Website privacy policies with the correct disclosures are required by U.S., UK, EU, Canadian, Australian law, and the laws of other countries.
The term “user” in this article refers to a visitor or customer of a website.
The term “PII” in this article refers to a user’s personally identifiable information.
The term “NPI” in this article refers to nonpersonal information.
What Types of Information Does Your Website Collect?
Know the Difference Between PII and NPI
The difference between PII and NPI has been blurred by changes in the law and in the way regulatory agencies define PII. As an example, the laws of the European Union (EU), as well as COPPA and HIPAA in the United States, have in many situations classified a user’s IP address and cookies as PII. The chief of the FTC’s Consumer Protection Bureau said: “We regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, device, or computer. In many cases persistent identifiers such as MAC addresses, device identifiers, cookies, or static IP addresses meet this test.”
How Users’ Information Is Collected
You are required to explain how, and from where, you collect users’ information. This includes information collected at registration, from online forms, questionnaires, email, mobile applications, APIs, and other means.
Disclose How You Use Your Users’ Information
Linking to Other Websites
Explain to Users What Cookies Are and Do
Cookies are small text files that your website stores in users’ web browsers when they visit. Cookies help users navigate and use your website, identify them as members, track advertising, and have many other uses. Countries like the UK require you to get users’ consent before you place cookies on their computers. This is typically done with a popup box that asks users, when they enter your website, to agree to accept cookies before using the site.
Cookies can be used for:
• Recognizing parts of your website that users have visited
• Logging in and detecting users who are members of your website
• Using Google or other analytics programs
• Remarketing services from Facebook, Google, and other companies
• Tracking specific advertising campaigns
• Tracking your affiliates
• Recalling user settings and favorites
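One way to honor the consent requirement described above is to classify each cookie by purpose and only set non-essential cookies (analytics, remarketing, campaign tracking, preferences) once the user has recorded consent for that category. The following is an added example written for this article, not code from the article or from any vendor; the cookie names, the category table and the `cookie_consent` cookie that stores the user’s choice are all assumptions.

```javascript
// Added example (not part of the original article): consent-gated cookie setting
// on the server side. Cookie names, categories and the `cookie_consent` cookie
// are assumptions chosen to mirror the uses listed in the article.

const COOKIE_CATEGORIES = {
  session_id: 'essential',    // logging in / detecting members
  csrf_token: 'essential',    // request forgery protection
  _ga: 'analytics',           // analytics program (assumed name)
  _fbp: 'marketing',          // remarketing (assumed name)
  campaign_src: 'marketing',  // tracking a specific advertising campaign
  ui_prefs: 'preferences',    // recalling user settings and favorites
};

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Read the categories the user consented to from the (assumed) `cookie_consent`
// cookie, whose value is a comma-separated list such as "analytics,preferences".
// Essential cookies never need consent; with no consent cookie, only they are allowed.
function readConsent(cookies) {
  const consented = new Set(['essential']);
  const raw = cookies.cookie_consent;
  if (typeof raw === 'string') {
    for (const entry of raw.split(',')) {
      const category = entry.trim();
      if (category) consented.add(category);
    }
  }
  return consented;
}

// Given the cookies the application would like to set, return Set-Cookie header
// values only for the ones whose category the user has consented to. Cookies not
// in the category table are treated as non-essential and dropped, so a new
// tracking cookie cannot slip through unclassified.
function filterSetCookies(wanted, consented) {
  const headers = [];
  for (const [name, value] of Object.entries(wanted)) {
    const category = COOKIE_CATEGORIES[name] || 'unclassified';
    if (!consented.has(category)) continue;
    // Essential cookies are kept out of reach of page scripts; analytics and
    // marketing cookies usually have to be readable by the vendor's script.
    const httpOnly = category === 'essential' ? '; HttpOnly' : '';
    headers.push(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax${httpOnly}`);
  }
  return headers;
}

// Convenience wrapper: from the incoming Cookie header and the desired cookies,
// produce the Set-Cookie values a response may carry.
function consentedSetCookies(requestCookieHeader, wanted) {
  return filterSetCookies(wanted, readConsent(parseCookieHeader(requestCookieHeader)));
}

// Constructed sample request: logged-in user who consented to analytics and preferences only.
const sampleHeader = 'session_id=abc123; cookie_consent=analytics%2Cpreferences';
const desired = { session_id: 'abc123', _ga: 'GA1.1.1', _fbp: 'fb.1.1', ui_prefs: 'dark' };
console.log(consentedSetCookies(sampleHeader, desired));

module.exports = { parseCookieHeader, readConsent, filterSetCookies, consentedSetCookies };
```

The same filter can be reused for a user with no consent cookie at all, in which case only the essential cookies are emitted; the user’s later choice is recorded by setting `cookie_consent` (itself an essential cookie) from the consent popup.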
Use of Web Beacons
Web beacons are another technology that collects information about your users as they navigate through your website and open your emails. Sometimes they are used in conjunction with cookies. As with cookies, you need to explain to your users in general terms the type of information collected by web beacons and whether they track users outside of your website.
Information That Your Website Collects Automatically
Google Analytics Disclosure Requirements
Google Remarketing and Facebook Disclosure Requirements
Google AdSense Disclosure Requirements
Honoring a User’s Request to Change or Access Their Information
Blogs and Discussion Platforms
Letting Users Opt Out of Sharing Information
You need to provide users a way to opt out of disclosing their PII to your affiliates or other third parties in connection with promotions and advertising. If users choose to opt out of disclosing their PII for direct advertising purposes, it should be made clear to them that this will not affect disclosure of their PII to third parties who provide essential services for your website, or disclosure of information to law enforcement agencies when required by law.
Do Not Track Laws
Protecting Children’s Privacy
Children’s privacy is a highly monitored and regulated part of Internet privacy law, and enforcement for violating children’s privacy comes swiftly. If you collect information from children under the age of 13, you must comply with the Children’s Online Privacy Protection Act (COPPA). This law has very strict guidelines, one being that you must get express consent from parents before you collect information from children under the age of 13.
Do You Have a Mobile App?
Your Email Policy
Your Security Policy
You are required to explain to users what security measures you use to protect their personal information. The explanation does not have to be overly technical, but you need to be careful about stating, even in general terms, that you guarantee your users’ information will be completely safe. The Internet is not a totally safe environment, and making such guarantees could get you sued should your website get hacked or some other event occur in which your users’ personal information is disclosed to unauthorized people.
Protecting Users’ Credit Card Information
Here you should describe how you protect your users’ credit card information when processing their orders. As with your security policy provision, you should generally explain how you protect their credit card information. It is important that you make no guarantees that their credit card information will be 100% secure, and that you explain that you will not be responsible for any misuse of their credit card.
Guaranteeing that your users’ credit card information will always remain safe and secure can get you sued should you or the third parties with whom you work get hacked, or should your users’ credit card information be disclosed by other means. Obviously you must use good business practices and procedures to keep users’ credit card information safe. However, the Internet is not totally secure, and it is impossible to guarantee the security of any information, including your users’ credit card information.
Holding and Destroying Users’ Personal Information