A privacy policy is a statement placed in an easily visible place on a website informing users about how the website deals with users' personal information. Privacy policies generally explain whether and how users' information will be shared with third parties, including parent companies or subsidiaries. They frequently also explain whether and how the website uses cookies.
Why Is It a Good Idea to Have a Privacy Policy?
Privacy policies let people know what you will do with information that they provide when registering with your website, as well as information that gets logged while they browse. A privacy policy allows users to find out what you do with their private information and enables them to adapt their conduct accordingly. Beyond that, a privacy policy will help you avoid liability under a complex array of state and federal laws dealing with users' private information.
What Should You Include in a Privacy Policy?
A well-crafted privacy policy should include the following items (although the particular items included may depend upon the nature of your website):
- a statement explaining what kind of information you collect about your users, how you use it, and with whom (if anyone) you intend to share it;
- a statement disclosing whether and how you use cookies and/or other tracking software;
- a statement reminding users that data is collected through a server access log when a user browses, reads, or downloads information from the site;
- a statement reminding users that the website operators may have to disclose user information in response to warrants, subpoenas, or other valid legal process;
- a description of the process through which users can request changes to any of the personally identifying information collected and/or stored (you can provide an email address for notifying the website operator of changes);
- an opt-out procedure for users to request that their information not be shared with third parties, or that their contact information not be used to send unsolicited correspondence (again, this can be done with an email address);
- a description of the process through which the website operator will notify users of changes to the privacy policy;
- a statement identifying the effective date of the policy.
Another important aspect of a privacy policy is what it says about minors. If your site targets or knowingly collects information from children under age thirteen, it must comply with the Children's Online Privacy Protection Act. For more information about how to comply with the Children's Online Privacy Protection Act, please see COPPA.org's compliance page. If you do not plan to collect information from minors, you should consider adding a statement to your privacy policy saying:
This website's content is intended for adults and we will not knowingly collect personal information from children under 13 years of age. If you are a parent or legal guardian of a child under age 13 who you believe has submitted personal information to this site, please contact us immediately.
There are also rules about collecting medical information and information about criminal records. Unless it is important to the purpose of your website, you should not gather this type of information. If you plan to gather this type of information, you should consult a lawyer about your data collection strategy.
You can find good examples of privacy policies on the following sites: MinnPost.com, HuffingtonPost.com, Ars Technica, and CMLP.
What Should You Avoid?
It is common to see the following statement in website privacy policies: "[Name of website] will not collect any personal information about you except when you specifically and knowingly provide such information." While this kind of statement may sound reassuring for your users, it is not true in most cases. When a user visits a website, he or she provides personal information to the website operator simply by virtue of browsing, reading, and downloading material. This information includes IP address, user configuration settings, and what website referred the user to the site, among other things. It is better to tell users that this type of information is being collected automatically on standard web server access logs.