How to Avoid Being a Shady Developer, Part 2: Privacy Policies


Post Tags

In order for users to utilize your service, they have to be at least somewhat informed about it. In order for users not to hate your service with a fiery passion, they have to not be barraged with newsletters and popups that they weren’t expecting. Drawing the line between those two nebulous extremes? That’s a job for your privacy policy. In part two of this series, you can make/check/update your own privacy policy, check which online laws apply to your site, and generally continue to avoid being shady.

Have you ever signed up for a few e-newsletters, and then later noticed that your inbox was barraged with much more spam than usual? Spam that seems to have nothing to do with your newsletter sign up, but that you suspect might have a lot to do with it? You’ve probably just been taken along for a ride in the most widespread form of information gathering and secondary use, but certainly (luckily!) not the most dangerous part of that ride. But still, how shady is that? No one likes to be manipulated, and you don’t want your customers thinking you’re trying to manipulate them. That’s why privacy policies are key— they communicate your acts and intentions so everything stays peachy and stress-free.

Privacy policy: Do you need one?

If at any time, users interacting with your site give any information that may pertain to their personal identity, you should have a privacy policy in place and clearly publicized.

I say “should” because technically, at this point in time, the Fair Trade Commission’s “Fair Information Practices” are only recommendations for maintaining privacy-friendly, consumer-oriented data collection practices, and are not enforceable by law. However, it’s only a matter of time before publishing and abiding by your own privacy policy will be required.


Your site should abide by the following practices, as outlined by the Federal Trade Commission’s Fair Information Practice Guidelines:

  1. Inform people when you collect information.
  2. Collect only the data needed.
  3. Offer a way for people to opt out.
  4. Keep data only as long as needed.
  5. Maintain accuracy of data.
  6. Protect security of data.
  7. Develop policies for responding to law enforcement requests for data.

The job of your privacy policy is to inform your users how you abide to the above policies.

Let’s break this down paragraph by paragraph…

Paragraph 1:

  • Identify yourself (your business name/service/product/etc.).
  • State whether you collect any data, and if you do, what data that is.
  • Identify how you will use that data (use it to send weekly email digests? sell it to advertising companies?).
  • Specifically name any potential recipients of the data (keep in mind that email client companies will indirectly receive the data if they store users’ emails).
  • State how you obtain that data (do users voluntarily provide it, or do you record things like their IP address without users lifting a finger?).
  • State whether this data is required or optional – must the user provide it before using your site?
  • Identify the steps you have taken to ensure that the information remains confidential, current and viable.

Paragraph 2:

State whether data is collected on an “opt-in” or “opt-out” basis. It is generally considered less shady to begin under the assumption that users do NOT want you sending them unrelated emails and recording their information, then let them correct you if they do.

Paragraph 3:

Remember how at the end of paragraph 1 you shared the steps you take to ensure that user info is current? Here in paragraph 3, you should clarify how that is done. According to the FTC, users who supply personal information should have the ability to view the data collected, and also verify its accuracy. You can’t make users pay for – or jump through lots of hoops to use – this right. Will they have an account on your site, through which they can change or update their data and/or preferences?

Paragraph 4:

How do you protect user data? Here, state how you protect against both internal and external security threats. For handling internal security threats, one aspect of your security might be that only certain employees have access to certain information (the gardener probably doesn’t have access to accounting files, etc). As for external threats, encryption and other computer security measures should be in use when it comes to personal information, so here is where you mention your use of SSL or TLS or other secure protocol.

Paragraph 5:

Who enforces your policy? Unless you fit into one of the criteria mentioned below, the government will not be enforcing your policy (see the first paragraph in this article). Maybe you hire a third-party to audit your privacy framework, and if you do, you would mention it here. But for the majority of us, we’ll probably use a simple phrase for this paragraph, like this one:

This policy is self-regulated by the information collectors: [MyCompany, Inc.]


On the federal level, many acts regulate what companies put in their privacy policies.

For example:

Be sure to seek out any specific regulating bodies for the industry you’re a part of.

On the state level, look here to check if you have additional requirements based on your location.


A good privacy policy is not doing anyone good if it’s hidden or inaccessible.

Make your privacy policy available across all the pages on your site; the footer is a common location for a link to your policy and something most users have come to expect.

On pages where you’re specifically asking for information, you may want to more prominently feature your policy or a link to it.

And just because we’re used to seeing the “small print” in small print doesn’t mean yours has to be. Do your user’s eyes a favor and use a legibly sized font.

Finally, don’t be tempted to make your policy long-winded and important-sounding. After all, the goal is to inform your users about what you’re doing – not just to cater to attorneys.


No matter what your privacy policy, you CAN be prosecuted if it’s proven that you are not abiding by it. So make sure everything you stipulate in the policy is current and in effect at all times.

There! Now you have the bulk of your privacy policy set and the most up to date references in one place. I bet you’ll sleep a lot easier tonight, right after you empty your spam folder.

Comments are closed.