You’d be hard-pressed to find a Virginian who hasn’t received a data security breach letter over the past decade. Whether you were subject to the OPM, Experian, Anthem, or recent Dominion National data breach, cybersecurity and use policies are necessary for business management today. Savvy consumers are scrutinizing businesses’ privacy policies before entrusting Virginia businesses with personal data, and businesses may be liable for the theft or misuse of client information. Failure to take the potential for data misuse seriously often results in a loss of clientele and business goodwill, especially after a breach.
Privacy policy agreements assure clients that your business is cognizant of data security and will protect personal identifying information. While not strictly necessary for every private business in Virginia, Virginia law still requires you to protect and responsibly manage the personal information you maintain. Your Terms and Conditions (“T&C”) or Terms of Use help accomplish this purpose by governing the use of client data and protecting your business from potential liability. Both agreements are often prerequisites to the success of a web-based business.
The Difference Between a Privacy Policy and Terms of Use
Put simply, a “Privacy Policy Agreement” is a legally binding contract obligating you, the business, to your client. It’s designed to notify, reassure, and protect consumers from data misuse. Your “Terms and Conditions” of use represent a legally binding contract obligating the user, i.e., the consumer or third party, to you. They are both legally binding contracts, but while businesses are required to protect personal identifying information even without a binding privacy policy, a T&C is often used to create rights and protect Virginia businesses against liabilities not otherwise provided for by Virginia law.
What Should Your Privacy Policy Contain and Why?
It’s recommended, and often required by statute, that privacy policy agreements in Virginia contain the following minimum information:
• A list of what information, including personal identifying information, will be collected if a client visits or utilizes your web-based services
• Whether this information, including what specific information, will be automatically collected simply by accessing the website
• Whether your website automatically places a “cookie” on the user’s computer and, if so, for what purpose, and
• How the collected information is, will, or may be used
Businesses with access to certain out-of-state markets, international clientele, or that use third-party integration platforms are often required to have a thorough and prominent privacy policy in place. You are contractually bound by the use restrictions and provisions set forth in your privacy policy; as such, it’s essential to monitor and update your privacy policy if there is a shift in the collection and use of client data.
The presence or absence of a privacy policy agreement does not mitigate your responsibility to protect client data in accordance with Virginia, federal, and international law. However, many Virginia business owners utilize their unique privacy policies to build business goodwill by assuring clients that their data is being actively protected and informing users of their privacy rights. Businesses targeting clients in the healthcare, legal, and financial industries often benefit from drafting privacy policies designed to ensure users’ protection and privacy. The same is true of any business that accepts payment for goods and services via the Internet.
What Should Your Terms and Conditions Contain and Why?
A business’s “Terms and Conditions” require consumers (and often employees) to abide by certain equipment, service, and data use restrictions, which commonly include clauses prohibiting the use of your website for:
• illegal activities
• exploitation
• unauthorized marketing
• “spam,” scams, or solicitations, and
• intellectual property violations
Importantly, a conspicuous T&C Agreement can actually create rights via contract not otherwise existing under Virginia law. These often include the right to:
• Terminate a user’s access and account for “any reason”
• Disseminate personal information to third parties, including law enforcement agencies
• Take certain legal actions after a perceived misuse
• Collect, monitor, access, save, and remove personal data
• Monitor website use
• Set billing terms, and
• Disclaim certain warranties
The contractual rights contained in the terms of use often protect Virginia businesses from substantial liability if, for example, the T&C explicitly waived the cause of action alleged, clearly permitted the action complained of, and/or permitted the collection and introduction of electronic evidence in an action to defend against liability. While terms and conditions are only statutorily required for certain types of businesses in Virginia, such as credit service businesses, they are essential for your business’s protection and operation.
What is “Personal Identifying Information”?
When we think of a personal data breach, most envision a phishing expedition for financial records or social security numbers. However, Virginia businesses maintaining any “information system” that includes “personal information” must abide by certain state, federal, and international privacy laws. Personal information in Virginia is defined as all information that describes, locates, or indexes anything about an individual or affords a basis for inferring “personal characteristics.” This information includes, but is not limited to, the following:
• Social security number
• Driver’s license number
• Any government-issued identification number
• Student identification numbers
• Tax return information
• Information about property holdings, including real estate, personal items, and liquidated assets (money)
• Education
• Financial transactions
• Medical history
• Ancestry, religion, and political ideology
• Criminal and employment records
• Finger and voiceprints
• Identifying photographs
• Organizational memberships, attendance records, and activities
Almost all goods or service-based businesses in Virginia possess clients’ “personal information” as regulated by state and federal privacy laws. Whether it’s your client’s transactional history, preferences, stock photographs, or insurance information, the uniform collection, use, and storage of that information within a database necessitates a bulletproof privacy policy and terms of use agreement.
Speak with an Experienced Virginia Data Privacy and Business Lawyer Today
At McClanahan Powers, PLLC, our experienced Virginia data privacy attorneys tailor our clients’ privacy policies and terms and conditions to meet their unique business needs. Boilerplate policies seldom address the nuances of Virginia privacy laws or cover the array of contractual protections available to Virginia business owners. Investing in customized agreements now may save your business from substantial liability in the future. To schedule your business data privacy consultation, contact our experienced Virginia and D.C. business litigation attorneys today online or by calling (703) 520-1326.