Last updated on 01 July 2022 by Jocelyn Mackie (Former civil litigation attorney. Content legal strategist at TermsFeed)
It is easy to overlook user comments when it comes to privacy practices. Since users often post comments through third party platforms (like Facebook) and submit the information voluntarily, there are few developers who realize privacy protection laws apply to these exchanges.
Most jurisdictions have passed laws protecting personal information. This is data that can be used to identify an individual online. Also called personally identifiable information, it includes but isn't limited to:
You must comply with these laws even if you only collect and share one type of personal information, such as email addresses or screen names.
Canada, Australia, the E.U., and the U.K. all have comprehensive privacy protection laws.
The U.S. does not have a federal law, but many states have their own laws. California, Delaware, and Nevada enacted online privacy protection acts and Illinois has one regarding location tracking.
Current laws are similar in their requirements for Privacy Policies. Every policy must include provisions describing:
Since user comments are voluntarily submitted, many developers fail to see commenting as collecting personal information. However, even when users willingly give information, you still have obligations to inform them that data becomes public and take measures to protect it.
Other information that may be considered personal is IP addresses. Since this number is unique to each device connected to the Internet, it has the potential of identifying individual users. IP addresses can also reveal the general geographic location of a device and that also makes them a form of protected information.
Taking a look at a comment on the Wordpress platform reveals the amount of personal information involved in commented. In this example, the commenter's name, email address, and IP address is all known to the developer.
This part is often included with the list of information collected by the website. It may also stand alone along with other policies affecting user comments.
The best way to start with this section is to explain that comments are publicly viewed and anything a user shares can be seen by others. Include a list of the information that could be released.
The New York Times allows comments on its news articles. It explains that when users disclose a screen name, image or email address, that information will be in public view.
This is true whether a user comments through Facebook or Google+ or responds directly to the story through the New York Times website.
Many developers do not create and maintain their own discussion and comment forums. They often borrow the services of Facebook, Google, and Disqus so they do not have to request new profiles from users. Even then, the website owner is not excused from the responsibility of following privacy laws.
Disqus, Facebook, and Google offer plugins and free code so users can post comments to a website through those platforms. Even with the use of these resources, developers must still address comments in their Privacy Policies.
For example, YouTube uses Google profiles when it comes to user accounts and comments. It extends the same notice to users explaining that information in a Google profile can publicly identify a user.
Disqus exists to allow users to comment on many websites without opening multiple profiles. It explains that using its service allows for tracking of comment patterns and social media use. There is also notice that usernames and email addresses are saved.
Current privacy laws require that you provide notice to consumers any time you collect their personal information, including any data given to you voluntarily. That extends to user comments as well as the information users give to put together an account.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022