Smart Computing ®



Whom Can You Trust?
April 2000 • Vol.8 Issue 4

Create A Privacy Policy For Your Web Site
Web Users Should Know What Sites Do With Their Information
The days of anonymous Internet use are over. In the past few years, the public has awakened to the fact that nearly every Web site gathers personal information about its visitors through cookies, registration material, or banner advertisements. Public concern about privacy online is substantial, and with high-profile stories of privacy breaches by RealNetworks, GeoCities, and Comet Systems, such concerns are not likely to die down.

In response to public anxiety over the Internet's lack of privacy, many Web site operators are posting privacy statements that notify users of what kind of information a site is collecting and how it is used. But in the absence of a universally accepted model, deciding what to include in a privacy statement—or even whether to have one—can be confusing. Furthermore, creating a privacy statement is really just the beginning of developing a privacy policy for your site.



Who Needs A Privacy Statement?

If your Web site collects personal information such as names, phone numbers, mailing addresses, and even e-mail addresses or uses cookies to track visitors, we recommend that you create a privacy statement. While you are not legally required to post a privacy policy on your Web site, most major commercial sites do so, as do many noncommercial sites. (NOTE: The Children's Online Privacy Protection Act, effective April 21, 2000, requires children's sites or general audience sites that knowingly collect personal information from children to disclose their information practices in a privacy statement and to obtain verifiable parental consent before collecting information from children. Read the sidebar "Children & Privacy" for more information.)

In its December 1999 report "Surfer Beware III: Privacy Policies Without Privacy Protection" (www.epic.org/reports/surfer-beware3.html), the Electronic Privacy Information Center (EPIC), a grassroots organization that monitors Internet privacy, found that only 18 of the 100 most popular shopping sites do not feature privacy statements. And a March 1999 Georgetown Internet Privacy Policy Survey, which investigated a sampling of 361 sites from the 7,500 most visited, found that 65.9% of these sites post some sort of privacy policy.

Because privacy statements are becoming the norm, particularly on commercial Web sites, visitors to your site may be reluctant to provide personal information without knowing why you are collecting it and to whom you will sell or distribute it. A prominently displayed, up-front privacy policy is likely to increase consumer confidence in your site. According to a 1997 eTRUST Internet Privacy Study, a privacy statement increases consumer willingness to divulge personal information by 50%. And, if your privacy policy assures consumers your site will not disseminate their personal information, customer willingness to engage in e-commerce increases by a factor of 2 to 3, according to the study.

Many commercial Web sites feature privacy statements for another reason: to forestall or prevent government regulation. Currently, Internet businesses largely self-regulate their privacy practices through organizations such as TRUSTe or the Better Business Bureau Online, but government intervention is certainly not out of the question.

In a November 1999 speech at the Privacy In American Business Conference, Commissioner Orson Swindle of the Federal Trade Commission urged businesses to commit to protecting consumer privacy. "There is another line of thought that would strongly suggest the government needs to step in right now and legislate privacy practices through Internet regulation," said Swindle. "For those who advocate regulating the Internet, I ask, 'how would we do it?' . . . Imagine a government agency trying to regulate or control something so dynamic. This is a formula for bureaucracy building, government intrusion and a stifling of economic growth—in other words, many potential unintended negative consequences."



Legal Stuff.

A privacy policy for your site might be purely optional, but once you post one, you need to abide by it. Recently, the Federal Trade Commission (FTC) has filed complaints against sites that violate their own privacy policies.

In 1997, the FTC charged GeoCities with unfair and misleading business practices after finding that the site misrepresented the way personally identifiable information it collected through its membership application was used. A privacy statement on the site's membership form indicated that certain optional information, such as income level, education, interests, occupation, and marital status, would not be released to anyone without the applicant's permission. GeoCities claimed the information was simply used to "gain a better understanding of who is visiting GeoCities" and to make improvements to the site.

However, once compiled, this information provided a valuable database for marketing. The FTC found that GeoCities did in fact disclose—and in some cases sell—this information to third parties without the consent or knowledge of the applicants. GeoCities settled with the FTC in 1998 without admitting wrongdoing.

Under the terms of the settlement, GeoCities (which has since been acquired by Yahoo!) was required to thoroughly revise its privacy statement and to feature a prominent link to the FTC. (This FTC-endorsed privacy statement is a good example of a very thorough privacy policy. You can read it at http://docs.yahoo.com/info/privacy.) The GeoCities case was the first of its kind, but the FTC has since pursued a similar case against Liberty Financial Companies, which was settled in May 1999.



What To Include.

Generally, a privacy statement should begin by answering the eternal questions: who, what, when, where, how, why? More broadly, a privacy statement should provide notice that information is collected (or isn't collected, if that's the case), disclose the manner in which information is collected and used, and give the consumer a choice about the way personal information is handled and collected.

Because the goal of a privacy statement is presumably disclosure, don't present visitors with a long, daunting block of text. Consider providing a link to each area of concern; for instance, you might post separate links to Cookies and to Children & Privacy.

The following questions are the basic ones we believe any privacy statement should answer.

1. What personal information is collected through your site? For instance, are you collecting information such as name and e-mail address? Are you monitoring the products that visitors purchase or view (as Amazon.com does) to create a profile?

2. How is personal information collected? Do you collect information actively, using forms visitors can choose to fill out, or passively, using cookies? Explain what cookies are and how you use them.

3. What will personal information be used for? Is providing this information mandatory for participating in a site's activities, registering, etc., or voluntary?

4. Who is collecting personal information on your site? Do people or organizations besides the site's operators collect it? Are there links or advertisements posted on your site that may use cookies or otherwise collect personal information?

5. Who will have access to this information? Will your site sell or share this information with others? If so, who? What safeguards to their privacy can users expect from these third parties?

