COVID-19 has shuttered businesses across the globe with no “grand return” day yet in sight. Looking to generate revenue while brick-and-mortar locations are closed, businesses are turning to online sales and services, many for the first time. Fine dining restaurants that have never before offered takeout are now doing so, shops are holding sales using social media, and restaurant food purveyors are now selling to the general public. Local boutiques that have never before had an online storefront are now conducting website sales and local porch deliveries. In one interesting case, the reservations website Tock recently pivoted to offer “Tock to Go” and is managing takeout orders for the restaurants on their platform.[1] For smaller businesses now scrambling to adjust to today’s virtual market, website privacy policies are likely not at the top of the priority list. However, if material changes have been made to the business’ website to accept online orders, and the website is now newly collecting the personal data of visitors, the website privacy policy must be updated.

A website privacy policy is an important legally binding document that notifies visitors as to the types of personal information gathered from visitors and how the website operator uses, stores, manages, and/or distributes that information. Types of personal information that are typically gathered from websites that allow account creations and/or online purchases include names, email addresses, phone numbers, billing and shipping addresses, payment information, and other data. Websites may also passively gather data about the users’ device and location including GPS data, IP address, service provider, ISP, website traffic, and additional data through cookies, web pixels, and other tracking technologies. Regardless of whether the user actually reads the privacy policy, the policy is intended to govern the user’s interactions with the website and how the website operator can use the data provided by visitors.

The general rule on privacy policies is that the disclosures must be clear, complete, and not misleading. If the privacy policy states that the website operator does not sell user data, then the website operator should not be selling user data. Federal legislation on privacy policies is limited; however, the Federal Trade Commission has taken up the mantle of bringing regulatory actions against companies whose actual data practices conflict with their privacy policies and against companies who post misleading privacy policies. In 2019, the FTC imposed a $5 billion penalty and sweeping new privacy restrictions on Facebook, which the FTC charged with violating FTC orders by deceiving users about their ability to control the privacy of their personal information.[2] The FTC consent judgment claims that Facebook repeatedly used deceptive disclosures and settings for user privacy preferences that allowed Facebook to share users’ personal information with third party apps downloaded by the user’s Facebook Friends without the knowledge of the user. While the Facebook penalty is the largest ever levied by the FTC, the agency has routinely brought enforcement actions against entities whose privacy policies did not meaningfully provide notice before sharing personal information or using the collected data in a substantively different manner than described in the policy.

For many local and small businesses, websites can be fairly basic. A local restaurant may have a webpage that just displays the menu, location, and hours of operation. A local boutique may have a webpage that only displays hours of operation, location, and a few frames from its recent Instagram posts. For websites like these that do not use tracking technologies, account creation, online ordering, or any other kind of user interaction features, privacy policies can be fairly basic since little personal information is being collected. But with the pivot to an online model, if a website is now accepting personal information to fulfill online orders, the privacy policy needs to be updated to account for those changes.

That need for an update goes double for any businesses located in California or with significant enough contacts to California to make the business subject to the new California Consumer Privacy Act (CCPA). The CCPA, which went into effect in January 2020, requires that each website have a Privacy Policy that advises California consumers of the various rights the CCPA gives to them. The CCPA gives California consumers several rights with regard to the data collected about them, including the rights to: (1) request disclosure of the business’ data collection and sales practices for the particular consumer; (2) request a copy of the personal information collected about the consumer during the 12 months before the request; (3) have the collected information deleted, with certain exceptions; (4) request that the personal information not be sold to third parties; and (5) not be discriminated against for exercising any of these rights. Despite requests from industry groups for delay due to COVID-19 logistical issues, the California Attorney General will not be delaying enforcement of the CCPA, which is scheduled to begin on July 1, 2020.

Privacy policies are not exciting, but they are a vital aspect of doing business and collecting data online. If your business has recently expanded its online offerings, be sure your privacy policy covers those changes.


[1] Kristen Hawley, “Your Reservation Has Been Canceled: How apps like OpenTable, Tock, and Resy are pivoting to keep themselves – and restaurants – afloat in a world without bookings”, Eater, Vox Media (Apr. 22, 2020).

[2] “FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook”, Federal Trade Commission (Jul. 24, 2019).