by Michael Mahoney
Everyone has seen them, few read them, and even fewer truly understand them. But that does not mean your company should not have them.
- the rights and obligations of the parties;
- payment of fees, remedies, term and termination; and
- other standard legal clauses like indemnification, confidentiality, and limitation of liability.
While Privacy Policies are not generally mandatory, there are certain instances where a company may be required to maintain one on its website, including if the company is:
- collecting personal information about, or targeting, children under the age of 13;
- an institution “significantly engaged” in financial activities;
- a “covered health care provider”; or
- collecting data from citizens of the European Union and transmitting and storing that data in the United States. 
Many states have enacted their own privacy laws including, among others, the California Consumer Privacy Act (“CCPA”). Many early-stage companies do not meet the requirements to be subject to these laws (for example, with respect to the CCPA, having $25MM of annual revenue, possessing the personal data of more than 50,000 consumers, and earning more than half of its annual revenue through selling consumers’ personal data). Despite this, it is important to keep each state’s regulatory regime relating to privacy in mind. In the absence of a federal law that preempts state laws, companies need to ensure compliance with each state’s laws relating to the protection of personal information.
Things to keep in mind
- Be attentive to customer requests. Certain laws (namely the CCPA) require a timely response to customer requests related to personal information a company has collected, and may involve civil penalties for non-compliance. Implement reasonable internal practices and policies to ensure continued compliance.
- Stay informed. Be sure to keep up to date with changes to the regulatory landscape, both federally and locally. Data privacy is becoming a hot topic, and states are beginning to enact laws to protect the privacy of their citizens. Therefore, it is more important than ever to regularly review these policies to ensure that they remain compliant in an ever-changing regulatory landscape.
See, respectively: the Children’s Online Privacy Protection Act; the Gramm-Leach-Bliley Act; the Health Insurance Portability and Accountability Act; and the General Data Protection Regulation.