A privacy policy is a statement about how an organisation manages the personal information it collects. It is a general, not exhaustive, statement about how personal information flows through an organisation. All online services need a well-crafted privacy policy. Not only is this required for compliance with law, but it is essential to create and preserve your users’ trust.
Data privacy and security issues are more critical now than ever before and every company should have a global Privacy Policy. Displaying a Privacy Policy is recommended even if your website is not a commercial site.
In the context of eCommerce, legislatures, regulators, and courts worldwide have responded with new restrictions on the maintenance and management of personal information. Every Internet-based business website that collects information from end-users must tailor a compliant privacy policy that provides specific information regarding its use, retention, protection, disclosure, and data collection processes pertaining to consumer information. Commercial website operators should be prepared to live with the commitments they make.
What must be included in a Privacy Policy
Here are some of the key provisions you need to make sure are included:
1. What information is being collected
Your policy must clearly outline all the various pieces of data that are being collected. This generally falls into three categories:
- User-submitted information. Your policy must specify what information is being collected that users themselves supply, either during the registration/account creation process or through general use of the site. This may include their email address, phone number, billing information, demographic information, date of birth, etc. You are still required to disclose this information even if it is collected through a third-party site or credentialing service, such as Facebook Connect.
- Information collected automatically. The policy must address whether the site collects any information automatically through the user’s use of the site, for example their IP address, mobile device ID, location information, browser, operating system, the URL of pages visited prior to visiting, ads clicked on, length of time on the site, etc. As with user-submitted information, you must disclose this information even if it is collected through third-party providers, such as Google Analytics.
- Tracking tools. You must disclose whether your website stores cookies, web beacons or any other tools on your users’ computers or devices to collect and track their online movements.
2. What is done with information
Your policy must specify the intended purpose for which the information is being collected and whether any of it will be shared with third parties, such as service providers, analytics companies, law enforcement, etc. Users should also be informed whether the information is shared with its personally identifying elements attached, or in an aggregated and anonymized form. Furthermore, the policy should describe what happens to the information in the event of a merger, acquisition or bankruptcy.
3. Children
All websites that direct their services to children under the age of 13 must comply with the Children’s Online Privacy Protection Act (COPPA). COPPA has a number of detailed requirements which are beyond the scope of this article, but if your site is not intended to be used by children under the age of 13, then a statement to that effect must be included in the policy.
4. Date
This one is easy: include the date the policy was posted or last updated.
5. Review
Make sure your policy includes a provision which states how users can review and change their stored personal information.
6. Where to Place
In addition to the above, you need to post your privacy policy where users can find it. Any site that collects personal information must make sure that either:
- The policy is posted on the home page of the website;
- The policy is linked to the home page with an icon that includes the word “privacy” (note: the icon color must differ from the home page background); or
- The policy is linked to the home page by a link that contains the word “privacy” and is distinguishable from the surrounding text (i.e., written in capital letters greater in size than the surrounding text, or in a type, font or color that contrasts with the surrounding text of the same size).
The posted policy must also:
- State what type of personal information is being collected;
- State the process for users to review / change their personal information;
- List the categories of third parties with which the site shares personal information;
- Include a statement describing how users are notified of privacy policy changes; and
- Include the effective date of the privacy policy.
7. Third Party Direct Marketing
If your site shares any personal information with third parties for direct marketing purposes, then make sure you include a link on your home page.
8. Drafting Principles
Importantly, when drafting a privacy policy, make sure you do not over-promise with statements like “we will never ever ever EVER share any of your information.” Even if you don’t intend to share anything now, you may in the future, either due to changes in technology or due to a strategic opportunity, and back-pedalling on your privacy policy may arouse suspicion. It’s best to use broad, sweeping, and inclusive language. Draft the policy with the help of your developers and engineers. That way you can confirm that the policy covers all information that is in fact collected and / or shared.
A privacy policy should not simply reproduce the IPPs (the Information Privacy Principles). It should be concise and directed towards its audience (that is, the general public). It should be written in plain English and be easy to read. The policy should deal with both online and offline collection of information.
An organisation’s privacy policy must address:
- What personal information does the organisation collect?
  - Identify the organisation’s basic functions and activities to determine the type of personal information that is commonly collected to facilitate those functions.
  - Consider why the information needs to be collected.
- Where does the information flow to, and how is it used or handled?
  - Examining the organisation’s personal information handling functions allows a greater understanding of whether the organisation is currently complying with the IPPs and how the IPPs work in everyday practice.
- How is the information held by your organisation stored and protected?
  - If the organisation generally handles information that requires a high level of security, or if it handles sensitive information, specific assurances should be given about the access controls and security measures in place to protect that information.
The privacy policy of an organisation should contain the following:
- the identity of the organisation and how to contact it;
- the fact that an individual is able to gain access to their personal information, and how the individual can do so;
- the organisation’s main functions and the sorts of personal information the organisation generally collects and holds to fulfill those functions;
- how personal information is usually used and to whom it is usually disclosed;
- whether collection of personal information is compulsory or optional (including referring to any legislation which authorizes the collection, use or disclosure of the information, such as the Local Government Act or taxation legislation); and
- the date and version reference for the policy.
The following questions should also be considered:
- Does the organisation transfer or store personal information outside Victoria (IPP 9)? If yes, this should be specified in the privacy policy.
  - If the transfer is authorised or required by legislation, this should also be specified, as well as the steps the organisation will take to protect the information.
- Does the organisation collect or deal with sensitive information (IPP 10), such as information about an individual’s race, ethnicity, political opinion or party membership, religion, union membership, sexual preference or criminal record?
  - If yes, how this information is collected and used/disclosed should be detailed specifically in the privacy policy.
- Does the organisation actually comply with its privacy policy?
  - An organisation should ensure that its actual practice accords with its privacy policy: that is, an organisation should do what it says it will do in its policy. A good way of assessing whether or not an organisation is in compliance with its privacy policy is a self-audit.
Privacy Policy and Advertising
The three primary legal requirements for truth in advertising are:
- Advertising must be truthful and not misleading.
- Advertisers must have evidence to back up their claims.
- Advertisements cannot be unfair.
To honor these legal requirements when advertising on the Internet, the FTC recommends that businesses:
- Place disclosures on the same Web page as the claim they apply to, and when necessary, provide adequate visual cues to indicate that a consumer must scroll down on the page to view the disclosure.
- When hyperlinking to disclosures, make the link obvious and noticeable, label the link accurately and indicate its importance, place the link near relevant information, ensure that the link takes consumers directly to the disclosure, and monitor link usage to ensure its effectiveness.
- Display disclosures prior to purchase.
- Ensure that an advertisement’s “text, graphics, hyperlinks, or sound do not distract consumers’ attention from the disclosure.”
- If your Web business sells other companies’ products, be aware that the FTC can also hold you responsible for misleading ads and product descriptions, even when those materials are provided by the manufacturer. The FTC recommends that “to protect themselves, catalog marketers should ask for material to back up claims rather than repeat what the manufacturer says about the product” and that “in writing ad copy, catalogers should stick to claims that can be supported.” The FTC pays closest attention to ads that make health or safety claims, or that present data or statistics that consumers would have difficulty verifying.