It's time to
Render Your Vision.

RVC logo

Render Visions
Consulting

How to Write a Privacy Policy for a Website – Part 1 of 2: Assess

Man at desk working on privacy policyThere are plenty of good reasons to have a privacy policy posted on your website or blog. In a previous article, I mentioned 11 of them. The focus of this article is the process of actually writing a privacy policy (or having it written).

After doing a fair amount of research I realized I had too much material for a single post so I broke it into two. This post, Part 1, covers the prerequisite assessment process that makes a meaningful privacy policy possible. The next post, Part 2, examines various options for the actual writing phase.

What are the Requirements for Online Privacy Policies?

As with most projects, before investing time and energy, the first thing I like to do is define requirements. So, my first stop was the website of the Federal Trade Commission since they are the watchdog of the U.S. government when it comes to consumer privacy protection.

The FTC website provides a wealth of information regarding privacy and PII (personally-identifiable information). In fact, there is so much content available it’s downright overwhelming. After wading through most of it, this is what I believe to be most useful for online entrepreneurs:

Fair Information Practice Principles – These core principles are widely accepted and should be the foundation of every privacy policy. To read the entire webpage, click on the title of this section. I have included additional details under the first principle, below, since it deals specifically with disclosure:

1. Notice/Awareness

    • Identification of the entity collecting the data
    • Identification of the uses to which the data will be put
    • Identification of any potential recipients of the data
    • The nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information)
    • Whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information
    • The steps taken by the data collector to ensure the confidentiality, integrity and quality of the data

2. Choice/Consent

3. Access/Participation

4. Integrity/Security

5. Enforcement/Redress

Principles of a Sound Data Security Plan – The FTC website offers a very informative brochure that details the do’s and don’ts of handling PII. It’s called “Protecting Personal Information – A Guide for Business”. To download a copy in PDF format, click the title of this section. (Note: if your default browser is Chrome and the PDF document does not open properly, try opening with IE or Firefox.)

Interactive Tutorial – If you prefer video and have about 20 minutes, this interactive video covers the same information contained in the above PDF document. The FTC recommends it as an effective way to explain the basics of PII security to your team if you have one. But even if you don’t have employees, this is a quality video worth checking out. To access, click the title of this section. You should see a link in the right sidebar.

Tips for Composing a Privacy Policy – Finally, this FTC article elaborates on the following tips for writing a privacy policy:

  1. Keep it clear and easy to understand; don’t over complicate it with a lot of technical terms and legal jargon.
  2. Don’t say it if you can’t back it up. This is where some websites get into trouble for false or deceptive advertising.
  3. Be proactive with letting customers know when your privacy policy changes.
  4. Get your entire team to buy-in to PII compliance.

While there are numerous federal requirements regulating the PII management practices of businesses, financial institutions and health care providers, surprisingly, as of this writing (June 2011) there is no federal requirement for privacy policies to be made available to consumers (i.e. posted on websites). That may soon be changing.

Pending Federal Legislation regarding Privacy Policies

During my initial research on the legal aspects of online privacy policies (see article Are Online Privacy Policies Required by Law?), I found that some U.S. states require privacy policies to be prominently posted but no such requirement at the federal level.

Today, 8 months later in mid-2011, there is an influx of bills pending in the United States Congress covering all aspects of online privacy including full disclosure. In the article Federal Legislation and Online Privacy Policies you will find a table listing 16 pending federal bills with links to the congressional database providing the status of each. Depending on what gets finalized and signed into law, requirements for collectors of PII could tighten significantly. This will affect most website and blog operators including those that simply collect email addresses for newsletters.

Other Sources of Requirements for Online Privacy Policies

Until a fair and balanced set of standards is signed into federal law, online privacy compliance will continue to be a challenge for the average website operator. As states enact their own privacy laws and industry icons like Google and Microsoft make their own rules (per self regulation promoted by the FTC), compliance continues to be a moving target.

