Understanding the Privacy Policy of Your Website

James Chiodo, Certified Information Privacy Professional CIPP/US

Website privacy policies with the correct disclosures are required by U.S., UK, EU, Canadian and Australian law, and by the laws of many other countries.

In addition to complying with privacy laws, you are required by Google, Facebook, and other companies whose services you embed to post a privacy policy with specific disclosures on your website and mobile app.

Almost every website or blog owner knows what a privacy policy is. However, only a fraction of them could explain what a legally compliant privacy policy should contain. Below are some provisions that a good website privacy policy should have to comply with the U.S. and global privacy laws and protect the website owner. This information is by no means complete; some websites might require additional disclosures because of their information gathering and disclosure practices.

The term “user” in this article refers to a visitor or customer of a website.
The term “PII” in this article refers to a user’s personally identifiable information.
The term “NPI” in this article refers to nonpersonal information.

What Types of Information Does Your Website Collect?
You are required by law to disclose in your privacy policy the types of PII that you collect from your users. The information must be specific and not vague. Examples of specific PII would be users’ names, email addresses, postal addresses, phone numbers, photos, physical characteristics, and geolocation information. To a lesser extent you should disclose the types of NPI that your website collects from users.

Know the Difference Between PII and NPI
The difference between PII and NPI has blurred because of changes in the law and in the way regulatory agencies define PII. For example, the laws of the European Union (EU), as well as COPPA and HIPAA in the United States, classify a user’s IP address and cookies as PII in many situations. The chief of the FTC’s Consumer Protection Bureau said “We regard data as ‘personally identifiable,’ and thus warranting privacy protections when it can be reasonably linked to a particular person, device, or computer. In many cases persistent identifiers such as MAC addresses, device identifiers, cookies, or static IP addresses meet this test.”

How Users’ Information Is Collected
You are required to explain how and where you collect users’ information. This includes information collected at registration, from online forms, questionnaires, email, mobile applications, APIs, and any other means.

Disclose How You Use Your Users’ Information
The law requires you to explain to users in your privacy policy exactly how you use their information that you collect from your website. Some examples would be using their information to communicate with them, send advertising relating to your business, sharing information with third parties, releasing information because you are legally required to do so, and disclosing information to successors who purchase your business.

Linking to Other Websites
To help reduce your legal liability explain in your privacy policy that when your website links to other websites, those sites have their own privacy policies and users should review them to see how they treat personal information when using their sites. Make it clear in your privacy policy that you have no responsibility for the content or policies on websites that you link to and the use of those websites is at users’ own risk.

Explain to Users What Cookies Are and Do
Cookies are small data text files stored in users’ web browsers when they visit your website. Cookies help users navigate and use your website, identify them as members, track advertising, and have many other uses. Countries like the UK require you to get users’ consent before you place cookies on their computers. This is typically done by using a popup box asking the user when they enter your website to agree to accepting cookies before using your site.

You must also provide a link to your cookie and privacy policy from the banner or dialog where your user gives consent to accept or decline your cookies. You are required to describe the general classification of cookies that you place on your visitors’ computers and the types of information they gather. This description does not have to be overly technical. Here are some examples of how cookies are used:

•   Recognizing parts of your website that users have visited
•   Logging in and detecting users who are members of your website
•   Using Google or other analytics programs
•   Remarketing services from Facebook, Google, and other companies
•   Tracking specific advertising campaigns
•   Tracking your affiliates
•   Recalling user settings and favorites

You must disclose to users the parties, organizations, and websites that will collect data from the cookies you use. Your privacy policy is required to provide instructions to users so they can disable or opt out of cookie tracking from your website.

Use of Web Beacons
Web beacons (also called tracking pixels or clear GIFs) are another technology that collects information about your users as they navigate through your website and open your emails. They are often used in conjunction with cookies. As with cookies, you need to explain to your users in general terms the type of information collected by web beacons and whether they track users outside of your website.

Information That Your Website Collects Automatically
Your privacy policy should list the type of automatic information that your website collects from users. This type of information may be collected automatically from your users’ mobile devices or web browsers. This information might consist of the IP address of your users’ computers, the web browsers they are using, types of operating systems, mobile devices, and their Internet providers’ names.

Google Analytics Disclosure Requirements
If you are using Google Analytics to gather information about the users of your website, you are required by Google’s terms of service to explain in your privacy policy how you use Google Analytics; if you do not, you are in violation of their terms of service and could get your Analytics account cancelled.

Google Remarketing and Facebook Disclosure Requirements
As with Analytics, you are required to have specific disclosures in your privacy policy to comply with Google’s terms of service if you are using their remarketing service or other advertising based on interests or location. These services track users’ behavior over time and across different websites. This type of tracking is called behavioral (interest-based) advertising and is closely watched by regulatory agencies for compliance. Facebook also requires your privacy policy to have a specific disclosure if you use Facebook’s remarketing program and their “Custom Audience Pixel.”

Google AdSense Disclosure Requirements
Google’s AdSense program is probably the most demanding and sensitive of all their programs, and it is the easiest one to get banned from if you violate its policies. Like their other programs, it requires you to disclose specific information in your privacy policy to comply with their terms of service. In addition, Google requires you to comply with the cookie consent laws of other countries when using AdSense.

Honoring a User’s Request to Change or Access Their Information
You are required to explain in your privacy policy how users can access and change their PII that you have gathered about them in your database or other storage devices. You need to provide a mechanism for users to review and update their personal information if they request it.

Blogs and Discussion Platforms
If your website has a blog or any type of discussion platform, you should tell users to think carefully before posting personal information, because anything they post publicly is not protected by your privacy policy. You should make it clear that you will not be liable for any misuse of personal information that they reveal in comments on your blog or other discussion platforms.

Letting Users Opt Out of Sharing Information
You need to provide users a way to opt out of the disclosure of their PII to your affiliates or other third parties in connection with promotions and advertising. If users opt out of disclosure for direct advertising purposes, make it clear to them that this does not affect disclosure of their PII to third parties who provide essential services for your website, or disclosure to law enforcement agencies when required by law.

Do Not Track Laws
California was the first state to pass a law requiring website owners to explain how they respond to a user’s web browser “do not track” requests. Other states have since passed their own do not track laws. Regardless of the state you do business in, these laws require you to disclose how your website responds to those requests, specifically whether or not you honor the do not track signal sent by a user’s web browser. Oddly enough, there is no right or wrong answer: you can choose to honor the signal or to ignore it. The law only requires that you disclose in your privacy policy how your website actually responds, so whatever you write must match what your site does.
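The cookie consent and opt-out requirements above, and the Do Not Track disclosure in this section, both come down to one piece of site logic: which cookie categories may be set on a given page view. The following is an added example (not code from the original article or from any vendor) of a consent gate that implements that decision. The storage object and the Do Not Track signal are injected so the logic runs outside a browser; in a real page you would pass a cookie- or localStorage-backed store and `navigator.doNotTrack === "1"`. The storage key name, the category names and the loaders in the demo are assumptions for illustration.

```javascript
// Added example: consent gate for non-essential cookies. Nothing outside the
// "essential" category is set until the user opts in, and a browser Do Not
// Track signal can block tracking categories regardless of stored consent.

const CATEGORIES = ["essential", "analytics", "advertising"]; // assumed categories
const CONSENT_KEY = "cookie_consent"; // assumed name of the stored consent record

// Minimal in-memory stand-in for document.cookie / localStorage.
class MemoryStore {
  constructor() { this.data = new Map(); }
  get(key) { return this.data.has(key) ? this.data.get(key) : null; }
  set(key, value) { this.data.set(key, value); }
  remove(key) { this.data.delete(key); }
}

// Parse a raw "DNT" request header (server side) or navigator.doNotTrack
// (client side): only the literal "1" means the user asked not to be tracked.
function doNotTrackRequested(value) {
  return String(value ?? "").trim() === "1";
}

class ConsentGate {
  // honorDoNotTrack is the choice the privacy policy must disclose:
  //   true  -> a DNT signal blocks analytics/advertising even after opt-in
  //   false -> DNT is ignored and only stored consent matters
  constructor({ store, doNotTrack = false, honorDoNotTrack = true }) {
    this.store = store;
    this.doNotTrack = doNotTrack;
    this.honorDoNotTrack = honorDoNotTrack;
  }

  // Categories the user opted in to, or null if the banner has not been answered.
  consent() {
    const raw = this.store.get(CONSENT_KEY);
    if (raw === null) return null;
    try {
      const parsed = JSON.parse(raw);
      if (!Array.isArray(parsed.categories)) return null;
      return parsed.categories.filter((c) => CATEGORIES.includes(c));
    } catch {
      return null; // corrupted record: treat as "not asked" and re-prompt
    }
  }

  // Persist the banner answer. "essential" is always implied and not stored;
  // unknown category names are dropped rather than trusted.
  recordChoice(categories, now = Date.now()) {
    const chosen = categories.filter((c) => CATEGORIES.includes(c) && c !== "essential");
    this.store.set(CONSENT_KEY, JSON.stringify({ categories: chosen, at: now }));
    return chosen;
  }

  // Opt-out path the policy must describe: withdrawing consent clears the
  // record, so every non-essential category is blocked from then on.
  withdraw() { this.store.remove(CONSENT_KEY); }

  allowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (category === "essential") return true;
    if (this.honorDoNotTrack && this.doNotTrack) return false;
    const consent = this.consent();
    return consent !== null && consent.includes(category);
  }

  // Run only the third-party loaders (analytics, remarketing pixels, ...) whose
  // category is allowed; a loader that never runs never sets its cookies.
  run(loaders) {
    const ran = [];
    for (const loader of loaders) {
      if (this.allowed(loader.category)) { loader.load(); ran.push(loader.name); }
    }
    return ran;
  }
}

// Demonstration with constructed loaders (names are illustrative, not real tags).
function demo() {
  const loaded = [];
  const loaders = [
    { name: "session",     category: "essential",   load: () => loaded.push("session") },
    { name: "analytics",   category: "analytics",   load: () => loaded.push("analytics") },
    { name: "remarketing", category: "advertising", load: () => loaded.push("remarketing") },
  ];
  const store = new MemoryStore();
  const gate = new ConsentGate({ store, doNotTrack: false });
  const beforeConsent = gate.run(loaders);   // only the essential loader runs
  gate.recordChoice(["analytics"]);
  const afterConsent = gate.run(loaders);    // analytics now runs, advertising still blocked
  const dntGate = new ConsentGate({ store, doNotTrack: doNotTrackRequested("1") });
  const withDnt = dntGate.run(loaders);      // DNT honored: back to essential only
  gate.withdraw();
  const afterWithdraw = gate.run(loaders);   // opt-out: essential only
  return { beforeConsent, afterConsent, withDnt, afterWithdraw };
}
```

Whichever value you pick for `honorDoNotTrack`, the sentence in your privacy policy about Do Not Track has to describe that value; the flag exists so the behavior is a single documented decision rather than something scattered across tag snippets.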

Protecting Children’s Privacy
Children’s privacy is a highly monitored and regulated part of Internet privacy law, and enforcement for violating it comes swiftly. If you collect information from children under the age of 13, you must comply with the Children’s Online Privacy Protection Act (COPPA). This law has very strict requirements, one being that you must obtain verifiable parental consent before you collect information from children under the age of 13.

Even if you don’t collect information from children under 13, you should tell users in your privacy policy that your website is not designed for anyone under the age of 18 and you do not knowingly collect personally identifiable information (PII) from children under 13, and that you will delete all their information as soon as you discover a child using your website. Based on trends in current privacy laws it seems best to avoid collecting information from the 13-17 age group without parental consent.

Do You Have a Mobile App?
Having a mobile app exposes you to more risk and liability than a traditional website. Mobile apps are the platform most scrutinized for privacy compliance by the FTC, state regulators, and other global regulatory agencies. In some cases you will need additional privacy disclosures for your mobile app when collecting PII from users. A mobile app also presents a practical challenge, because users are reading your privacy policy on a smaller device. It is best to have a shorter, easy-to-read privacy policy highlighting your most important practices relating to a user’s PII, and to link that shorter mobile app privacy policy to your longer, more comprehensive website privacy policy.

Your Email Policy
Here you should tell users that you will not sell or rent their email addresses and that you comply with the federal CAN-SPAM Act. If you do share or sell your users’ information, you are required to disclose this to them and should get their express consent. And if selling or renting users’ information was not part of your privacy policy when they signed up for your products or services, you are required to get express consent from them before you sell or share their information with third parties for direct marketing purposes.

Your Security Policy
You are required to explain to users what security measures you use to protect their personal information. The explanation does not have to be overly technical, but it should be accurate: regulators treat the security statements in a privacy policy as representations, and describing controls you do not actually operate is a deceptive practice, not just a drafting error. Be equally careful about promising that users’ information will be completely safe. The Internet is not a totally safe environment, and such a guarantee could get you sued should your website get hacked or your users’ personal information otherwise be disclosed to unauthorized people.

See our blog post “This Privacy Policy Provision Could Bankrupt You”

Protecting Users’ Credit Card Information
Here you should describe in general terms how you protect your users’ credit card information when processing their orders, as you did in your security policy provision. It is important that you make no guarantee that their credit card information will be 100% secure, and that you explain that you will not be responsible for any misuse of their credit card.

Guaranteeing that your users’ credit card information will always remain safe and secure can get you sued should you or the third parties you work with get hacked, or your users’ credit card information be disclosed by other means. Obviously you must use sound business practices and procedures to keep users’ credit card information safe. However, the Internet is not totally secure, and it is impossible to guarantee the security of any information, including your users’ credit card information.

Holding and Destroying Users’ Personal Information
You are required to tell users in your privacy policy how long you will retain their PII, why you are retaining it, and what you will do with it when it is no longer needed. This covers PII in both electronic and paper form. Practice data minimization: don’t collect or retain information from users that is not required for the functioning of your website. Remember, any PII that you don’t collect or save is PII you don’t have to protect, and PII that cannot appear in a breach.

Notifying Users When You Change Your Privacy Policy
Privacy laws require you to explain and notify your users of any substantial changes to your privacy policy and give them the chance to accept or decline those changes. Substantial changes would include treating their personal information in a manner significantly different from what they agreed to in your privacy policy when they signed up for your services or products.

What not to say in your privacy policy
Telling users that you can change your privacy policy at any time, and that they should come back from time to time to review it for changes, does not work: it does not comply with current privacy laws, and should you end up in court, it will not be enforced.
