Five Most Common Legal Mistakes Involving Commercial Websites

July 2008 Article for Business to Business Magazine

by Rob Hassett

Do you have a privacy policy posted on your business website?  If so, did you have an attorney review it?  If the answer to this question is “no,” there is a good chance that there is a difference between what you state in your privacy policy and what your actual practices are.  If there is, you could be subject to actions by the Federal Trade Commission and by private companies and individuals for fraud.  In a recent case, a jury awarded $4.5M in damages against a company that helped students apply to colleges online, because the policy stated that personal information was not being shared, but it was.  This is an example of the type of legal mistakes that are often made in connection with commercial websites.

 The five most common legal mistakes involving commercial websites are:

             1.         The company’s privacy policy does not accurately state what the true privacy policy of the company is.  If nothing else, you should make sure that your privacy policy says that in the event of the sale of your business, you reserve the right to transfer the data you have collected from customers to the purchasers of the business, while making it clear that the new owners will continue to be subject to the commitments that you make regarding privacy.

             2.         The business is required to have a privacy policy but does not.  There are a number of laws that  require the posting of a privacy policy under certain circumstances including the Graham Leach Bliley Act (GLB), which applies only to “financial institutions,” but which defines the term “financial institutions” very broadly; the Health Insurance Portability and Accountability Act (HIPAA), which applies to health care providers, health care plans and “health care clearing houses” (i.e. companies that collect and sort health related billing data); the Children’s Online Privacy Protection Act (COPPA), which applies to websites that are directed to children under 13 or knowingly obtain data from children under 13; and the California Online Privacy Protection Act , which requires that any commercial website that collects data from individuals residing in California post their privacy policies.  The consequences of not complying with privacy laws can be very severe.  Violations of GLB can result in a bank’s loss of FDIC insurance – which would likely put the bank out of business.  Violations of HIPAA can result in criminal penalties of up to 10 years in prison and a $250,000 fine.  For violations of COPPA, Mrs. Fields Cookies paid a civil penalty of $100,000 and Hershey’s paid $85,000.  Violations of the California Online Privacy Protection Act can result in private lawsuits — possibly a business person’s worst nightmare.

             3.         Third parties are able to post materials on the website and the company fails to post a “Copyright Policy” and file a designation of a representative to receive any complaints regarding copyright infringement with the U.S. Copyright Office.  Properly posting such a policy helps to insulate the company from liability for the posting of infringing materials by third parties.

             4.         Failure to screen  all photos of individuals posted on the website.  Posting of a recognizable individual on a website without permission of that individual that is not posted for a newsworthy purpose, or other situation protected by the First Amendment freedom of speech clause, can result in liability.

             5.         Failure of the owner to register copyrights in the owner’s website.  If ownership of the copyrights in the website are owned by the owner of the website, but the owner of the website does not register the copyrights in the U.S. Copyright Office, the owner may still register the copyrights after an infringement and sue to stop such copying and collect damages provable (it is very difficult to prove any) but may not recover what are called statutory damages (much easier to prove) or attorney fees.

 CONCLUSION

Any business owner with a website should take steps to assure that the use of the website is not resulting in a violation of another person’s rights and is taking all steps to protect its own rights.

Rob Hassett is an attorney who practices in technology, entertainment and corporate law with Casey Gilson P.C. in Atlanta,Georgia.

This article provides general information only and does not constitute legal advice.  Any reader should consult with his or her own attorney before making any decisions regarding legal matters.