of the sale of your business, you reserve the right to transfer the data you collected from customers to the purchasers of the business, while making it clear the new owners will continue to be subject to the commitments that you make regarding privacy.

2. The business is required to have a privacy policy and does not. A number of laws require the posting of a privacy policy under certain circumstances, including the Gramm-Leach-Bliley Act (which applies only to “financial institutions,” but which defines the term “financial institutions” very broadly); the Health Insurance Portability and Accountability Act (which applies to health care providers, health care plans and “health care clearing houses,” i.e., companies that collect and sort health-related billing data); the Children’s Online Privacy Protection Act (which applies to Web sites that are directed to children under 13 or that knowingly obtain data from children under 13); and the California Online Privacy Protection Act (which requires any commercial Web site that collects data from individuals residing in California to post its privacy policy). The consequences of non-compliance with privacy laws can be severe.

3. Failure to post a “Copyright Policy.” Third parties are able to post materials on the Web site, and the company fails to post a “Copyright Policy” and to file with the U.S. Copyright Office a designation of a representative to receive any complaints regarding copyright infringement. Properly posting such a policy helps insulate the company from liability for the posting of infringing materials by third parties.

4. Failure to screen all photos of individuals posted on the site. Posting a photo of a recognizable individual on a Web site without permission, when it is not posted for a newsworthy purpose or in another situation protected by the First Amendment freedom of speech clause, can result in liability.

5. Failure of the owner to register copyrights in the owner’s Web site. If the copyrights in the Web site are owned by the Web site’s owner, but the owner doesn’t register the copyrights in the U.S. Copyright Office, the owner may still register the copyrights after an infringement and sue to stop such copying and collect provable damages (it is very difficult to prove any), but may not recover what are called statutory damages (much easier to prove) or attorney fees.


Rob Hassett is an attorney with Casey Gilson in Atlanta.