6. What choices do people have about the way their personal information is collected, used, and distributed? Is there a way for visitors to opt out of having certain information distributed? (Some sites let users opt in to receiving bulk e-mail or having their information distributed; by default, you are sent nothing, and your information is not passed on. We much prefer this method.)

7. How can visitors view, update, correct, or delete the personal information your site has collected about them?

8. What security precautions have you taken to prevent the misuse or theft of personal information you've collected?

9. How can visitors contact you with questions about your site's privacy policy?



Licensing Organizations.

An independent statement of your privacy policy is better than nothing, but consider licensing your site with a regulatory organization such as TRUSTe or the Better Business Bureau Online (BBBOnline). A license from a reputable regulator shows a greater commitment to maintaining customer privacy and provides some assurance that you actually follow your own policy. Both organizations monitor the compliance of member sites and provide dispute resolution should consumers file a complaint against your site.

Furthermore, licensing your site may actually help you gather the personal information you need. According to AT&T Labs' 1999 report, "Beyond Concern: Understanding Net Users' Attitudes About Online Privacy," 58% of people who said they were unsure about providing or would not provide personal information to a site would provide information if that site had both a privacy statement and a seal of approval from a well-known, reputable organization such as the BBB. For comparison, 48% of the same group would supply personal information if a law prevented the site from using the information for other purposes.

In addition, licensing your site with one of these organizations will take some of the work out of creating a statement of your privacy policy. Not only do they provide clear guidelines about what to include, most of these sites will create a basic privacy statement for you after you fill in a few forms about your site's information-gathering practices.

Both the BBBOnline and TRUSTe offer children's privacy programs and grant special seals to sites that meet the programs' criteria.

Participation in these programs isn't free, but the costs are not prohibitive. The BBBOnline requires a $75 one-time application fee plus annual payment of the copiously named "BBBOnline Annual Assessment Evaluation Fee." The fee is graduated according to your company's total sales revenue. At the low end, sites that earn one million dollars or less pay $150; at the high end, sites with revenue of $2 billion or more pay $3,000.

The cost of participation in the TRUSTe program is also scaled to your company's revenue. Companies in the lowest bracket, an annual revenue of 0 to 1 million dollars, pay a $299 annual license fee. For the highest bracket, $75 million or more in annual sales, the fee is $4,999. At the time of our visit, TRUSTe was advertising a 20% discount for nonprofit organizations.



Where To Post Statements.

Even a good privacy statement isn't good enough if it's posted in an inconspicuous place. Position your privacy statement so that visitors will notice it. After all, that's the point.

EPIC recommends displaying a privacy statement on your homepage and providing a link to it in every place you request personal information.

Your privacy statement, or a link to it, should be clear and prominent. Use larger or different fonts and a color that contrasts with your site's background to draw attention to your privacy statement.



Don't Post & Forget.

Privacy on the Internet is a work in progress. As more and different violations of users' privacy are brought to light, new guidelines for privacy statements may emerge. A privacy statement shows your commitment to respecting visitors' privacy even in the absence of many external, legal protections, but it isn't something you should just post and forget. (For one thing, once you post a privacy statement, you will be bound to follow it.) Site operators with a true interest in preserving privacy will follow developments in Internet privacy standards closely to make sure they keep pace with the changes.

by Eileen De Mott Curtright


Children & Privacy


The Children's Online Privacy Protection Act of 1998, effective April 21, 2000, regulates the collection of personal information from children under 13 years old. The law requires, among other things, that certain sites post privacy statements. Sites directed at children and general interest sites with "actual knowledge" that they collect such information from children need to comply with these regulations. Contact the FTC at kidsprivacy@ftc.gov to make certain of your status.

The privacy statement (or a link to it) must be posted on the site's homepage and at every site where personal information is collected. The links must be "clear and prominent." The FTC suggests using a larger font size or color contrast to make the link stand out. A link in small print at the bottom of the page isn't considered clear and prominent.

Your privacy statement should be clearly written and easily understandable and should include the following:

• Name and contact information of all operators ("operators" include the people who own and control the information and/or who pay for the collection and maintenance of the information) collecting children's personal information through the Web site.

• The type of personal information collected from children. (For instance, name, address, phone number, hobbies, etc.)

• The way personal information is collected and what it will be used for.

• Whether the site shares the information with a third party, and if so, what kind of business this party does, what it uses the information for, and whether it has agreed to maintain the confidentiality of the information. The statement also must disclose that parents can agree to the collection and use of the child's information without consenting that it be disclosed to any third party.

• The statement must disclose that the operator may not require a child to disclose any more information as a condition of participation in an activity than is reasonably necessary for that activity.

• The site must disclose that parents can review the child's personal information, ask to have it deleted, and forbid the further collection or use of their child's information. The notice should inform the parent of how to do this.

In addition, affected sites need to obtain "verifiable parental consent" before collecting personal information from children. Until April 2002, the FTC will use a "sliding scale" approach to parental consent. This means that the kind of parental consent required will vary depending on how the site will use the child's personal information. (In 2002 the FTC will review the policy and determine whether to continue the sliding scale approach.)

Information that a site gathers only for its own internal use will require less rigorous parental consent. For instance, a site can get parental consent through e-mail, as long as the site operators send a follow-up e-mail or letter or make a phone call to increase the likelihood that the parent has actually given permission.

In a few cases involving contests, online newsletters, homework help, and electronic postcards, site operators can collect a child's information without prior parental consent. Contact the FTC for more information.

Affected sites may need to meet other requirements beyond those listed. Read the FTC's report "How To Comply With The Children's Online Privacy Protection Rule" at http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm for more information.







Copyright © 2010 Sandhills Publishing Company U.S.A. All rights reserved.