Monday, October 17, 2011

Privacy Policies

Shore Up Your Privacy Policy Before Disaster Strikes
Last month, we discussed, from the website owner's point of view, the critical importance of using Terms of Service (ToS) and Click Agreements suited to their business.

Now we will address the need for appropriate consideration of your website's Privacy Policy.

What Type of Information Do Privacy Policies Protect?

Personally Identifiable Information (PII) may include many details such as name, address, email address, phone numbers, social security numbers, credit card numbers and the like. From a technology standpoint, every visitor to every website reveals something about who they are and where they came from. When a visitor lands on a website, this is what the website owner can access:
• the visitor's IP (Internet Protocol) address, which identifies the connection rather than one person: many users may share a single address behind a home or corporate router, a proxy, or a mobile carrier's NAT;
• the address of the page that linked the visitor to the site, if the browser sends the Referer header (browsers send it for most ordinary links but omit it in some cases, such as a link from an HTTPS page to an HTTP page); and
• the cookies that this same website set in the visitor's browser on a previous visit. A site can read only its own cookies, not those set by other sites, and a properly designed site stores only an opaque session identifier in them, keeping credit card details and passwords on the server. A site that writes such data into cookies, encrypted or not, exposes it on the visitor's disk and on every request.
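Everything in that list is a concrete HTTP mechanism, so here is an added example (my own illustration, not code from this post) showing what a server actually receives from one request, a session cookie that carries no PII, and a check worth running over cookie values before a design ships. The trusted-proxy rule, the cookie attributes and the request data are assumptions constructed for the illustration.

```python
# Added example (not code from the original post). It shows what a web server
# can actually learn about a visitor from one HTTP request: the connection's
# IP address, the Referer header, and the cookies this site itself set earlier.
# It also shows a session cookie that carries no PII, plus a check a reviewer
# can run to catch card numbers that ended up in cookie values.
# Assumptions (mine, not the page's): the trusted-proxy handling and the
# cookie attributes below are design choices for this illustration.
import re
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def visitor_facts(headers, peer_ip, trusted_proxies=()):
    """Return what this site can observe about the visitor from one request.

    headers:         request headers as a dict (looked up case-insensitively)
    peer_ip:         address of the TCP peer the server accepted the connection from
    trusted_proxies: addresses of reverse proxies we operate ourselves
    """
    h = {name.lower(): value for name, value in headers.items()}

    # 1. IP address. It identifies a connection, not a person: many visitors can
    # sit behind one NAT address. X-Forwarded-For is believed only when the
    # peer is our own proxy, because any client can send that header itself.
    ip = peer_ip
    if peer_ip in trusted_proxies and "x-forwarded-for" in h:
        # Our proxy appends the real client address as the last entry;
        # anything before it was supplied by the client and may be forged.
        ip = h["x-forwarded-for"].split(",")[-1].strip()

    # 2. "Where the visitor came from" is just the Referer header, which the
    # browser may omit. Keep the origin only; the query string can carry PII
    # (search terms, user names) that we have no reason to store.
    referer_origin = None
    if h.get("referer"):
        parts = urlsplit(h["referer"])
        referer_origin = f"{parts.scheme}://{parts.netloc}"

    # 3. Cookies: the browser sends back only cookies that *this* site set.
    jar = SimpleCookie()
    jar.load(h.get("cookie", ""))
    own_cookies = {name: morsel.value for name, morsel in jar.items()}

    return {"ip": ip, "referer_origin": referer_origin, "cookies": own_cookies}


def new_session_cookie(name="sid"):
    """Set-Cookie header value holding only an opaque random session id.

    Card numbers, passwords and the like stay on the server, keyed by this id,
    so the cookie reveals nothing if it is read from disk or off the wire.
    """
    session_id = secrets.token_urlsafe(32)
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card_number(value):
    """True if a cookie value contains a 13-19 digit run with a valid Luhn
    checksum, the usual signature of a card number written where it should
    never be."""
    compact = re.sub(r"[ -]", "", value)
    return any(luhn_ok(run) for run in re.findall(r"\d{13,19}", compact))


if __name__ == "__main__":
    # Constructed request: the visitor arrived from a Google search through
    # our own reverse proxy at 10.0.0.5, carrying two cookies we set last time.
    request_headers = {
        "Host": "shop.example",
        "Referer": "https://www.google.com/search?q=widgets",
        "Cookie": "sid=k3dJ9xQ; lang=en",
        "X-Forwarded-For": "203.0.113.7",
    }
    print(visitor_facts(request_headers, "10.0.0.5", trusted_proxies=("10.0.0.5",)))
    print(new_session_cookie())
    print(looks_like_card_number("card=4111 1111 1111 1111"))  # True
```

The points to take from it: the "last website" is only the Referer header, and only its origin is worth keeping; the cookies a site sees are its own; and a cookie that would need encryption because it holds a card number is a design error, not something encryption fixes.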

In addition, website visitors provide PII voluntarily when they register as users on sites such as Facebook and LinkedIn or for services like Gmail, and they provide credit or debit card information to make purchases on a website. The critical issue with all of this information flowing from the visitor to the website is how the website protects it and what privacy the visitor is afforded.

Website Privacy Regulation
In the U.S., the Federal Trade Commission (FTC) is the primary regulator of Internet privacy, acting under its authority over unfair or deceptive business practices. Currently, the FTC does not require that websites have a Privacy Policy (sector-specific laws are the exception; for example, the Children's Online Privacy Protection Act requires one for sites directed at children under 13). However, if a website does have a Privacy Policy, it must adhere to its own terms.

A typical Privacy Policy may state that the website will not use any PII without the user's express permission. The FTC will enforce that obligation if it learns that PII is being used without permission, such as to commercialize it, because doing what your own policy says you will not do is a deceptive practice. But if the website's Privacy Policy is silent about protecting PII, then, subject to other applicable laws, the website may use the PII freely.

Outside the U.S., privacy rules are very different. In the EU, Canada and Japan, for instance, there are very specific laws that restrict the use of PII on any computer, whether connected to the Internet or not.

In Canada, the Personal Information Protection and Electronic Documents Act specifies the "...ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them."

In Japan the Personal Information Protection Act was enacted after public surveys were conducted regarding privacy protection for individuals.
The EU's 1995 Data Protection Directive (95/46/EC), whose origins date to 1989, before the commercial Web, regulates privacy for citizens and businesses that operate in the EU.
The U.S. Department of Commerce, with the European Commission, established the Safe Harbor framework, under which U.S. businesses self-certify that they handle EU residents' personal data in compliance with the EU rules. So if your website allows users in the EU to conduct business with it, it makes sense to comply with the Safe Harbor rules.

TRUSTe (discussed in greater detail below) offers a specific service called EU Safe Harbor, which includes the following:
TRUSTe can help you certify your compliance with the EU Directive on Data Protection. The Directive prohibits the transfer of European citizens' personal data to non-European Union nations that do not meet the EU's "adequacy" standard for privacy protection.

Of course other companies offer similar EU services.

What Should Your Privacy Policy Contain?

As with ToS and Click Agreements, my informal surveys show that few individuals, at least in the U.S., take the time to read Privacy Policies. But that doesn't mean you should not have one. You have to consider your visitors' expectations, your business issues and the laws of the countries where you operate.

One approach to creating your company's Privacy Policy is to find a website you think faces issues similar to your own and use its policy as a base for your own (taking care not to violate copyright when doing so). This might work, but if you guess wrong about what your Privacy Policy should say, your business may be at risk.

Aggregate Data
Many Privacy Policies say that the website will not use visitor PII, but the website may still aggregate visitor information for resale. Such information may include the percentage of visitors to the website who came from Google (Nasdaq: GOOG) or The New York Times (NYSE: NYT). The largest company in the data aggregation business is DoubleClick, which was purchased by Google a few years ago.

Most website visitors do not feel that their privacy is violated by such aggregation, since nothing that identifies a specific person is being shared. Two cautions apply. First, aggregate data is only as anonymous as its smallest group: a statistic covering a handful of visitors, or aggregates that can be joined with other data sets, can sometimes be traced back to individuals, so set a minimum group size before releasing any figures. Second, even where the law doesn't require disclosure, you should consider, for business reasons, whether your Privacy Policy should tell website visitors that your website aggregates such information.

Consider Subscribing to Privacy Standards
A number of organizations promulgate Privacy Standards. Website owners may subscribe, pay a fee, and agree to adhere to that organization's Privacy Standards. You often see the logos for these Privacy Standards on the front page of websites and embedded in Privacy Policies.

You may be familiar with the TRUSTe logo. Since 1997, that company has offered a variety of online privacy services. This is what TRUSTe has to say about its services:

The company offers a broad suite of privacy services to help businesses build trust and increase engagement across all of their online channels including websites, mobile applications, advertising, cloud services, business analytics and email marketing... Based upon the comprehensive privacy model of "Truth in Privacy," which is laid on a foundation of transparency, choice and accountability regarding the collection and use of personal information, TRUSTe's privacy seal is recognized and trusted by millions of consumers as a sign of responsible privacy practices.

TRUSTe claims that more than 4,000 websites subscribe, including "companies like Apple (Nasdaq: AAPL), AT&T (NYSE: T), Disney (NYSE: DIS), eBay (Nasdaq: EBAY), Facebook, HP (NYSE: HPQ), Microsoft (Nasdaq: MSFT), Nationwide and Yelp." Among many services, TRUSTe offers website solutions for website privacy, EU Safe Harbor, Children's Privacy, Email Privacy, and downloads.

Of course there are other Privacy Standards like those of the Better Business Bureau, which claims that more than 142,000 websites use its Privacy Standards, and also the Online Privacy Alliance and the CPA WebTrust Program.

In Conclusion
Website owners should make sure their Privacy Policies satisfy applicable legal requirements and also address business concerns, so as to give website visitors comfort that their PII will not be used wrongfully.
Therefore, it is critical that each business review how it actually manages PII and consider what it tells visitors to the website, since the policy will be enforced against what the site really does.
Question: Is a policy important to your website? Discuss what you will do & incorporate.


  1. I would like to have a privacy policy in place, specifically to follow legal guidelines in Canada, but also to ensure the privacy and right to free speech for my subscribers. There is a good chance that the blogs and discussions that will be taking place on the site could potentially be read out of context or read properly, and that person could face legal action or some form of retribution based on what was said. My thoughts turn back to the young man a few years ago who was put on a flying ban in the US for writing a left-wing blog rallying against President Bush. It is that sort of thing that I would prefer to be able to stop.
    I would incorporate by writing a small, tedious privacy policy and making sure to follow my own standards as well as making sure that subscribers did so as well.

  2. Yes, I feel that any business that is online should have a privacy policy put into place. Having these policies will clearly show users what your business is all about. I would also like my customers to know what the legal restrictions are for our country about online websites. I feel that my business will need to be protected because having a photography business gives people the option to steal my pictures and claim them as their own. People will be able to take my intellectual property if I don't get my photography work secured. I will need to make sure that I have my pictures copyrighted and that my business logo cannot be used by any other business.

  3. It is important to have a privacy policy for my online business. People will be giving their personal information when purchasing items, and they will need to know that we will not abuse that information. When customers want to purchase something, they must register. When they do so, I will have a spot where they can read what our policy is before they register. If I did not have this option, people may be wary of giving their information to me, thinking that I may use it for things other than their online purchases from my business.

  4. A privacy policy is for sure a necessity for my business. It will be asking users to provide their personal information, credit card numbers, PayPal account, etc. They need to be confident that no one is going to steal any of that important information. Users will feel more comfortable signing up and purchasing something if they know there are no risks involved, because that is one of the main things that holds people back from ordering online. I think it is important to have a policy in place and have it available for them to read on the site. It also might be beneficial to have a little terms of agreement before they make any purchases, just clarifying that they've read the policy and know that they are safe.

  5. Privacy Policies will certainly be utilized in my e-business. I will be protecting consumers' information in the form of names, addresses, credit card numbers, and much more. It would be advantageous for me to protect this information because consumers will feel safer providing information to a company that has no risks and whose site is secure. To incorporate these safeguards I will be looking for firewalls and privacy software that is appropriate to protect the information I will need to follow the progress of my physical business as well as online.