Privacy Policy: Who Needs One and What Should It Say?

Practically all websites you visit have a privacy policy.  Prior to launching a website, you may wonder whether you need a privacy policy, too.  It is extremely likely that you do.  You may have also considered whether you can simply copy a competitor’s privacy policy and focus on more important things.  Short answer: That is probably not a good idea.

What is a privacy policy and why do I need one?

A privacy policy is a statement that discloses the ways in which your website and its affiliates collect, use, disclose and manage user personal information.  In other words, if your website does that, you should have a privacy policy.  Personal information is anything that can be used to identify an individual, including first and last name, physical address, email address, date of birth, phone number, etc.

What should your privacy policy say?

The U.S. Federal Trade Commission’s Fair Information Practice Principles set forth widely accepted principles concerning fair information practices and identify five core principles of privacy protection:  (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.  Based on these principles, a privacy policy should identify the following:

•  the entity collecting the data;
•  the uses to which the data will be put (both internal and external uses);
•  any potential recipients of the data;
•  the nature of the data collected and the means by which it is collected if that is not obvious (passively, by means of electronic monitoring, or actively, by asking the user to provide the information);
•  whether provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information; and
•  the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.

The privacy policy should give users options to control how the personal information collected from them is used.  Specifically, they should be given choices relating to secondary uses of information beyond the immediate needs of the collector to complete the transaction.  Secondary uses can include external ones, such as transfer to third-party advertisers, or internal ones, such as marketing for additional products or promotions.  Typically, the choice models are opt-in or opt-out.  Opt-in requires affirmative steps by the user to allow the website to collect and/or use the information.  Opt-out requires affirmative steps to prevent the collection and/or use of the information.  The choice does not have to be binary.  The website can allow the user to tailor the use of information collected to his or her preferences by checking boxes to grant or deny permission for specific purposes rather than using an all-or-nothing approach.

The privacy policy should also give the user some ability to access data about himself or herself and a means for such user to contest that data’s accuracy and completeness.  Measures taken by the website to ensure data integrity and data security should also be disclosed.

In addition to containing the information listed above, the privacy policy must, in order to be effective, be clear and conspicuous, posted on the website in a prominent location, and readily accessible from both the website’s home page and any web page where information is collected.

Why can’t I copy a competitor’s privacy policy? 

It is not enough to simply have a posted privacy policy. You must be in compliance with your stated privacy policy under federal and state laws aimed at protecting consumer privacy. Therefore, your privacy policy should be custom-tailored to how your website operates and updated whenever necessary.  Depending on what type of data you collect, such as financial or medical data or data collected from children, you may have to comply with additional laws. Where the user is located and where the data is stored and/or used may also mean that you will have to comply with additional state laws and even with laws of foreign countries.