For that reason, a prudent strategy is to develop a privacy policy based on requirements and best practices from a cross-section of all relevant authorities. Table 1A, below, offers such a list.

  Sources for Best Practices regarding Online Privacy Policies

a)

Rules, recommendations and tips from the FTC website

b)

Selected requirements from bills pending in the U.S. Congress

c)

Applicable requirements from stringent U.S. states like MA, CA, and NV

d)

Requirements from online juggernauts like Google and Microsoft

 — Table 1A —

By adhering to the requirements prescribed by these sources, you will wind up with a compliant privacy policy and your site visitors will receive the privacy protection they deserve. Of course, once a U.S. federal law is passed, adjustments can be made, if necessary.

Questions to Consider Before Writing a Privacy Policy

Before a privacy policy can be written effectively, key issues need to be considered. In the FTC brochure mentioned above, this is referred to as taking stock. That is, understanding how PII moves into, through, and out of your business and who has access to it. This is the most important aspect of developing a privacy policy.

Table 1B, below, contains questions that facilitate this assessment. The questions are based on requirements prescribed by the sources in Table 1A. If answered thoughtfully and accurately, the result will be an outline upon which a compliant privacy policy can be constructed.

Realistically, regardless of who writes the privacy document, the questions need to be answered by the website owner or principal operator(s). The most conscientious consultant or attorney will usually not be as familiar with the site’s underlying functionality and supporting practices.

Answering these questions before the privacy policy document is drafted is similar to the requirements definition phase in the software development cycle – it reduces the number of iterations required to get it right. And that can save time and energy!

 

Questions to Consider

Examples and Sources

1

What PII is collected?– Specifically, what PII (personally-identifiable information) is collected? For examples of PII, see article What is PII?

2

Sensitive PII – If sensitive PII is collected is it done with affirmative consent? (opt-in) Sensitive PII is personally-identifiable information which, if compromised, can cause a significant negative impact for the individual (i.e. financial & medical records, religious affiliation). Credit card information, bank accounts, and social security numbers are examples.

3

How is PII collected? – what is the method for collecting PII? For example: newsletter form, contact/webmail form, subscription form, registration form, service application form, shopping cart transaction form?

4

Volume– What is the volume of PII collected? For example, one particular bill pending in Congress only applies if PII of more than 5,000 individuals is collected during any consecutive 12-month period.

5

Purpose – Is there a clear, valid purpose for the collection of each element of PII? Per pending federal legislation, collectors of PII should only collect as much information as necessary to process or enforce a transaction or deliver a service, but allow for the collection and use of information for research and development to improve the transaction or service.

6

Minors– Is PII collected from children under the age of 13? Is the product, service, or site-content targeted at children 12 and under? If so, COPPA applies if PII is collected.

7

Storage– Is the PII stored in a secure fashion? How and where is it stored? Is it stored in a password-protected database on a secure server? Or on a password-protected and physically secure hard drive? Stored in encrypted format rather than clear text? Employee access on a need-to-know basis only?

8

Transmission – How is the PII transmitted? If transmitted across public networks and wireless networks, is the data encrypted?

9

Usage– How is the PII used? For example, is it used only for the stated purpose of the end-user form filled out by the consumer or is it also used for other purposes such as internal ad campaigns.

10

Sharing– Is the PII shared? If yes: (a) How, why, with whom? (b) Are third parties bound by contract to comply with the collector’s privacy policy? For example, is the PII sold or otherwise shared with third parties, i.e. external advertisers? Per pending federal legislation, the burden of protecting PII lies with the collector. See section 302 of Senate bill S 799 and MA state law.

11

Opt-out– Is there an opt-out function and is it clearly available? This refers to the website functionality not a browser (IE, Firefox, Chrome, etc.) feature.

12

Access– Can individuals access their PII and correct it or request that it no longer be used and distributed? If it cannot be directly accessed and edited by the PII owner, can the owner request deletion via email, postal mail, or phone, for example? Per pending Senate bill S 799 section 202.

