How to Craft a Privacy Policy for Your Website

social media how toDoes your website have a privacy policy?

This article will tell you what you need to know to create a privacy policy for your website.

Why a Privacy Policy?

As online professionals and entrepreneurs, you know that collecting information on visitors to your (or your client’s) website can help tailor goods and services. It offers insight that previously could only be gathered through expensive research. Today, though, data collection can be easy and inexpensive.

But with this type of information, businesses face a daunting task of protecting the data and telling visitors and/or consumers what will be done with the information. Regardless of whether site visitors read the terms and conditions, companies can’t overlook the creation of policies that set out how such information will be used.

privacy policy and descriptive link

Example of a well-placed privacy policy and descriptive link. Disney Muppets website.

Interestingly, except for regulated industries, there is no federal law requiring an online business to have a privacy policy. More importantly, no company has ever been sued for not having a privacy policy. But, for those businesses located in California or those that do business in California (many online companies!), there is a California state law requiring the posting of a privacy policy.

As professionals in the online world, often we’re expected to know all of the rules and regulations when it comes to what a company can and cannot collect or do with the information that is collected. Marketing wants to collect certain information and use it as a competitive advantage, but the company as a whole may want to convey a different sense of privacy, which creates internal conflict.

Privacy and personal data collection are areas where consulting with legal counsel may be necessary if your industry is regulated or if you want to be very aggressive with the data collected. The collection methods also need to be confirmed with the IT professionals who create the back-end tools.

In addition, following the policy set forth is imperative so there is no risk of sanctions. This is why having a policy custom-tailored will always be better than using a stock policy or cutting and pasting from what you find on the Internet.

The Elephant in the Room

It wouldn’t be a complete discussion about online privacy without mentioning Facebook and the recent ruling by the FTC that the social network deceived consumers by telling them their information was private when in fact the data was exploited beyond what was agreed.

While Facebook was not fined, the settlement is quite strict and obligates Facebook to undergo third-party reviews for 20 years.

Facebook

Sometimes young companies learn the hard way. Facebook.com

For a platform that relies on users sharing information, Facebook turned a blind eye to the disparity between what they agreed to do and what, in fact, they did. But consumers are very savvy and complaints ignored by the company were taken to the FTC.

The social network faced the potential for millions of dollars in fines. Ultimately, though, that may have been a lesser punishment than what was agreed upon because of the length of monitoring.

Unlike for most companies, users of Facebook are highly involved and very vocal. Even though the company is still in its infancy, this big stumble was likely a wake-up call. Not just for the social network, but also for the online business community as a whole. Consumer deception is becoming a bigger concern, and Internet users are savvier with each passing day.

Creating a Great Privacy Policy

When you think of the policies and disclosures that belong on websites, it should come as no surprise that big companies have them drafted by a team of lawyers. If you’ve ever read them, you’d agree.

However, when it comes to a privacy policy, sometimes the best thing to do is write it out yourself first. You know best what you’re doing with the information. When it’s done, run it past an attorney.

What to Include in a Privacy Policy

First, and foremost, write it in plain English (or if your primary language is something else, then that language). Determine what information you would be gathering—email, cookies, subscription information, credit card, login, gender, age, etc.—and make sure there is a legitimate reason for collection. And once you have all this information, identify what you are doing with it.

Next comes putting it together—all it takes is 8 easy steps to an awesome privacy policy!

  1. Write in language that is easy to read and understand.
  2. Explain what information will be collected and whether it will be identifying or anonymous. If it’s both, say so.
  3. Without getting into lengthy detail, explain how it’s collected (such as search terms, sign-up, log files, clicked links, cookies).
  4. If you’ll share information with affiliated, partner or other sites, be clear about this. Most people are concerned with who else is getting their information.
  5. Simply state that if compelled by law to disclose, then you’ll comply with such orders.
  6. Give readers the option of verifying, correcting, changing or removing personal registration information. I suggest having a separate email for this purpose so you know exactly the nature of this communication.
  7. Provide a way for people to opt out of future communication. If someone wants to be removed, make it easy. Having a “privacy policy email” allows for these types of communications to be routed for easy handling.
  8. State that the policy will be updated periodically and how you will communicate such changes.

Privacy Policy Best Practices

Creating, updating, monitoring or managing privacy policies and practices may not be your responsibility. But that doesn’t mean you should ignore possible missteps. More importantly, those who are responsible may not know the rules, regulations or best practices.

