One of the items on the startup’s to-do list is posting a privacy policy on its web site. Often they think that this is one item that won’t cost them anything if they take the do-it-yourself approach, meaning (i) finding a privacy policy that looks good on a website, (ii) copying it, (iii) searching and replacing the company name, and (iv) voila! privacy policy complete! Yes? No, absolutely not. Privacy policies must first and foremost be truthful statements of a company’s data practices. Untruthful statements can lead to class action or other lawsuits, and enforcement actions from the Federal Trade Commission (the FTC) and state attorneys general, not to mention the adverse publicity that typically accompanies legal action against the company.

Recent examples of companies that experienced significant legal problems based on their inadequate or improper privacy policy include the following:

  • Nomi Technologies, whose technology allowed retailers to track consumers’ movements through stores, was investigated for misleading consumers by stating that consumers would receive notifications when they were being tracked and be offered opt-out opportunities, despite the fact that no such mechanisms were available. Perhaps their privacy policy was a statement of functionality the company had planned for but not yet fully released, but the conflict between the stated and actual policies was problematic.
  • In 2015, six companies were alleged to have violated the FTC Act because their privacy policies stated the companies were certified under a safe harbor program when those companies had never applied for membership in the safe harbor. The exact facts that caused the companies to make flatly untrue statements in their privacy policies are not known, but this has all the earmarks of companies that took the “quick and easy” path of copying and pasting another’s policy without careful review – a path that turned out not to be easy at all.
  • The FTC entered into a settlement with Snapchat to ensure that it does not misrepresent the extent to which it protects users’ privacy and security. The settlement includes Snapchat agreeing to twenty years of independent audits of its data practices. This case illustrates that apps, ever the darling of the startup, are held to the same standard as websites.
  • The FTC got involved when Facebook proposed to acquire WhatsApp. The message to the companies was that if WhatsApp made statements to its users about the protection of their data upon or after an acquisition, those statements must be honored or else risk FTC enforcement actions, and in the case of Facebook, violation of its consent order. Many startups hope to be acquired; data practices must be planned for and stated at the onset accordingly and not forgotten about or dismissed at the negotiation table.

We recommend starting with a blank page and a completed privacy policy questionnaire that addresses the client’s website/app functionality, audience and intended data practices, such as selling data to or sharing data with marketing partners. It is more efficient to craft the answers into a privacy policy than to go in reverse; an attorney reviewing a policy submitted by a client does not know (without a meeting with senior executives and IT personnel) which statements are representative of the client’s actual and intended practices and which may have been simply “borrowed” from another’s policy. Untrue statements can result in immediate violation of law.

Even under California law (which has far-reaching implications in that it requires every company that collects personal information from a California resident to post and abide by a privacy policy), it is better to have no privacy policy at all than one that is untrue, as a company has thirty days after a notice of a violation to get into compliance before penalties attach. There is no such grace period for an FTC enforcement action for an untrue statement that the FTC deems a deceptive trade practice.

This is also not a ‘set it and forget it’ exercise. As companies and business models change, all policies and terms of use should be reconsidered. A few hours a year is likely to be invaluable in allowing policy language to ‘catch up’ with business practice and prevent expensive legal proceedings.

Let our privacy lawyers advise you on data practices and help you draft your privacy policy.

If you would like additional information, please contact any of the following FisherBroyles partners:

Carl Johnston
(404) 330-8179

Marty Robins
(847) 277-2580

Los Angeles
Steven Papkin
(310) 415-6254

Peter Cahill
(617) 475-0094

Palo Alto
Kimberly Booher
(650) 636-5958

FisherBroyles, LLP – Cloud-based.  Not Virtual™

Founded in 2002, FisherBroyles, LLP was the first in the U.S., and now the largest full-service, cloud-based law firm in the world. The Next Generation Law Firm has grown to approximately 150 attorneys in 19 offices nationwide. The FisherBroyles’ Law Firm 2.0 model leverages technology to offer a more cost-effective solution without sacrificing Big Law quality by eliminating unnecessary overhead that does not add value to clients. Visit our website at to learn more about our firm’s unique approach and how we can best meet your needs.

© 2016 FisherBroyles LLP. These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create an attorney-client or similar relationship. Please do not send us confidential information. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.

This newsletter has been prepared for the general information of clients and friends of FisherBroyles. It is not intended to provide legal advice for a specific situation or create an attorney-client relationship. Under rules applicable to the professional conduct of attorneys in various jurisdictions, it may be considered advertising material.