Whenever a customer or citizen visits your website, you have a legal obligation to disclose who your business is, what data you collect and retain from visitors, and how that information will be used.
Whether you sell a product or a service, you are also required to give customers a summary of the terms, conditions and limitations that apply to your retail products and services.
Why You Need an Attorney to Draft Terms Conditions and Limitations for Your Website
Many businesses make the mistake of finding a template of terms, conditions and limitations online and using it verbatim. The purpose of the statement, however, is to describe the exact processes your business actually follows when it collects and uses data through its website; a template written for someone else's business will not do that.
Failing to write a customized statement of terms, conditions and limitations for your Oklahoma business can leave you unprotected and liable in many key areas. At Compton Law Firm, we will schedule a meeting with you and discuss the full scope of the products and services that you provide through your business. We then draft a terms, conditions and limitations statement that complies with both State privacy laws and Federal requirements.
If your business sells products or services internationally, you may also require a GDPR statement. For instance, if you are an e-commerce business that ships products internationally, and markets to foreign consumers or B2B customers, GDPR compliance is a legal requirement.
The General Data Protection Regulation (GDPR) for International Sellers
On May 25, 2018 the GDPR (General Data Protection Regulation) became enforceable across the European Union (EU). Its requirements apply to any business, wherever it is located, that offers goods or services to individuals in the EU, or that monitors their behaviour (for example through website tracking), whether or not payment is involved.
You are probably wondering how this impacts your business in Oklahoma if you have no overseas business locations or foreign employees. This change in privacy law is the biggest shift in data safety and privacy since the implementation of HIPAA for allied health organizations, and many American-based companies, because of globalized product or service sales, still fall within the GDPR's regulatory and compliance requirements.
What kind of businesses need to ensure they are GDPR compliant?
- E-commerce companies that sell goods online to global customers.
- Exporters who provide raw materials to manufacturers in European countries.
- Recruitment agencies or HR services that collect and retain data on applicants located in Europe for the purpose of placing contract workers with Oklahoma businesses.
- Freight and logistics companies that provide drayage, warehousing or other services to European companies and imports.
There are three compliance aspects that Oklahoma businesses need to adhere to if they sell to, or collect data from, businesses or individuals in Europe.
1. Consent to Collect Personal Information
Before your business collects or retains any information about an individual, it must first have a lawful basis for doing so; in practice, for website visitors and marketing contacts, that basis is usually the individual's consent. You have seen how most websites display a 'cookies' notice that you must approve before proceeding. That fulfills the basic requirement to tell visitors from European countries that you are collecting information such as visitor analytics, or the names and email addresses submitted through your contact forms.
There is an additional step required if your business sells products or services to European citizens, and it happens inside your statement of terms, conditions and limitations on your website. You must also explain why you collect the information and how you will use it. For instance, if you offer a free e-book for download and collect email addresses in exchange, you must state that the individual will be subscribed to your email marketing communications, and you must provide an easy way for them to opt out of those emails.
2. Deletion of Personal Information
Under the GDPR's storage-limitation principle, a business must have a procedure in place for deleting the personal information it collects from its website. You cannot retain names, ages, genders, email addresses or other personal data indefinitely.
If you have a database of customer information and you are no longer working with a customer or providing ongoing services to them, you must have a procedure that removes that inactive customer from your system. Businesses are required to keep personal data for the shortest time possible and to be able to justify any retention.
How long you retain this information should also be stated in your website's terms, conditions and limitations statement, together with the reason for any longer retention period that other law imposes (for example, record-keeping obligations for tax or fraud prevention). As a business owner, if you retain customer information you must also have appropriate security measures in place (for example, encryption of stored data, strict access controls and pseudonymisation where practical) to prevent a breach of sensitive information such as age, gender, address, health records, credit information and more.
3. Data Breach Protocols
If your business provides services or products to European private citizens or businesses, you must also comply with the GDPR's data breach rules. A breach is any unauthorized access to, or loss of, the personal data you hold. Two notifications are involved. First, you must report the breach to the relevant European supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk. Second, when the breach is likely to result in a high risk to the people affected, you must also tell those individuals directly and without undue delay.
The notice to affected individuals (typically an email) must describe, in plain language, the nature of the breach, its likely consequences, what your business has done to address it, and a contact point for further information. It must be sent to every customer who may have been impacted by the breach.
When your customers are notified, you must also provide them with an easy 'delete my information' procedure if they no longer wish to have their personal information stored by your business for any purpose. This right to erasure applies at any time, not only after a breach. If a customer requests deletion of their personal records, you are required to act on the request promptly (in general, within one month) and to confirm in writing that their information has been removed from your records.
Can My Business Be Sued for a Data Breach of Confidential Information?
One recent case, In re Zappos.com, Inc. (decided by the U.S. Court of Appeals for the Ninth Circuit in 2018, and later left standing when the U.S. Supreme Court declined to review it as Zappos.com v. Stevens), confirmed that individuals whose confidential information is exposed in a data breach have standing to sue the business that held it.
Even large corporations that take extreme IT security measures can be hacked. Hospitals are frequent targets, and so are educational institutions and private businesses. The data these organizations retain has a high value on the Dark Web for the purpose of fraud and identity theft. In some cases it is also acquired and misused by otherwise legitimate organizations, such as financial institutions or insurance companies, that have no lawful basis to hold it.
The ability to sue is not limited to consumers who have already suffered a concrete loss. Theresa Stevens had not yet experienced any loss from the exposure of her information, yet the court held that the increased risk of identity theft created by the breach was enough to let her claim against Zappos.com go forward.
Protect your business. A recent study found that a data breach can cost an American business almost $4 million per incident.
If you collect any kind of personal information through your website, including through tracking cookies, you need a solid terms, conditions and limitations statement that is accurate and compliant.