Tech & Sourcing @ Morgan Lewis


Drafting and posting a clear, concise, and accurate privacy policy is one of the most important tasks when creating a company’s website, particularly given today’s legal and regulatory environment. Legal requirements for privacy policies are becoming more stringent and shortcomings less tolerated, and consumer sensitivity to privacy concerns is at an all-time high.

Despite these concerns, many companies’ policies are seemingly insufficient. A recent opinion piece published as part of the New York Times’ Privacy Project assessed 150 privacy policies from various companies and found that the vast majority of them were incomprehensible for the average person. At best, these seem to have been “created by lawyers, for lawyers” rather than as a tool for consumers to understand a company’s practices.

In this month’s Contract Corner, we will highlight considerations for drafting an up-to-date privacy policy. Part 1 of this month’s Contract Corner will provide background on the current legal landscape for privacy policies in the United States and general issues that need to be addressed.


Unlike other countries, the United States does not have a uniform set of privacy laws and regulations. However, it is still important to understand the current legal landscape when creating or updating your privacy policy, including the specific jurisdictions, types of data, or industries that apply to your company.

At a federal level, although there is no general privacy protection legislation, there are certain specific laws that may impact privacy policy terms regarding protected health information (PHI) (Health Insurance Portability and Accountability Act, or HIPAA – applicability discussed in our previous LawFlash) or data acquired from children (Children’s Online Privacy Protection Act, or COPPA – compliance issues discussed in our previous LawFlash).

In the absence of general federal legislation, states have been rolling out their own laws imposing privacy policy requirements on companies doing business within their borders. In Colorado, since September 1, 2018, businesses owning, maintaining, or licensing personal information of Colorado residents must maintain a written policy for disposing of documents containing personal identifying information (discussed in our previous LawFlash). In California alone, businesses with an online presence must comply with multiple laws, including the California Online Privacy Protection Act (Calif. Bus. & Prof. Code §§ 22575-22578) (CalOPPA) and the California Consumer Privacy Act (discussed in our previous LawFlash and blog post), which goes into effect in 2020.

Moreover, failing to stay aware of the laws and regulations pertinent to your particular industry and business, and as a result implementing an inaccurate or misleading privacy policy, could expose your company to liability through regulatory and legal actions. For example, as discussed in our previous blog post, the City of Los Angeles, on behalf of the People of the State of California, filed suit against The Weather Channel (TWC) for allegedly violating California’s Unfair Competition Law (Business & Professions Code §§ 17200-17210). The focal issue is whether TWC’s privacy policy sufficiently discloses its actual business practices regarding the collection and use of personal data. The city argues that, through its marketing, TWC misled consumers into believing that their geolocation data would be used only to provide them with tailored forecasts and alerts, while TWC ultimately profited from using the data for other undisclosed purposes.

Drafting Issues

Although it would be nearly impossible to discuss all of the specific diverse legal requirements impacting privacy policies due to differing requirements across companies, industries, states, and countries (the General Data Protection Regulation (GDPR) also has its own requirements for “privacy notices” – see our GDPR Resource Centre for additional information), we have put together the following list of items that generally should be covered in your company’s privacy policy in the United States to provide a foundation for legal compliance:

  • The types of data your site or application will be collecting, which may include, for example, personal data (e.g., name, address, email address, telephone number, credit card information), geolocation data, information about user hardware and software, and other logged data such as IP addresses;
  • Why the information is needed and by whom (your entity, regulators, other third parties);
  • Details about the methods used for collecting data (e.g., via forms, original referrers, automatic collection);
  • How the information will ultimately be used (e.g., shared with, or sold to third parties, used solely to optimize the site or application for users, etc.); and
  • Where and how the information will be stored, as well as comprehensible details regarding your company’s procedures and means to protect personal information.

In this Part 1 of our Contract Corner on Privacy Policies, we have provided an overview of the legal background impacting privacy policies and general items to be covered in an up-to-date policy. In Part 2 of this Contract Corner, we will provide specific pointers on drafting those policies.