Have you ever signed up for a few e-newsletters, and then later noticed that your inbox was barraged with much more spam than usual? Spam that seems to have nothing to do with your newsletter sign up, but that you suspect might have a lot to do with it? You’ve probably just been taken along for a ride in the most widespread form of information gathering and secondary use, but certainly (luckily!) not the most dangerous part of that ride. But still, how shady is that? No one likes to be manipulated, and you don’t want your customers thinking you’re trying to manipulate them. That’s why privacy policies are key— they communicate your acts and intentions so everything stays peachy and stress-free.
Your site should abide by the following practices, which summarize the Federal Trade Commission's Fair Information Practice Principles (notice, choice, access, integrity/security, and enforcement):
- Inform people when you collect information.
- Collect only the data needed.
- Offer a way for people to opt out.
- Keep data only as long as needed.
- Maintain accuracy of data.
- Protect security of data.
- Develop policies for responding to law enforcement requests for data.
Let's break the policy itself down paragraph by paragraph. Paragraph 1 is the notice section: who you are and what you collect.
- Identify yourself (your business name/service/product/etc.).
- State whether you collect any data, and if you do, what data that is.
- Identify how you will use that data (use it to send weekly email digests? sell it to advertising companies?).
- Specifically name any potential recipients of the data (keep in mind that a third-party email service provider that sends or stores your messages receives subscriber data indirectly, so it counts as a recipient).
- State how you obtain that data (do users voluntarily provide it, or do you record things like their IP address without users lifting a finger?).
- State whether this data is required or optional – must the user provide it before using your site?
- Identify the steps you have taken to ensure that the information remains confidential, current and accurate.
Paragraph 2 covers choice. State whether data is collected on an "opt-in" or "opt-out" basis. It is generally considered less shady to begin under the assumption that users do NOT want you sending them unrelated emails and recording their information, and then let them correct you if they do (that is, opt-in, with nothing pre-checked).
Remember how at the end of paragraph 1 you shared the steps you take to ensure that user info is current? Here in paragraph 3, you should clarify how that is done. According to the FTC, users who supply personal information should have the ability to view the data collected and verify its accuracy. You can't make users pay for this right, or jump through lots of hoops to use it. Will they have an account on your site through which they can view, change or delete their data and preferences? If not, say how they can request that instead.
Paragraph 4 covers security. How do you protect user data? Here, state how you protect against both internal and external security threats. For internal threats, one aspect of your security might be that only certain employees have access to certain information (the gardener probably doesn't have access to accounting files, etc). As for external threats, encryption and other computer security measures should be in use when it comes to personal information, so here is where you mention that connections to your site use TLS (SSL is its deprecated predecessor, so don't advertise it by name), and whether stored personal data is encrypted as well. Only claim measures you actually have in place: a policy that promises protections you don't deliver is worse than one that is silent.
Paragraph 5 covers enforcement. Who enforces your policy? Unless you fit into one of the criteria mentioned below, no regulator will be auditing your policy on a routine basis (see the first paragraph in this article). Bear in mind, though, that if you break a promise you make in your own policy, the FTC can treat that as a deceptive practice under Section 5 of the FTC Act, so write only what you will actually do. Maybe you hire a third party to audit your privacy framework, and if you do, you would mention it here. But for the majority of us, we'll probably use a simple phrase for this paragraph, like this one:
This policy is self-regulated by the information collectors: [MyCompany, Inc.]
On the federal level, several acts regulate what companies in particular industries must put in their privacy policies:
- The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions.
- The Fair Credit Reporting Act (FCRA) applies to credit bureaus and others who use consumer reports.
- The Health Insurance Portability and Accountability Act (HIPAA) applies to health care providers, health plans and their business associates, including the sites they run.
- The Family Educational Rights and Privacy Act (FERPA) applies to educational institutions and the sites they operate.
Be sure to seek out any specific regulating bodies for the industry you're a part of.
On the state level, check whether your location imposes additional requirements. California, for example, requires commercial sites that collect personal information from California residents to post a privacy policy at all.
On pages where you’re specifically asking for information, you may want to more prominently feature your policy or a link to it.
And just because we're used to seeing the "small print" in small print doesn't mean yours has to be. Do your users' eyes a favor and use a legibly sized font.
Finally, don’t be tempted to make your policy long-winded and important-sounding. After all, the goal is to inform your users about what you’re doing – not just to cater to attorneys.