For those who are responsible, whether it’s part of your job because you’re an entrepreneur and everything is your responsibility, or you’re hoping to add this area to your book of knowledge, there are best practices to keep in mind.

  1. Don’t ignore the FTC or state laws that provide minimum standards.
  2. Write the policy in plain English. If you have a lawyer draft your policy, ask that it be written so your consumer or visitor will clearly understand.
  3. Don’t cut and paste something you found for free on the Internet. Because the risk of penalties is very real, this is not the time to be cheap. Your policy should be your own and reflect the unique circumstances of your site.
  4. Update your policy regularly to reflect changes in the online environment, what your company actually does with information and clarify areas that may be vague. And once it’s updated, communicate the update!
  5. Follow the policy! If there is only one thing learned from the FTC sanctions of Facebook, it is that you should follow your policy and not engage in deceptive practices.
  6. Allow consumers, readers, forum visitors or others to opt out of having their personal information retained. And then follow through with their wish.
  7. Make your policy easy to find and accessible. One of the biggest complaints I hear is that the policies are buried or inaccessible due to broken links.
  8. Ensure that the stored information is, indeed, secure. Security breaches are not only very costly in terms of having to invest in infrastructure, the potential disclosure or sale of private information can be devastating.
  9. Utilize a well-respected privacy certification program to add credibility.
  10. Do not ask for intrusive or excessively personal information unless it’s absolutely necessary. Consumers are getting savvier and are less willing to provide sensitive information if they don’t feel the situation merits such an intrusion. If you need this information, be clear as to why and include how you will protect the data.

Conclusion

garden gate

Putting up a sign may work for your garden, but not for your online business. Image: freedigitalphotos.net

Privacy policies are often not given the attention they deserve. Many companies churn them out, not realizing their true importance. While not everyone will read the policy, it’s these types of policies that say a lot about what the company stands for and what it wants to achieve. Information is key to future growth. It provides insight that can’t be replicated in other ways.

Most companies don’t have the resources or reputation that the largest social networking site has, and being singled out for deceptive practices could easily crush them.

Success tomorrow depends on not just doing the right thing today, but doing it every day. Most of us want our information kept secure. And our most valuable asset—our customers, users and community members—do too.

What do you think? Have you written a policy for your business? Leave your questions and comments in the box below.

* This article does not specifically address policies regarding children under 13. The Children’s Online Privacy Protection Act (“COPPA”) will be addressed in a future treatment.
Disclosure: While Sara Hawkins is an attorney, this article is for informational purposes only and is not to be considered legal advice.
Image: Simon Howden / FreeDigitalPhotos.net

Tags: , , , , , , , ,

About the Author, Sara Hawkins

Sara Hawkins is a lawyer, blogger and doer. No longer happy waiting for someday to find her, she's finding ways to make her somedays happen. Other posts by »




More Info
  • Pingback: How to Craft a Privacy Policy for Your Website | MarketingHits.com

  • Cris Trautner

    Timely. We’ve been discussing how to develop terms and conditions with client for their new website, and this post has excellent advice.

  • Pingback: Does your site have a Privacy Policy? | swca

  • FolksM

    Nice post Sara. Right now not much is being invested in Privacy Policy but days are not far when this will be an integral part of the website. So your article has future ramifications.
    Would really love to get more insight on another important doc; MoU between a buyer and seller.

  • http://sarafhawkins.com/ Sara F. Hawkins

    Thanks Cris! Hope the article will help you exceed your client’s expectations.

  • http://sarafhawkins.com/ Sara F. Hawkins

    FolksM, I agree that this article is a bit ‘future thinking’. However, as I’ve experienced in the past, Social Media Examiner readers are savvy and very forward thinking so Michael knew that this was the crowd that would be on the forefront of ‘best practices’.

    As for a Memorandum of Understanding between a buyer and seller, those tend to be very specific to the situation at hand and are best handled by competent legal counsel knowledgeable not only of the law but also the specifics of the industry.

  • One_Finger_short_of_a_Hand

    Interesting, as in the EU you must have a privacy policy. While I agree about the ‘cut and paste’, but here in the UK we have Government Bodies who allow you to cut and paste, so that your site complies with the laws. You can then manipulate to your own needs

    RAther surprised that the US does not have a federal law requiring a PP. It is certainly in the consumer’s interest

  • Sara

    Is it true that having a privacy policy helps to improve search engine rank?

