An important component of your website is its privacy policy that tells the website visitor what information is collected about them, how the information may be used, and how to access or contact your company about the information collected.

The U.S. Federal Trade Commission (FTC) provides some guidelines and regulations, while the State of California has enacted broad-reaching online privacy rules that apply to any commercial website or online service that may be accessed by a resident of the State of California. Essentially, the California Online Privacy Protection Act (CalOPPA) is far-reaching, and would apply to most websites.

Looking globally, the European Union (EU) also has regulations regarding online privacy in the Data Protection Directive and the ePrivacy Directive. EU regulations apply to those websites that target EU customers.

For many businesses, violation of what is or is not disclosed in your company’s privacy policy would also violate state and federal consumer protection laws.

The privacy policy should be an easy-to-read document, typically available as a page linked from the footer of a website.

Components of a privacy policy include the following:

1. Notice of Collection

Notice of collection clearly describes what information is collected about the website visitor online. Many companies expand this to include not only information collected from email, but also from other offline communication channels that are linked to the customer or prospective customer.

Also included in notice of collection are the types of technology used on the site, such as web beacons, cookies or other similar technologies. Often websites will include a separate ‘Cookie Notice’ that provides additional detail on the types of technology used, the third-party solutions that are used on the site, and how to opt out of tracking. This separate ‘Cookie Notice’ may be used to follow the EU Directive if your website targets a global customer base.

2. Purpose of Collection

Included in your website’s privacy policy is a description of the purpose of collecting information about the website visitor. The collection of this information may be for marketing reasons, customer support, providing online access to certain areas of a website, and more.

3. Disclosure

Disclosure includes a description of how the customer, prospective customer or website visitor information collected will be shared. This includes how information will be shared with third parties as well as whether the information collected will be sold, traded or rented.

If the privacy policy will span multiple websites that are owned by your company, then disclosure would include the websites the privacy policy applies to. If the privacy policy applies to all company-owned websites, then clearly state that.

A requirement of CalOPPA, the State of California’s online privacy act, is to disclose how your website responds to ‘do not track’ signals or similar technologies sent by the user’s browser. CalOPPA doesn’t require the website to honor the request, just to disclose how it responds to a ‘do not track’ request.

The Children’s Online Privacy Protection Act (COPPA), a federal rule, requires websites to disclose whether any personal information is collected from children under the age of 13. If information is collected from children under the age of 13, then verifiable consent from the parent or guardian is required before any personal information is collected from the child.

4. Consent

Depending on the type of business your website supports, consent may be needed from the customer confirming that they are over a certain age (e.g. marketing of alcohol, tobacco or adult content).

The ‘Cookie Law’, part of the EU Directive, also has a consent requirement: the site must give notice (e.g. the privacy policy) and elicit consent from the website visitor acknowledging the use of cookies on the site. Consent can be implied if the notification is clearly visible to the website visitor.

5. Security

It’s recommended that the privacy policy describe how the personally identifiable information (PII) of customers, prospective customers and website visitors will be kept secure. This disclosure can define security related to the information collected from credit card payments or other PII-related data. While security is important, there are no guarantees the information will be kept 100% secure.

6. Provide Access and Accountability

Another component of your site’s privacy policy is to tell the customer or prospective customer who to contact if they want to review the information that is collected about them. In addition, your privacy policy needs to include how to contact your company if there are questions regarding the privacy policy.

A privacy policy is also required to include information on how significant changes to the policy will be made known to customers and website visitors, as well as the effective date of the company’s privacy policy.

Depending on the type of business, as well as the type of new information collected, notice is given to the website visitor in advance of implementing privacy changes. These notifications are typically shown as a clickwrap agreement.
