Preparing your Web site's privacy policy

Should your Web site have a privacy policy? It’s not required by law, but it’s probably a good idea, according to Stephanie B. Glaser, an associate at Patterson, Belknap, Webb & Tyler L.L.P. in New York.

While there is no general federal privacy law governing the collection of personal data online, several related bills have been introduced in Congress. Web sites that collect health or financial information, or information from children or non-U.S. residents, may need to comply with specific U.S. and foreign laws, Glaser said.

Web sites that routinely collect personal information from U.S. residents (such as name, address and e-mail address) and plan to share that information with third parties should probably have a privacy policy, according to Glaser. "In these instances," she said, "a privacy policy may instill confidence in site users and make them more willing to submit their information over the Internet."

At the very least, she said, if a user complains that his or her information was used inappropriately, the site’s owner can point to its privacy policy to support the argument that the user had fair warning.

Beyond having a policy, it's equally important to ensure that the policy is easily accessible wherever the site user is asked to provide information. And, Glaser said, marketers must stick to what they say in their privacy policies. In the past year, the FTC has made good on its promise to enforce Web site policies by filing charges against several companies that collected personal information but failed to use and protect it in the manner described in their privacy statements, she said.

Privacy policy basics

The necessary elements of a privacy policy vary, depending on the type of site and how its owner uses visitors’ personal data, Glaser said. Nevertheless, she listed a few general principles that should be in any privacy statement:

• Notice.
Privacy statements should give users clear and conspicuous notice of information collection and use practices, including whether such information is disclosed to other entities.

• Choice.
Site users should be given choices about how their information is used beyond the use for which the information was provided (for example, if the user provided information to subscribe to an e-mail newsletter but the company also intends to sell that information to a third party). Marketers can provide site visitors these options by allowing them to check a box to opt in or opt out of a particular use of their information.

• Security.
Privacy policies should let site users know what steps are taken to reasonably protect the security of the information collected, including precautions to prevent its misuse, loss or alteration.

• Access and correction.
Site users should be informed about how they can access, review and correct the information a Web site has collected about them.