  • Pingback: How to Craft a Privacy Policy for Your Website | Social Media … | Pro I-Marketer

  • http://sarafhawkins.com/ Sara F. Hawkins

    OFSofaH, when it comes to using government mandated language often it is best to, as you said, cut/paste and then manipulate to your needs. However, my reference to the cut/paste was regarding those who search the internet and just cut/paste other sites without really knowing what they’re saying their company will now comply with (and could potentially be a copyright violation, too!).

    It may just be a matter of time until the US creates some type of federal legislation requiring privacy policies across the board. Highly regulated industries such as health care, financial, banking do have federal requirements but those are not web-specific. Instead, the privacy protections incorporate their web/online/mobile presence as they are an extension of the traditional means of collecting information.

  • http://sarafhawkins.com/ Sara F. Hawkins

    I do not know for certain whether the presence of a Privacy Policy on a website improves search engine rank. It is quite possible it’s part of the algorithm because the existence of a privacy policy often indicates a commitment to website security. Possibly someone more versed in SEO would be able to better answer your question.

  • One_Finger_short_of_a_Hand

    Couldn’t agree more, Yet, despite a shockingly bad site for navigation and general browsing through, this one is not too bad on its language. Here is an example of the sample PP they suggest: http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1076142085&r.l1=1073861197&r.l2=1074448560&r.l3=1076141950&r.s=sc&type=RESOURCES

    Those looking for guidance might find it useful, though I appreciate you might not have federal laws regarding Data Protection. While few may read PP, it is always reassuring when it is written in plain English and can give the user a sense that their confidential details are being used with care. I often watch from this side of the pond at the legal wrangles going on Stateside. Some companies do seem to feel that your information is “their” information to do what they like with (Elephant in the room LOL).

    I may be old school, but I believe you should do on to others as you would wish others to do unto you. Treat your customers with respect and honesty and they will reward you with loyalty

  • GASP

    “Don’t ignore the FTC or state laws that provide minimum standards”…where do you find these easily.
    For example TX, CA and NY

  • http://www.CyberGnarus.com/ Carol Harkins

    What do you think about the websites that have applications which build a privacy policy depending on your answers to some questions? If you Google “free privacy policy generator” you can find them.

  • Pingback: How to Craft a Privacy Policy for Your Website « My Social Media Policy

  • http://sarafhawkins.com/ Sara F. Hawkins

    GASP, it’s not very easy to keep track of all that goes on with state legislation and updates to the FTC. That’s what is great about places like Social Media Examiner, there are so many great professionals making sure we all have the latest information.

    Currently, only California has written laws regarding Privacy Policies. They actually have a full governmental agency - http://www.privacyprotection.ca.gov/privacy_laws.htm

    Nebraska and Pennsylvania both have laws regarding misleading statements in online privacy policies as deceptive or fraudulent business practices. For state laws you have to focus on deceptive trade practices as the laws which would govern statements made on websites. Unfortunately, other than California, no states specifically discuss online privacy policies.

    As for federal law, there is HIPPA (Health Care), Graham-Leach-Bliley (certain types of financial transactions and COPPA (marketing to children 13 and under). In addition, the FTC has general oversight for unfair or deceptive trade practices.

  • http://sarafhawkins.com/ Sara F. Hawkins

    Hello Carol,

    I’m not a fan of websites that generate these types of documents for free. Often people don’t read what is generated before they post it as their policy and they clearly violate their own policy. In addition, these ‘free privacy policy generators’ like other similar types of disclosure generators can expose a business to unnecessary risk because it does not take into account specifics of what the site really does vs what the generator asks.

    It can be a good start to then recreate something specific and then pass it by an attorney. But for me, it’s very frustrating, time consuming and much more expensive having to do the clean up work after the fact because a business went the ‘free’ route .

  • Sfrost

    Ms.
    Hawkins,

    This
    post provided some really wonderful information. As a student studying for her
    masters in communication I was particularly drawn to section The Elephant in
    the Room in which you state: “Consumer deception is becoming a
    bigger concern, and Internet users are savvier with each
    passing day.” In my ethics course we’ve covered the topic of public
    confidence in the truthfulness of public communication. Your post exemplifies
    perfectly how media, in this case social media, weakens the public’s trust
    through their hypocritical actions. In the book Ethics in Human Communication,
    the authors emphasize this when they say: “Distrust and suspicion poison a
    widening variety of human communication relationships” (p. 30). However,
    these authors say nothing concerning how the public is compensating for this “credibility
    gap” (p. 29). You mention Facebook’s users as joining together to call for
    action against the company. Through this example you have identified the public’s
    response as becoming savvier in order to proactively avoid trusting untrustworthy
    information.