13

Retention – How long is the PII retained? Pending federal legislation states that collectors of PII should retain it only for reasonable periods of time.

14

Disposal– How is the PII disposed of? Pending federal legislation specifies acceptable methods. For examples, see House bill HR 1707, section 2.a.2: E & F.

15

Accuracy– Are procedures in place to ensure the data is accurate? Pending federal legislation requires this in certain instances. See bill S 799, section 303 (a) and (b).

16

Tracking– Is analytics software embedded in the website or blog? Google Analytics, for example, requires users to have a privacy policy that discloses the use of a cookie that collects anonymous web traffic data. See Google Analytics Terms of Service, section 7.

17

Ad networks– Is an online advertising network utilized? For example, Google’s AdWords network and Microsoft’s Advertising service require certain information in a site’s privacy policy if using their services.

18

Monetization– Are monetization methods used such as ad serving networks or affiliate programs? For example, Google’s AdSense service requires certain information in a site’s privacy policy.

19

Breach policy– Has a breach policy plan been formulated? For example, in the event of a security breach in which PII is acquired by an unauthorized party, is there a procedure for notifying owners of the PII?

20

Dissolution– If the relationship with PII owners changes due to a website sale, company sale, or bankruptcy, is there a plan for the disposition of PII and is the plan disclosed in the current privacy policy? Consistent with the intent of item #10, above, if assets are acquired by another entity, PII owners should be given advance notice and an opportunity to opt-out and have their PII rendered non-personally identifiable. Likewise, a bankruptcy/dissolution plan should be disclosed relative to stored PII.

— Table 1B —

As indicated in the example for item #4 in Table 1B, some bills pending in Congress hold businesses to a higher standard if they deal with large amounts of PII. That seems logical since more people can be negatively affected if the data is abused or stolen.

Also, some of the questions in Table 1B stem from pending federal bills that do not specify how compliance must be achieved. Instead, they empower the Federal Trade Commission to establish rules within a defined time period after the bill becomes law. Interestingly, even at that point, the FTC will be prohibited from requiring a specific technological means of meeting a requirement (Source: S 799, title I, section 101, d). Given technology’s ever-increasing rate of change, that also makes sense.

It is important to remind readers that if a website or blog collects PII from residents outside the United States, different privacy laws apply. While those laws are outside the scope of this article, it may be the focus of a future research project to be posted here at .com. Stay tuned.

In fact, if you would like to receive future posts automatically via email or RSS feed, simply click on one of the links in the upper right corner of any page on this site to subscribe. Only an email address is required. You can unsubscribe at any time.

If you are interested in reading more about international requirements pertaining to information privacy, you may want to start with the EU and APEC. The European Union (EU), for example, is expected to introduce (sometime in 2011) the concept of the “right to be forgotten” which allows individuals to request that their data be completely removed once it has served its original purpose. Holders of information, such as ISPs and search engines may have to reveal who is collecting data and for what purpose. (Source: European Commission website, Safeguarding privacy in the digital age)

APEC (Asia-Pacific Economic Corporation) is a cooperative of 21 nations primarily concerned with global trade and economic issues. The APEC Privacy Framework promotes a flexible approach to information privacy protection while avoiding the creation of unnecessary barriers to information flows.

Pulling It Together Into a Privacy Policy

To summarize, the first step to writing a compliant privacy policy is to do a thorough assessment of PII handling practices. That is what this post is all about. The objective is to record answers to the questions in Table 1B and use the resulting document as an outline for the final privacy policy.

With the outline in hand, an informed decision can be made about what method to use to compose the final, consumer-friendly document. That is what the next post is about. It will examine a variety of options including:

  • Using an online auto-generator service
  • Customizing a template
  • Hiring an internet-savvy, privacy-law attorney to draft it

Until next time… render your vision.

==========

If you are interested in reading the follow-up to this article, here is the link: “How to Write a Privacy Policy for a Website – Part 2 of 2: Options.”

1 comment to How to Write a Privacy Policy for a Website – Part 1 of 2: Assess