    As you
    stated in your article, user-friendly privacy-policies are a prime way to
    combat this growing problem. If I may ask, do you have any other suggestions
    concerning actions that companies might take in order to improve their
    trustworthiness and credibility?

    Thank
    you,

    Stephanie
    Weddell

    Graduate
    Student

    Drury
    University

    Johannesen, R. L., Valde, K. S., & Whedbee, K. E.
    (2007). Ethics in human communication (6th
    ed.).

    Prospect Heights: Waveland Press

  • http://www.i95dev.com/ecommerce-magento Henry Louis

    Hi Sara! I am really appreciating you for choosing this concept to share with all of us. As you mentioned here, it is very important to create a privacy policy to our website. I like your way of presentation. Keep updating.

  • http://socialmarketingfella.com/ Andre F. Bourque

    Straight forward, practical reference.  I’ll tag it and pass it along!

  • http://www.CyberGnarus.com/ Carol Harkins

    Good points – thanks! I appreciate your expertise.

  • Pingback: Wordpreneur Reader 02.03.2011 | Wordpreneur

  • http://sarafhawkins.com/ Sara F. Hawkins

    Thank you, Henry. I enjoy writing about the intersection of social media and the law. My goal is to make it understandable, and welcoming because many people get turned off when lawyers start talking since it usually involves what people can’t do. I like to approach it from the ‘can do’ side of things.

  • http://sarafhawkins.com/ Sara F. Hawkins

    Thank you!

  • Pingback: CyberGnarus Web Development & Internet Marketing

  • http://www.seobooklab.com/ Ram Babu SEO

    what i can tell here it just increases the reputation of the website, not the Search Rank, but Reputation is one important search ranking factor to consider wisely while making privacy to any company’s website!

  • Pingback: » Search Engine Marketing News Wrap-up Feb 5

  • http://www.i95dev.com/ecommerce-magento Henry Louis

    Well, I welcome your goal and I like your way of approaching your goal. Keep it up. Thanks for the reply.

  • http://precisionsignz.com/ political campaign signs

    Amazing post! i am so thankful to you! quite informative and interesting as well… appreciate your efforts!

  • http://sarafhawkins.com/ Sara F. Hawkins

    Thank you for taking time to comment. I’m glad it was helpful to you.

  • http://www.nichesense.com/ Anshul

    Errrm…may be its time to dump my favourite “easy privacy policy” plugin for wordpress:) Thanks for the insights Sara.

  • Pingback: Social media code of conduct. « Strategyaudit's Blog

  • http://sarafhawkins.com/ Sara F. Hawkins

    Anshul, I bet you could craft one that better says what you need it to say. And do so in a way that matches your site’s style.

    Best wishes!

  • Pingback: Search Engine Marketing News Wrap-up Feb 5 | Domain Buddy

  • Babul Films

    thanks sara for the useful information. i could draft my own Privacy Policy.
     you spared me the shame of doing Ctrl C and Ctrl P. thanks again.

  • Pingback: 207 Articles on Effective WebDesign - Winter 2011-2012 - PSD to HTML Blog

  • http://www.imoddigital.com/ Christopher M

    What a wonderful article to stumble upon! Thank you so much Sara, this couldn’t have come at a better time :)

  • http://www.buraq-technologies.com/ ambreen11

    Its an effective work that how we craft a privacy policy for our website.Its the best post to show such information that is necessary to maintain privacy policy on website.Thanks

  • Pingback: Create a Privacy Policy for your Website | Top Blog - Topsarge Business Solutions, LLC

  • Alex Thomas

    Hi Sara, i want Privacy Policy and Terms of Use, Copyright Notice Statement but the problem is i am not finding any good website to make all these statements what about your website Whom You Hired to make Your Privacy Policy Statement.

  • http://sarafhawkins.com/ Sara F. Hawkins

    Alex, I don’t use a website to create these policies, terms, and notices. I am an attorney and I create them for my clients.







Check out the Social Media Marketing Podcast!
Check out our Blogging workshop!
Join our Social Media Marketing Networking Club
Download the free Social Media Marketing Industry Report
Check out our sister publication: My Kids' Adventures